Use Confluent CLI with Self-managed Encryption Keys on Confluent Cloud

You can use the Confluent CLI to create, delete, describe, and list self-managed encryption keys (also known as BYOK, bring your own key) for Dedicated Kafka clusters on Confluent Cloud. The sections below provide examples of how to use these Confluent CLI commands to manage your self-managed encryption keys.

  • For Confluent Cloud on AWS and Azure, you can use the Confluent CLI confluent byok commands to create, delete, describe, and list self-managed encryption keys for Dedicated Kafka clusters.
  • For Confluent Cloud on Google Cloud, you can use the Confluent CLI confluent kafka cluster create command with the --byok flag to create Dedicated Kafka clusters that use self-managed encryption keys. For details, see confluent kafka cluster create.

Before you begin

To use the examples, make sure that you meet the following prerequisites:

Register an encryption key

Before you can create an encrypted cluster, you must register a self-managed key with Confluent Cloud.

To register an encryption key for use with a self-managed encrypted Kafka cluster, use the confluent byok create command.

  1. Using the AWS CLI, run the aws kms list-keys command to get the ARN of the KMS (customer-managed) key in your AWS account.

    aws kms list-keys
    

    For more information, see Viewing KMS keys with the API.

  2. Note the ARN of the key you want to use for encryption.

  3. Using the Confluent CLI, run the confluent byok create command to register the encryption key with Confluent Cloud.

    confluent byok create arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
    

    For more information, see confluent byok create.

After successfully registering the encryption key, you can use it to create a Dedicated Kafka cluster that uses a self-managed key for encryption. For steps on creating a Dedicated Kafka cluster that uses a self-managed key for encryption, see Encrypt a Dedicated Cluster using Self-managed Keys on AWS.
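The registration procedure above, wrapped as a small POSIX shell script. This is an added example, not part of the Confluent documentation or CLI: it lists the KMS key ARNs with the AWS CLI, checks that the ARN you pass has the single-key shape used in the example (arn:aws:kms:<region>:<12-digit account>:key/<uuid>) rather than an alias ARN or a bare key ID, and only then calls confluent byok create. The function names and the --run switch are the example's own; the ARN is the placeholder from the page, and both CLIs are assumed to be installed and logged in.

```shell
#!/bin/sh
# Added example (not from the Confluent docs). Wraps the "register an
# encryption key" steps: list KMS key ARNs, validate the chosen ARN, then
# register it with Confluent Cloud. Function names are this example's own.

# Return 0 when $1 looks like a single-key KMS ARN:
#   arn:aws:kms:<region>:<12-digit account>:key/<uuid>
# Alias ARNs (…:alias/name) and bare key IDs are rejected, so a
# copy-paste mistake is caught before the call to Confluent Cloud.
is_kms_key_arn() {
  printf '%s\n' "$1" | grep -Eq \
    '^arn:aws:kms:[a-z]{2}(-gov)?-[a-z]+-[0-9]+:[0-9]{12}:key/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Return the AWS region embedded in a KMS ARN (4th colon-separated field).
# Useful for confirming the key lives in the region of the planned cluster.
kms_arn_region() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Step 1 of the page: list the key ARNs visible in the current AWS
# account and region, one per line. Requires an authenticated AWS CLI.
list_kms_key_arns() {
  aws kms list-keys --query 'Keys[].KeyArn' --output text | tr '\t' '\n'
}

# Step 3 of the page: register the key with Confluent Cloud. Refuses
# malformed input instead of surfacing a confusing API error.
register_byok_key() {
  arn=$1
  if ! is_kms_key_arn "$arn"; then
    echo "refusing to register: '$arn' is not a KMS key ARN" >&2
    return 1
  fi
  echo "registering KMS key in region $(kms_arn_region "$arn")"
  confluent byok create "$arn"
}

# Usage: sh register_byok.sh --run <kms-key-arn>
# The default ARN below is the placeholder from the documentation page.
if [ "${1:-}" = "--run" ]; then
  register_byok_key "${2:-arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012}"
fi
```

Run `sh register_byok.sh --run "$(list_kms_key_arns | head -n 1)"` after sourcing the script, or pass the ARN explicitly. The validation is deliberately narrow: it only admits the key/<uuid> form shown on the page.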

Delete a self-managed key from Confluent Cloud

To delete a self-managed key from Confluent Cloud, use the confluent byok delete command.

confluent byok delete <cck-id>

For more information, see confluent byok delete.

Describe a self-managed key

To describe a self-managed key, use the confluent byok describe command with the key's cck-id (as shown in the output of confluent byok list).

confluent byok describe <cck-id>

For more information, see confluent byok describe.

List self-managed keys

To list all self-managed keys, use the Confluent CLI confluent byok list command. The output includes the cck-id, provider (aws or az), and state (in-use or available).

confluent byok list

For more information, see confluent byok list.