Skip to content
Scalekit Docs
Talk to an Engineer Dashboard

Manage encryption keys

Protect data at rest with Scalekit managed keys or bring your own from a cloud Key Management Service (KMS).

Scalekit automatically protects data at rest with encryption keys. You can use Scalekit-managed keys or bring your own from a cloud Key Management Service (KMS) provider if your compliance policy requires you to own and control the root key. This guide shows you how to view and manage keys in the dashboard and set up Bring Your Own Key (BYOK) with GCP Cloud KMS.

Key types

TypeDescription
Scalekit managed Data Encryption Key (DEK)Scalekit generates and manages the key. No setup required.
Bring your own key (BYOK)You provide a key from your own KMS. You own the key lifecycle, including rotation and revocation.

Key states

StateDescription
StagedCreated, not yet in use. No data is encrypted with it.
PrimaryThe active key. All new encryption operations use it.
DeprecatedReplaced by a newer key. Existing records may still reference it until re-encryption completes.

Manage keys

Go to Settings and open the Encryption keys tab.

  1. Create a key

    Click Create New Key and select a provider:

    • Scalekit Managed DEK: Scalekit generates and manages the key. Click Create.
    • BYOK - GCP Cloud KMS: Complete Set up BYOK with GCP KMS first to create the GCP key and grant access, then enter the key resource name here and click Create.

    The key is created in Staged state.

  2. Activate the key

    Click Activate on a Staged key. The key becomes Primary and Scalekit uses it for all new encryption operations.

  3. Re-encrypt existing data

    To apply the new key to existing records, click Re-encrypt Data. Scalekit decrypts each existing record with the previous key and re-encrypts it with the new key.

Set up BYOK with GCP KMS

Use BYOK to register an encryption key from Google Cloud KMS that your team owns and controls. Scalekit uses the KMS API for all encrypt and decrypt operations and never stores the key material.

Prerequisites

  • A Google Cloud project with the Cloud KMS API enabled
  • IAM permissions to create key rings, keys, and set key-level IAM policies
  • The Scalekit service account email, shown in the Scalekit dashboard when you select BYOK
  • gcloud CLI installed and authenticated, or access to the GCP Console
  1. Create a key ring

    A key ring groups encryption keys by location. Key rings cannot be deleted or renamed once created. Choose the name and location carefully.

    Terminal window
    gcloud kms keyrings create "scalekit-kms-keyring" \
    --location "global" \
    --project "YOUR-GCP-PROJECT"

    Replace YOUR-GCP-PROJECT with your Google Cloud project ID.

  2. Create an encryption key

    Create a symmetric AES-256-GCM key inside the key ring.

    Terminal window
    gcloud kms keys create "scalekit-kms-key" \
    --location "global" \
    --keyring "scalekit-kms-keyring" \
    --purpose "encryption" \
    --project "YOUR-GCP-PROJECT"
  3. Grant Scalekit access to the key

    Grant both roles at the key level to limit Scalekit’s IAM access to this specific key.

    RolePurpose
    roles/cloudkms.cryptoKeyEncrypterDecrypterEncrypt and decrypt the DEK
    roles/cloudkms.viewerRead key metadata for health checks and listing
    Terminal window
    gcloud kms keys add-iam-policy-binding "scalekit-kms-key" \
    --keyring "scalekit-kms-keyring" \
    --location "global" \
    --project "YOUR-GCP-PROJECT" \
    --member "serviceAccount:SCALEKIT-SERVICE-ACCOUNT" \
    --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    gcloud kms keys add-iam-policy-binding "scalekit-kms-key" \
    --keyring "scalekit-kms-keyring" \
    --location "global" \
    --project "YOUR-GCP-PROJECT" \
    --member "serviceAccount:SCALEKIT-SERVICE-ACCOUNT" \
    --role "roles/cloudkms.viewer"
  4. Register the key in Scalekit

    • In the Scalekit dashboard, go to Settings and open the Encryption keys tab.
    • Click Create New Key and select BYOK - GCP Cloud KMS.
    • Copy the Scalekit service account email shown in the modal. You need it for step 3 if you have not granted IAM access yet.
    • Enter the fully-qualified GCP key resource name:
    projects/YOUR-GCP-PROJECT/locations/global/keyRings/scalekit-kms-keyring/cryptoKeys/scalekit-kms-key

    To retrieve the exact name from the CLI:

    Terminal window
    gcloud kms keys describe "scalekit-kms-key" \
    --keyring "scalekit-kms-keyring" \
    --location "global" \
    --project "YOUR-GCP-PROJECT" \
    --format="value(name)"
    • Click Create. The key is created in Staged state.
    Key resource name format

    The key reference must follow this format:

    projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEYRING_NAME}/cryptoKeys/{KEY_NAME}

    To retrieve the key ring path:

    Terminal window
    gcloud kms keyrings describe "scalekit-kms-keyring" \
    --location "global" \
    --project "YOUR-GCP-PROJECT" \
    --format="value(name)"

    Append /cryptoKeys/scalekit-kms-key to get the full key reference.

  5. Activate the key

    Click Activate on the staged key. The key becomes Primary and Scalekit uses it for all new encryption operations.

  6. Re-encrypt existing data

    Activation covers new writes automatically. Click Re-encrypt Data to migrate existing records. Scalekit decrypts each record with the previous key and re-encrypts it with the new key.

Monitor with audit logs

Cloud KMS logs every cryptographic operation to Cloud Audit Logs. Use this filter in Cloud Logging to see all encrypt, decrypt, and key events for your key:

resource.type="cloudkms_cryptokey"

Fix common errors

Permission denied when activating or using the key

Check that both IAM bindings are applied to the correct key:

Terminal window
gcloud kms keys get-iam-policy "scalekit-kms-key" \
--keyring "scalekit-kms-keyring" \
--location "global" \
--project "YOUR-GCP-PROJECT"

The output should list the Scalekit service account with both roles/cloudkms.cryptoKeyEncrypterDecrypter and roles/cloudkms.viewer. If the bindings are missing, repeat step 3.

Re-encryption reports unrecoverable rows

Unrecoverable rows are records that could not be re-encrypted, typically because the previous key version was disabled or destroyed before re-encryption completed.

Contact Scalekit support if you need help recovering affected records.

Key resource name is not accepted

Verify the format is exactly:

projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME

Run gcloud kms keys describe with --format="value(name)" to retrieve the exact string. Do not construct it manually.