Use Confluent CLI with Self-managed Encryption Keys¶

You can use the Confluent CLI to create, delete, describe, and list self-managed encryption keys (aka BYOK) for Dedicated Kafka clusters on Confluent Cloud . The sections below provide examples of how to use these Confluent CLI commands to manage your self-managed encryption keys.

For Confluent Cloud on AWS and Azure, you can use the Confluent CLI confluent byok commands to create, delete, describe, and list self-managed encryption keys for Dedicated Kafka clusters.
For Confluent Cloud on Google Cloud, you can use the Confluent CLI confluent kafka cluster create command with the --byok flag to create Dedicated Kafka clusters that use self-managed encryption keys. For details, see confluent kafka cluster create.

Before you begin¶

To use the examples, make sure that you meet the following prerequisites:

Confluent CLI (v3.3.0 or later) is installed. See Install Confluent CLI.
Sign in to Confluent CLI. See Connect Confluent CLI to Confluent Cloud Cluster.
Create a KMS, or customer-managed, key in your cloud provider account.

Register an encryption key¶

Before you can create an encrypted cluster, you must register a self-managed key with Confluent Cloud.

To register an encryption key for use with a self-managed encrypted Kafka cluster, use the confluent byok create command.

Using the AWS CLI, run the aws kms list-keys command to get the ARN of the KMS (customer-managed) key in your AWS account.
```
aws kms list-keys
```
For more information, see Viewing KMS keys with the API.
Note the ARN of the key you want to use for encryption.
Using the Confluent CLI , run the confluent byok create command to register the encryption key with Confluent Cloud.
```
confluent byok create arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
```
For more information, see confluent byok create.

After successfully registering the encryption key, you can use it to create a Dedicated Kafka cluster that uses a self-managed key for encryption. For steps on creating a Dedicated Kafka cluster that uses a self-managed key for encryption, see Encrypt a Dedicated Cluster using Self-managed Keys on AWS.

Using the Azure CLI, run the az keyvault show command to get the Key Vault URL of the customer-managed key in your Azure Key Vault.
```
az keyvault show --name <key-vault-name> --resource-group <resource-group-name> --query "properties.vaultUri" -o tsv
```
For more information, see az keyvault show.
Note the Azure Key Vault URL for the key you want to use for encryption.

Using the Confluent Cloud CLI, run the confluent byok create command to register the encryption key with Confluent Cloud.

confluent byok create https://vault-name.vault.azure.net/keys/key-name --key-vault /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup-name/providers/Microsoft.KeyVault/vaults/vault-name --tenant 00000000-0000-0000-0000-000000000000

For more information, see confluent byok create.

After successfully registering the encryption key, you can use it to create a Dedicated Kafka cluster that uses a self-managed key for encryption. For steps on creating a Dedicated Kafka cluster that uses a self-managed key for encryption, see Encrypt Cluster using Self-managed Keys on Azure.

Delete a self-managed key from Confluent Cloud¶

To delete a self-managed key from Confluent Cloud, use the confluent byok delete command.

confluent byok delete <cck-id>

For more information, see confluent byok delete.

Describe a self-managed key¶

To describe a self-managed key, use the confluent byok describe command.

confluent byok describe <key-id>

For more information, see confluent byok describe.

List self-managed keys¶

To list all self-managed keys, use the Confluent CLI confluent byok list command. The output includes the cck-id, provider (aws or az), and state (in-use or available).

confluent byok list

For more information, see confluent byok list.