Use Confluent CLI with Self-Managed Encryption Keys on Confluent Cloud

You can use the Confluent CLI to create, delete, describe, and list self-managed encryption keys (also called bring your own key, or BYOK) for Dedicated Kafka clusters on Confluent Cloud. The sections below provide examples of how to use these Confluent CLI commands to manage your self-managed encryption keys.

  • For Confluent Cloud on AWS and Azure, you can use the Confluent CLI confluent byok commands to create, delete, describe, and list self-managed encryption keys for Dedicated Kafka clusters.

  • For Confluent Cloud on Google Cloud, you can use the Confluent CLI confluent kafka cluster create command with the --byok flag to create Dedicated Kafka clusters that use self-managed encryption keys. For details, see confluent kafka cluster create.

Before you begin

To use the examples, make sure that you meet the following prerequisites:

Register an encryption key

Before you can create an encrypted cluster, you must register a self-managed key with Confluent Cloud.

To register an encryption key for use with a self-managed encrypted Kafka cluster, use the confluent byok create command. The key identifier you pass depends on the cloud provider: the first procedure below registers an AWS KMS key by its ARN, the second registers an Azure Key Vault key by its key URL.

  1. Using the AWS CLI, run the aws kms list-keys command to list the KMS keys in your AWS account and get the ARN of the customer-managed key you want to use. The command returns key IDs and key ARNs only; if you know the key by alias, aws kms list-aliases maps alias names to key IDs.

    aws kms list-keys
    

    For more information, see Viewing KMS keys with the API.

  2. Note the ARN of the key you want to use for encryption.

  3. Using the Confluent CLI, run the confluent byok create command to register the encryption key with Confluent Cloud, passing the key ARN as the only argument.

    confluent byok create arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
    

    For more information, see confluent byok create.

After successfully registering the encryption key, you can use it to create a Dedicated Kafka cluster that uses a self-managed key for encryption. For steps on creating a Dedicated Kafka cluster that uses a self-managed key for encryption, see Encrypt a Dedicated Cluster using Self-managed Keys on AWS.

  1. Using the Azure CLI, run the az keyvault show command to get the URI of the Key Vault that holds your customer-managed key. The key URL that confluent byok create expects is this vault URI followed by /keys/<key-name>.

    az keyvault show --name <key-vault-name> --resource-group <resource-group-name> --query "properties.vaultUri" -o tsv
    

    For more information, see az keyvault show.

  2. Note the Key Vault URL for the key you want to use for encryption. You also need the vault's Azure resource ID (the id property in the output of az keyvault show) for the --key-vault flag, and your Azure tenant ID for the --tenant flag.

  3. Using the Confluent CLI, run the confluent byok create command to register the encryption key with Confluent Cloud, passing the key URL, the vault resource ID, and the tenant ID.

    confluent byok create https://vault-name.vault.azure.net/keys/key-name --key-vault /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup-name/providers/Microsoft.KeyVault/vaults/vault-name --tenant 00000000-0000-0000-0000-000000000000
    

    For more information, see confluent byok create.

After successfully registering the encryption key, you can use it to create a Dedicated Kafka cluster that uses a self-managed key for encryption. For steps on creating a Dedicated Kafka cluster that uses a self-managed key for encryption, see Encrypt Cluster using Self-managed Keys on Azure.
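The script below is an added example, not part of the Confluent documentation or the Confluent CLI: bash functions that validate the identifiers used in the AWS and Azure procedures above before handing them to confluent byok create. The ARN, key URL and resource ID shapes it checks are the public AWS KMS and Azure Key Vault formats; the account, vault and tenant values in the usage note are constructed sample data, and register_aws_key, register_azure_key, validate_kms_key_arn and validate_akv_key are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: validate BYOK key identifiers before `confluent byok create`.
# Not Confluent's code. The formats checked are the public AWS KMS ARN and
# Azure Key Vault key URL / resource ID shapes; nothing here calls a cloud API.
set -eu

# AWS: accept only a KMS *key* ARN that belongs to the account we expect.
#   arn:aws:kms:<region>:<account-id>:key/<key-id>
# `aws kms list-keys` prints key ARNs; alias ARNs are rejected because
# `confluent byok create` needs the key itself, not an alias.
validate_kms_key_arn() {
  local arn="$1" expected_account="$2" account
  case "$arn" in
    arn:aws:kms:*:*:alias/*)
      echo "refusing alias ARN, pass the key ARN from 'aws kms list-keys': $arn" >&2
      return 1 ;;
    arn:aws:kms:*:*:key/*) ;;
    *)
      echo "not a KMS key ARN: $arn" >&2
      return 1 ;;
  esac
  # Fifth colon-separated field of an ARN is the account ID.
  account=$(printf '%s' "$arn" | cut -d: -f5)
  if [ "$account" != "$expected_account" ]; then
    echo "key is in account $account, expected $expected_account" >&2
    return 1
  fi
}

# Azure: `confluent byok create` takes three values that must agree with each
# other: the key URL, the vault's resource ID (--key-vault) and the tenant ID.
#   key URL:     https://<vault>.vault.azure.net/keys/<key-name>[/<version>]
#   resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>
validate_akv_key() {
  local key_url="$1" vault_id="$2" tenant="$3" url_vault id_vault
  case "$key_url" in
    https://*.vault.azure.net/keys/*) ;;
    https://*.vault.azure.net/secrets/*|https://*.vault.azure.net/certificates/*)
      echo "URL names a secret or certificate, not a key: $key_url" >&2
      return 1 ;;
    *)
      echo "not a Key Vault key URL: $key_url" >&2
      return 1 ;;
  esac
  case "$vault_id" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*) ;;
    *)
      echo "not a Key Vault resource ID: $vault_id" >&2
      return 1 ;;
  esac
  # The vault named in the URL host must be the vault named by the resource
  # ID; a mismatch is almost always a copy-paste error and should fail fast.
  url_vault=${key_url#https://}
  url_vault=${url_vault%%.vault.azure.net/*}
  id_vault=${vault_id##*/}
  if [ "$url_vault" != "$id_vault" ]; then
    echo "key URL vault '$url_vault' does not match --key-vault '$id_vault'" >&2
    return 1
  fi
  # Loose GUID shape check (8-4-4-4-12) for the tenant ID.
  case "$tenant" in
    ????????-????-????-????-????????????) ;;
    *)
      echo "tenant must be a GUID: $tenant" >&2
      return 1 ;;
  esac
}

# Wrappers that run the real CLI command only once the inputs pass.
register_aws_key() {
  validate_kms_key_arn "$1" "$2" || return 1
  confluent byok create "$1"
}

register_azure_key() {
  validate_akv_key "$1" "$2" "$3" || return 1
  confluent byok create "$1" --key-vault "$2" --tenant "$3"
}
```

Source the file in a shell that is logged in to Confluent Cloud and call register_aws_key <key-arn> <account-id> or register_azure_key <key-url> <vault-resource-id> <tenant-id>, for example with the constructed values arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 and 123456789012. The validators return non-zero with a message on stderr and can also be run on their own, for instance in a CI step that reviews a change request before anyone runs the create command.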

Delete a self-managed key from Confluent Cloud

To delete a self-managed key from Confluent Cloud, use the confluent byok delete command with the key's Confluent Cloud ID (cck-...), as shown by confluent byok list. Deleting a key here only removes its registration from Confluent Cloud; the key itself is left in your KMS or Key Vault. A key whose state is in-use is still protecting a cluster and cannot be removed, so check its state with confluent byok describe before deleting.

confluent byok delete <cck-id>

For more information, see confluent byok delete.

Describe a self-managed key

To describe a self-managed key, use the confluent byok describe command with the key's Confluent Cloud ID (cck-...), which confluent byok list shows.

confluent byok describe <cck-id>

For more information, see confluent byok describe.

List self-managed keys

To list all self-managed keys, use the Confluent CLI confluent byok list command. The output includes the cck-id, provider (aws or az), and state (in-use or available).

confluent byok list

For more information, see confluent byok list.
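As an added example that is not Confluent's code, the bash functions below wrap the delete, describe and list workflow above so that a key whose state is in-use is never deleted by accident. The state parser assumes that confluent byok describe prints a key/value table with a State row, as in the constructed sample embedded in the script; if your CLI version prints a different layout, adjust key_state_from_describe or switch to the CLI's -o json output. safe_byok_delete, deletable_state and key_state_from_describe are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example, not Confluent's code: guard `confluent byok delete` so that a
# key still protecting a cluster (state in-use) is never deleted by accident.
set -eu

# Constructed sample of describe output; the '| Field | Value |' table layout
# is an assumption about the CLI's human-readable format.
SAMPLE_DESCRIBE_IN_USE='+----------+-----------------------------------------------------------------------------+
| ID       | cck-abc12                                                                   |
| Key      | arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 |
| Provider | aws                                                                         |
| State    | in-use                                                                      |
+----------+-----------------------------------------------------------------------------+'

# Read describe output on stdin and print the State value, trimmed and
# lower-cased. Prints nothing when no State row is found.
key_state_from_describe() {
  awk -F'|' '
    tolower($2) ~ /state/ {
      v = $3
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print tolower(v)
      exit
    }'
}

# Exit 0 when a key in this state may be deleted, 1 otherwise. Only
# "available" (registered but not attached to any cluster) is deletable;
# anything else, including an empty string from unparseable output, is
# treated as unsafe so the guard fails closed.
deletable_state() {
  case "$1" in
    available) return 0 ;;
    *) return 1 ;;
  esac
}

# Describe the key, check its state, and only then run the delete command.
safe_byok_delete() {
  local id="$1" state
  state=$(confluent byok describe "$id" | key_state_from_describe)
  if ! deletable_state "$state"; then
    echo "refusing to delete $id: state is '${state:-unknown}', expected 'available'" >&2
    return 1
  fi
  confluent byok delete "$id"
}
```

Run safe_byok_delete cck-abc12 in a shell that is logged in to Confluent Cloud; it returns non-zero without calling delete when the key is in-use or when the state cannot be determined from the describe output, and the CLI's own confirmation prompt still applies when it does delete.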