Manage encryption keys
Protect data at rest with Scalekit managed keys or bring your own from a cloud Key Management Service (KMS).
Scalekit automatically protects data at rest with encryption keys. You can use Scalekit-managed keys or bring your own from a cloud Key Management Service (KMS) provider if your compliance policy requires you to own and control the root key. This guide shows you how to view and manage keys in the dashboard and set up Bring Your Own Key (BYOK) with GCP Cloud KMS.
Key types
| Type | Description |
|---|---|
| Scalekit managed Data Encryption Key (DEK) | Scalekit generates and manages the key. No setup required. |
| Bring your own key (BYOK) | You provide a key from your own KMS. You own the key lifecycle, including rotation and revocation. |
Key states
| State | Description |
|---|---|
| Staged | Created, not yet in use. No data is encrypted with it. |
| Primary | The active key. All new encryption operations use it. |
| Deprecated | Replaced by a newer key. Existing records may still reference it until re-encryption completes. |
Manage keys
Go to Settings and open the Encryption keys tab.
-
Create a key
Click Create New Key and select a provider:
- Scalekit Managed DEK: Scalekit generates and manages the key. Click Create.
- BYOK - GCP Cloud KMS: Complete Set up BYOK with GCP KMS first to create the GCP key and grant access, then enter the key resource name here and click Create.
The key is created in Staged state.
-
Activate the key
Click Activate on a Staged key. The key becomes Primary and Scalekit uses it for all new encryption operations.
-
Re-encrypt existing data
To apply the new key to existing records, click Re-encrypt Data. Scalekit decrypts each existing record with the previous key and re-encrypts it with the new key.
Set up BYOK with GCP KMS
Use BYOK to register an encryption key from Google Cloud KMS that your team owns and controls. Scalekit uses the KMS API for all encrypt and decrypt operations and never stores the key material.
Prerequisites
- A Google Cloud project with the Cloud KMS API enabled
- IAM permissions to create key rings, keys, and set key-level IAM policies
- The Scalekit service account email, shown in the Scalekit dashboard when you select BYOK
gcloudCLI installed and authenticated, or access to the GCP Console
-
Create a key ring
A key ring groups encryption keys by location. Key rings cannot be deleted or renamed once created. Choose the name and location carefully.
Terminal window gcloud kms keyrings create "scalekit-kms-keyring" \--location "global" \--project "YOUR-GCP-PROJECT"Replace
YOUR-GCP-PROJECTwith your Google Cloud project ID.- Open Security > Key management, click Key rings.
- Click Create key ring, enter
scalekit-kms-keyringas the name. - Set Location to Global and click Create.
-
Create an encryption key
Create a symmetric AES-256-GCM key inside the key ring.
Terminal window gcloud kms keys create "scalekit-kms-key" \--location "global" \--keyring "scalekit-kms-keyring" \--purpose "encryption" \--project "YOUR-GCP-PROJECT"- Click the key ring you created, then click Create key.
- Enter
scalekit-kms-keyas the name. - Set Protection level to HSM (recommended) and click Continue.
- Set Key material to HSM-generated and click Continue.
- Set Purpose to Symmetric encrypt/decrypt and click Continue.
- Set Rotation period per your policy and click Create.
-
Grant Scalekit access to the key
Grant both roles at the key level to limit Scalekit’s IAM access to this specific key.
Role Purpose roles/cloudkms.cryptoKeyEncrypterDecrypterEncrypt and decrypt the DEK roles/cloudkms.viewerRead key metadata for health checks and listing Terminal window gcloud kms keys add-iam-policy-binding "scalekit-kms-key" \--keyring "scalekit-kms-keyring" \--location "global" \--project "YOUR-GCP-PROJECT" \--member "serviceAccount:SCALEKIT-SERVICE-ACCOUNT" \--role "roles/cloudkms.cryptoKeyEncrypterDecrypter"gcloud kms keys add-iam-policy-binding "scalekit-kms-key" \--keyring "scalekit-kms-keyring" \--location "global" \--project "YOUR-GCP-PROJECT" \--member "serviceAccount:SCALEKIT-SERVICE-ACCOUNT" \--role "roles/cloudkms.viewer"- In the GCP Console, open Security > Key management, click Key rings, then click the key ring name.
- Click the key name, then open the Permissions tab.
- Click Grant access. A side panel opens.
- In the New principals field, enter the Scalekit service account email. Copy it from Settings > Encryption keys > Create New Key > BYOK - GCP Cloud KMS in the Scalekit dashboard.
- In the Assign Roles section, select Cloud KMS CryptoKey Encrypter/Decrypter from the first Role dropdown.
- Click + Add another role and select Cloud KMS Viewer.
- Click Save. The policy update takes effect within a few minutes.
-
Register the key in Scalekit
- In the Scalekit dashboard, go to Settings and open the Encryption keys tab.
- Click Create New Key and select BYOK - GCP Cloud KMS.
- Copy the Scalekit service account email shown in the modal. You need it for step 3 if you have not granted IAM access yet.
- Enter the fully-qualified GCP key resource name:
projects/YOUR-GCP-PROJECT/locations/global/keyRings/scalekit-kms-keyring/cryptoKeys/scalekit-kms-keyTo retrieve the exact name from the CLI:
Terminal window gcloud kms keys describe "scalekit-kms-key" \--keyring "scalekit-kms-keyring" \--location "global" \--project "YOUR-GCP-PROJECT" \--format="value(name)"- Click Create. The key is created in Staged state.
Key resource name format
The key reference must follow this format:
projects/{PROJECT_ID}/locations/{LOCATION}/keyRings/{KEYRING_NAME}/cryptoKeys/{KEY_NAME}To retrieve the key ring path:
Terminal window gcloud kms keyrings describe "scalekit-kms-keyring" \--location "global" \--project "YOUR-GCP-PROJECT" \--format="value(name)"Append
/cryptoKeys/scalekit-kms-keyto get the full key reference. -
Activate the key
Click Activate on the staged key. The key becomes Primary and Scalekit uses it for all new encryption operations.
-
Re-encrypt existing data
Activation covers new writes automatically. Click Re-encrypt Data to migrate existing records. Scalekit decrypts each record with the previous key and re-encrypts it with the new key.
Monitor with audit logs
Cloud KMS logs every cryptographic operation to Cloud Audit Logs. Use this filter in Cloud Logging to see all encrypt, decrypt, and key events for your key:
resource.type="cloudkms_cryptokey"Fix common errors
Permission denied when activating or using the key
Check that both IAM bindings are applied to the correct key:
gcloud kms keys get-iam-policy "scalekit-kms-key" \ --keyring "scalekit-kms-keyring" \ --location "global" \ --project "YOUR-GCP-PROJECT"The output should list the Scalekit service account with both roles/cloudkms.cryptoKeyEncrypterDecrypter and roles/cloudkms.viewer. If the bindings are missing, repeat step 3.
Re-encryption reports unrecoverable rows
Unrecoverable rows are records that could not be re-encrypted, typically because the previous key version was disabled or destroyed before re-encryption completed.
Contact Scalekit support if you need help recovering affected records.
Key resource name is not accepted
Verify the format is exactly:
projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAMERun gcloud kms keys describe with --format="value(name)" to retrieve the exact string. Do not construct it manually.