Use Confluent CLI with Self-managed Encryption Keys on Confluent Cloud
You can use the Confluent CLI to create, delete, describe, and list self-managed encryption keys (also known as bring your own key, or BYOK) for Dedicated Kafka clusters on Confluent Cloud. The sections below show how to use these Confluent CLI commands to manage your self-managed encryption keys.
- For Confluent Cloud on AWS and Azure, you can use the Confluent CLI confluent byok commands to create, delete, describe, and list self-managed encryption keys for Dedicated Kafka clusters.
- For Confluent Cloud on Google Cloud, you can use the Confluent CLI confluent kafka cluster create command with the --byok flag to create Dedicated Kafka clusters that use self-managed encryption keys. For details, see confluent kafka cluster create.
Before you begin
To use the examples, make sure that you meet the following prerequisites:
- The Confluent CLI (v3.3.0 or later) is installed. See Install Confluent CLI.
- You are signed in to the Confluent CLI. See Connect Confluent CLI to Confluent Cloud Cluster.
- You have created a KMS (customer-managed) key in your cloud provider account.
Register an encryption key
Before you can create an encrypted cluster, you must register a self-managed key with Confluent Cloud. To register an encryption key for use with a self-managed encrypted Kafka cluster, use the confluent byok create command.
On AWS:
1. Using the AWS CLI, run the aws kms list-keys command to get the ARN of the KMS (customer-managed) key in your AWS account:
   aws kms list-keys
   For more information, see Viewing KMS keys with the API.
2. Note the ARN of the key you want to use for encryption.
3. Using the Confluent CLI, run the confluent byok create command to register the encryption key with Confluent Cloud:
   confluent byok create arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
   For more information, see confluent byok create.
After successfully registering the encryption key, you can use it to create a Dedicated Kafka cluster that uses a self-managed key for encryption. For those steps, see Encrypt a Dedicated Cluster using Self-managed Keys on AWS.
On Azure:
1. Using the Azure CLI, run the az keyvault show command to get the Key Vault URL of the customer-managed key in your Azure Key Vault:
   az keyvault show --name <key-vault-name> --resource-group <resource-group-name> --query "properties.vaultUri" -o tsv
   For more information, see az keyvault show.
2. Note the Azure Key Vault URL for the key you want to use for encryption.
3. Using the Confluent CLI, run the confluent byok create command to register the encryption key with Confluent Cloud, passing the key URL together with the Key Vault resource ID (--key-vault) and the tenant ID (--tenant):
   confluent byok create https://vault-name.vault.azure.net/keys/key-name --key-vault /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup-name/providers/Microsoft.KeyVault/vaults/vault-name --tenant 00000000-0000-0000-0000-000000000000
   For more information, see confluent byok create.
After successfully registering the encryption key, you can use it to create a Dedicated Kafka cluster that uses a self-managed key for encryption. For those steps, see Encrypt Cluster using Self-managed Keys on Azure.
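The registration step above is where a mistyped key reference ends up in a Confluent Cloud API call. The following added example (written for this page, not Confluent's own code) validates an AWS KMS key ARN or an Azure Key Vault key URL, checks that the Azure --key-vault resource ID names the same vault as the key URL and that --tenant is a UUID, and builds the confluent byok create argv shown in the steps above. The regular expressions are this example's own assumptions about the identifier shapes, and the sample values are the page's placeholders.

```python
import re
from typing import List, Optional

# Identifier shapes handed to `confluent byok create`: an AWS KMS key ARN (from
# `aws kms list-keys`) or an Azure Key Vault key URL plus the vault resource ID
# and tenant. These patterns are this example's own, not Confluent's.
UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
AWS_KMS_ARN = re.compile(rf"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{{12}}:key/{UUID}$")
AZURE_KEY_URL = re.compile(
    r"^https://(?P<vault>[A-Za-z0-9-]+)\.vault\.azure\.net/keys/[A-Za-z0-9-]+(?:/[0-9a-f]{32})?$"
)
AZURE_VAULT_ID = re.compile(
    rf"^/subscriptions/{UUID}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/"
    r"(?P<vault>[A-Za-z0-9-]+)$"
)


def byok_create_argv(key_ref: str, key_vault: Optional[str] = None,
                     tenant: Optional[str] = None) -> List[str]:
    """Return argv for `confluent byok create`; raise ValueError on a malformed
    or inconsistent key reference so a bad value never reaches the CLI."""
    if AWS_KMS_ARN.match(key_ref):
        if key_vault or tenant:
            raise ValueError("--key-vault/--tenant are only used for Azure keys")
        return ["confluent", "byok", "create", key_ref]
    url = AZURE_KEY_URL.match(key_ref)
    if url is None:
        raise ValueError(f"neither an AWS KMS key ARN nor an Azure key URL: {key_ref!r}")
    if not key_vault or not tenant:
        raise ValueError("Azure keys need --key-vault <resource id> and --tenant <tenant id>")
    vault = AZURE_VAULT_ID.match(key_vault)
    if vault is None:
        raise ValueError(f"malformed Key Vault resource ID: {key_vault!r}")
    # The vault in the key URL must be the vault whose resource ID is passed.
    if vault["vault"].lower() != url["vault"].lower():
        raise ValueError(f"key URL vault {url['vault']!r} != --key-vault vault {vault['vault']!r}")
    if not re.fullmatch(UUID, tenant):
        raise ValueError(f"malformed tenant ID: {tenant!r}")
    return ["confluent", "byok", "create", key_ref, "--key-vault", key_vault, "--tenant", tenant]


def rejects(key_ref: str, key_vault: Optional[str] = None, tenant: Optional[str] = None) -> bool:
    """True if byok_create_argv refuses the inputs (negative-case helper)."""
    try:
        byok_create_argv(key_ref, key_vault, tenant)
    except ValueError:
        return True
    return False
```

Pass the returned list to subprocess.run as argv rather than joining it into a shell string, so the key reference is never interpreted by a shell.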
Delete a self-managed key from Confluent Cloud
To delete a self-managed key from Confluent Cloud, use the confluent byok delete command:
confluent byok delete <cck-id>
For more information, see confluent byok delete.
Describe a self-managed key
To describe a self-managed key, use the confluent byok describe command:
confluent byok describe <key-id>
For more information, see confluent byok describe.
List self-managed keys
To list all self-managed keys, use the Confluent CLI confluent byok list command. The output includes the cck-id, the provider (aws or az), and the state (in-use or available):
confluent byok list
For more information, see confluent byok list.