{"id":3312,"date":"2024-03-07T08:25:23","date_gmt":"2024-03-07T16:25:23","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/"},"modified":"2024-03-07T08:25:23","modified_gmt":"2024-03-07T16:25:23","slug":"data-security-customer-managed-encryption-keys-in-capella","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/pt\/data-security-customer-managed-encryption-keys-in-capella\/","title":{"rendered":"Unlocking Data Security: Customer-Managed Encryption Keys in Capella"},"content":{"rendered":"\n<p><span>Capella understands how important data security is to your business, especially when using cloud services. That&#8217;s why we&#8217;re excited to announce a new feature that lets you take control over your data protection: <\/span><b>Customer-Managed Encryption Keys (CMEK).<\/b><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>What is CMEK?<\/span><\/h2>\n\n\n\n<p><span>CMEK is a well-known cloud security practice that allows you to use self-managed encryption keys to encrypt and decrypt data at rest. In this practice, the encryption key is created and resides in the customer-owned environment and is used by the third-party vendor to encrypt\/decrypt customer data that resides with the vendor. The main goal of this practice is to allow customers to fully manage security aspects, like the encryption algorithm and key rotation policies.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Who should use CMEK?<\/span><\/h2>\n\n\n\n<p><span>A customer-managed encryption key system is ideal for businesses that:<br>\n<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span>Handle highly sensitive data subject to strict compliance.<\/span><\/li>\n\n\n<li><span>Need to meet specific data security regulations.<\/span><\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Getting started with CMEK in Capella<\/span><\/h2>\n\n\n\n<p><span>The ability to associate Customer-Managed Encryption Keys is supported via <\/span><a href=\"https:\/\/www.couchbase.com\/blog\/programmatic-admin-capella-management-api\/\"><span>the Capella Management API.<\/span><\/a><span>\u00a0 Today, this feature is available for all AWS and GCP clusters in Capella, where customers can associate the CMEK with a new or an existing cluster.<\/span><\/p>\n\n\n\n<p><span>Under the hood, Capella has no knowledge of the content of the key and uses the key to simply encrypt and decrypt data at rest.<\/span><\/p>\n\n\n\n<p><span>When a CMEK is associated with an existing Capella cluster, the cluster is redeployed, and the persistent volumes are encrypted with this key. This operation also causes an online swap rebalance of the nodes to allow Capella to encrypt the data in a reliable manner.<\/span><\/p>\n\n\n\n<p><span>This blog is a tutorial where we will create a new Customer-Managed Encryption Key and associate it to a Capella cluster. Along the way, we will use the V4 Management APIs to create, associate, and rotate the key.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Prerequisites<\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span>Creating a key in cloud-native Key Management Service (KMS)<\/span><\/h3>\n\n\n\n<p><span>First, we will create a new key in our cloud-native KMS. To do this, ensure you have the right permissions to access the KMS in AWS or GCP programmatically or via the UI console.<\/span><\/p>\n\n\n\n<p><span>Once in the cloud KMS console, while configuring the key, ensure that the key is of type <\/span><b>Symmetric.<\/b><span>\u00a0This will create a single key that can be used for encryption and decryption.<\/span><\/p>\n\n\n\n<p><span>The second important step is to define the Key Usage to allow <\/span><b>Encrypt and Decrypt <\/b><span>operations. This will ensure that the key can be used specifically to encrypt and decrypt data at rest.<\/span><\/p>\n\n\n\n<p><b>AWS:<\/b><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image8.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15387\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image8-1024x459-1.jpg\" alt=\"Accessing key management services\" width=\"900\" height=\"403\"><\/a><\/p>\n\n\n\n<p><b>GCP:<\/b><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image6.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15388\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image6-1024x838-1.jpg\" alt=\"Customer managed keys in GCP\" width=\"900\" height=\"737\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span>Regionality of the Key<\/span><\/h3>\n\n\n\n<p><span>When configuring the key in AWS or GCP, ensure it resides in the same region as the Capella cluster. Both cloud providers allow us to select the regionality of the key, which can be either <em>Single<\/em> or <em>Multi-Regional<\/em>.<\/span><\/p>\n\n\n\n<p><span>In AWS, if the key is <em>multi-region<\/em>, it is important to have at least one key replica in the same region as the Capella cluster. We must then associate this replica key&#8217;s ARN (Amazon Resource Name) with the Capella cluster.<\/span><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image9.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15389\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image9-1024x616-1.jpg\" alt=\"Configuring regionality of keys in Capella\" width=\"900\" height=\"541\"><\/a><\/p>\n\n\n\n<p><span>In GCP, a <\/span><b>Global<\/b><span> Key Ring will ensure the key is available in any GCP location. Do check <\/span><a href=\"https:\/\/cloud.google.com\/kms\/docs\/locations?hl=en&amp;_ga=2.91307482.-1591003540.1704397183#regional:\"><span>GCP\u2019s supported locations for Cloud KMS <\/span><\/a><span>and ensure that the Capella cluster\u2019s location matches the supported locations for KMS.<\/span><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15390\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image4-1024x910-1.jpg\" alt=\"Create a global key ring GCP\" width=\"900\" height=\"800\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span>Capella V4 Management API Setup<\/span><\/h3>\n\n\n\n<p><span>For the next steps in this tutorial, we will need access to execute V4 Management APIs in Capella. Follow <\/span><a href=\"https:\/\/www.couchbase.com\/blog\/programmatic-admin-capella-management-api\/\"><span>this blog<\/span><\/a><span> to quickly get started with the V4 Management APIs.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Step 1: Making the Key Accessible to Capella<\/span><\/h2>\n\n\n\n<p><span>Now that we have a CMEK successfully created in our self-managed cloud account, we need to ensure that Capella is able to use this key to encrypt\/decrypt data at rest.<\/span><\/p>\n\n\n\n<p><span>To provide this access, we must first capture Capella\u2019s corresponding cloud account ID, which is unique to each organization deployed in Capella.<\/span><\/p>\n\n\n\n<p><span>Execute this V4 API to get the information:<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;default&#8221; decode=&#8221;true&#8221;]curl &#8211;request GET  https:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cloudAccounts&amp;nbsp; &#8211;header &#8216;Authorization: Bearer &lt;V4 API Key Secret&gt;'[\/crayon]<\/p>\n\n\n\n<p><span>A sample response will look something like this &#8211;<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;js&#8221; decode=&#8221;true&#8221;]{<br \/>\n &#8220;aws-capella-account&#8221;: &#8220;1234567890&#8221;,<br \/>\n &#8220;azure-capella-subscription&#8221;: &#8220;cb-1234567890abcdef&#8221;,<br \/>\n &#8220;gcp-capella-project&#8221;: &#8220;cb-1234567890abcdef&#8221;<br \/>\n}[\/crayon]<\/p>\n\n\n\n<p><span>Copy the corresponding cloud account ID. Ex: If your CMEK is located in AWS, copy the Capella AWS account ID. This also means you need to create a CMEK in the same cloud provider as your Capella cluster\u2019s cloud provider.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span>Updating the Key Access Policy<\/span><\/h3>\n\n\n\n<p><span>In AWS, add access to Capella by updating the CMEK\u2019s access policy as follows:<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;js&#8221; decode=&#8221;true&#8221;]{<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Sid&#8221;: &#8220;Allow use of the key&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Effect&#8221;: &#8220;Allow&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Principal&#8221;: {<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;AWS&#8221;: &#8220;arn:aws:iam::&lt;capella-aws-account-id&gt;:root&#8221;<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Action&#8221;: [<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;kms:DescribeKey&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;kms:GenerateDataKeyWithoutPlainText&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;kms:Decrypt&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;kms:ReEncrypt*&#8221;<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0],<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Resource&#8221;: &#8220;*&#8221;<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Sid&#8221;: &#8220;Allow attachment of persistent resources&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Effect&#8221;: &#8220;Allow&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Principal&#8221;: {<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;AWS&#8221;: &#8220;arn:aws:iam::&lt;capella-aws-account-id&gt;:root&#8221;<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Action&#8221;: &#8220;kms:CreateGrant&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Resource&#8221;: &#8220;*&#8221;,<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Condition&#8221;: {<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;Bool&#8221;: {<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8220;kms:GrantIsForAWSResource&#8221;: &#8220;true&#8221;<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}[\/crayon]<\/p>\n\n\n\n<p><span>Replace <\/span><b>&lt;capella-aws-account-id&gt;<\/b><span> placeholder with the value for <\/span><i><span>aws-capella-account<\/span><\/i><span> from the API response.<\/span><\/p>\n\n\n\n<p><span>For GCP, simply grant <\/span><i><span>Cloud KMS CryptoKey Encrypter\/Decrypter<\/span><\/i><span> permissions to Capella\u2019s Service account: <\/span><i><span>rc-cluster-admin@&lt;capella-gcp-project-id&gt;.iam.gserviceaccount.com<\/span><\/i><span>.<\/span><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image3.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15391\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image3-911x1024-1.jpg\" alt=\"Cloud KMS CryptoKey Encrypter\/Decrypter\" width=\"900\" height=\"1012\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Step 2: Informing Capella about the Key<\/span><\/h2>\n\n\n\n<p><span>In Step 1, we ensured that Capella was able to use the key to encrypt\/decrypt data at rest. In this step, we need to inform Capella that such a CMEK exists and that it can be used by clusters.<\/span><\/p>\n\n\n\n<p><span>We will now add the CMEK metadata to our Capella organization:<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;default&#8221; decode=&#8221;true&#8221;]curl &#8211;request POST<br \/>\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cmek<br \/>\n\u00a0\u00a0&#8211;header &#8216;Authorization: Bearer &lt;V4 API Key Secret&gt;&#8217;<br \/>\n\u00a0\u00a0&#8211;header &#8216;Content-Type: application\/json&#8217;<br \/>\n\u00a0\u00a0&#8211;data &#8216;{<br \/>\n\u00a0\u00a0&#8220;name&#8221;: &#8220;Test Key&#8221;,<br \/>\n\u00a0\u00a0&#8220;description&#8221;: &#8220;Description of the Key&#8221;,<br \/>\n\u00a0\u00a0&#8220;config&#8221;: {<br \/>\n\u00a0\u00a0\u00a0\u00a0&#8220;arn&#8221;: &#8220;arn:aws:kms:us-east-1:&lt;customer-owned-aws-account-id&gt;:key\/&lt;key-id&gt;&#8221;<br \/>\n\u00a0\u00a0}<br \/>\n}'[\/crayon]<\/p>\n\n\n\n<p><span>Remember, here, the key config ARN is the ARN of the key, as seen in the customer-owned AWS account:<\/span><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15392\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image1-1024x179-1.jpg\" alt=\"the ARN of the key, as seen in the customer-owned AWS account\" width=\"900\" height=\"157\"><\/a><\/p>\n\n\n\n<p><span>For GCP, the API payload will accept the <em>resourceName<\/em> of the KMS key.<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;default&#8221; decode=&#8221;true&#8221;]curl &#8211;request POST<br \/>\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cmek<br \/>\n\u00a0\u00a0&#8211;header &#8216;Authorization: Bearer &lt;V4 API Key Secret&gt;&#8217;<br \/>\n\u00a0\u00a0&#8211;header &#8216;Content-Type: application\/json&#8217;<br \/>\n\u00a0\u00a0&#8211;data &#8216;{<br \/>\n\u00a0\u00a0&#8220;name&#8221;: &#8220;Test Key&#8221;,<br \/>\n\u00a0\u00a0&#8220;description&#8221;: &#8220;Description of the Key&#8221;,<br \/>\n\u00a0\u00a0&#8220;config&#8221;: {<br \/>\n\u00a0\u00a0\u00a0\u00a0&#8220;resourceName&#8221;: &#8220;projects\/&lt;gcp-project-name&gt;\/locations\/global\/keyRings\/&lt;keyring-name&gt;\/cryptoKeys\/&lt;key-name&gt;&#8221;<br \/>\n\u00a0\u00a0}}'[\/crayon]<\/p>\n\n\n\n<p><span>This API will respond with a CMEK ID. Please note this ID as it will be used in subsequent API calls.<\/span><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image5.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15393\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image5-1024x213-1.jpg\" alt=\"\" width=\"900\" height=\"187\"><\/a><\/p>\n\n\n\n<p><span>Once the key is added to Capella, we can easily perform list, read, and delete key operations using the V4 APIs on this key. <\/span><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html#tag\/cmek\"><i><span>See this API specification for more details.<\/span><\/i><\/a><\/p>\n\n\n\n<p><i><span>Do note that Capella will only allow the deletion of the key if no cluster is actively associated with the key.<\/span><\/i><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Step 3: Associating the Encryption Key with a Cluster<\/span><\/h2>\n\n\n\n<p><span>Next, we want to use this CMEK to encrypt\/decrypt the data in one of our Capella clusters. To do this, note down the project ID and cluster ID of the particular cluster from the Capella UI.<\/span><\/p>\n\n\n\n<p><span>Use this API to associate the CMEK with the said cluster. The <em>cmekId<\/em> is the ID received in Step 2 when the CMEK metadata was added to Capella:<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;default&#8221; decode=&#8221;true&#8221;]curl &#8211;request POST<br \/>\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/projects\/{projectId}\/clusters\/{clusterId}\/cmek\/{cmekId}\/associate<br \/>\n\u00a0&#8211;header &#8216;Authorization: Bearer &lt;V4 API Key Secret&gt;'[\/crayon]<\/p>\n\n\n\n<p><span>Once this API is invoked, the cluster will be redeployed while Capella moves all the data to new persistent volumes. These volumes are newly created with the provided CMEK. This operation will result in a swap rebalance across all nodes of the cluster, without any downtime. The activity typically takes ~5-10 mins, depending on the data and cluster size.<\/span><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15394\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image2-1024x103-1.jpg\" alt=\"Associating the Encryption Key with a Cluster\" width=\"900\" height=\"91\"><\/a><\/p>\n\n\n\n<p><span>Finally, we will see the cluster return to a healthy status and the CMEK associated with the cluster. We can find this information by making a <\/span><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html#tag\/clusters\/operation\/getCluster\"><span>GET cluster details API<\/span><\/a><span> call.<\/span><\/p>\n\n\n\n<p><span>To unassociate the key from the cluster, simply execute this API:<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;default&#8221; decode=&#8221;true&#8221;]curl &#8211;request POST<br \/>\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/projects\/{projectId}\/clusters\/{clusterId}\/cmek\/{cmekId}\/unassociate<br \/>\n\u00a0&#8211;header &#8216;Authorization: Bearer &lt;V4 API Key Secret&gt;'[\/crayon]<\/p>\n\n\n\n<p><span>This will redeploy the cluster, remove the key, and use a new encryption key fully managed by Capella to encrypt the data at rest. This activity, too, results in a swap rebalance and takes a few minutes.<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span>Associating the Key with a New Cluster<\/span><\/h3>\n\n\n\n<p><span>The key can be associated with a new cluster by executing the <\/span><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html#tag\/clusters\/operation\/postCluster\"><span>create cluster API<\/span><\/a><span> and passing CMEK ID in the request payload as follows:<\/span><\/p>\n\n\n\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image7.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15395\" src=\"https:\/\/www.couchbase.com\/wp-content\/uploads\/sites\/5\/2026\/05\/image7-779x1024-1.jpg\" alt=\"\" width=\"779\" height=\"1024\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Step 4: Rotating the Encryption Key<\/span><\/h2>\n\n\n\n<p><span>An important aspect of enhanced data security is to rotate the encryption key on a schedule. Capella allows you to inform about key rotations but cannot rotate the key itself. The rotation period can be decided as per your security governance policies.<\/span><\/p>\n\n\n\n<p><span>To do this, create a new CMEK in your cloud-native KMS account. Invoke the following API to inform Capella to update the key ARN or key resource name for the same CMEK ID that is associated with the Capella cluster(s).<\/span><\/p>\n\n\n<p>[crayon nums=&#8221;false&#8221; wrap=&#8221;true&#8221; lang=&#8221;js&#8221; decode=&#8221;true&#8221;]curl &#8211;request PUT<br \/>\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cmek\/{cmekId}<br \/>\n\u00a0\u00a0&#8211;header &#8216;Authorization: Bearer &lt;V4 API Key Secret&gt;&#8217;<br \/>\n\u00a0\u00a0&#8211;header &#8216;Content-Type: application\/json&#8217;<br \/>\n\u00a0\u00a0&#8211;data &#8216;{<br \/>\n\u00a0\u00a0\u00a0&#8220;config&#8221;: {<br \/>\n\u00a0\u00a0\u00a0\u00a0&#8220;arn&#8221;: &#8220;arn:aws:kms:us-east-1:&lt;customer-owned-aws-account-id&gt;:key\/&lt;key-id&gt;&#8221;<br \/>\n\u00a0\u00a0}<br \/>\n}'[\/crayon]<\/p>\n\n\n\n<p><span>While AWS and GCP allow us to provide a rotation policy for the same key resource, due to restricted access, Capella cannot detect if the key was rotated automatically in your cloud account(s). Hence, the above key rotation API will only accept a key resource name different from the original key\u2019s resource name.<\/span><\/p>\n\n\n\n<p><span>Once this API is invoked, Capella will automatically detect all clusters using the key with the said CMEK ID and perform a re-deployment to rotate the associated CMEK. Capella will remove the older key resource and associate the new key resource with the cluster\u2019s persistent volumes. This operation will also result in a swap-rebalance of the data across all nodes of the cluster(s), again without any downtime.<\/span><\/p>\n\n\n\n<p><span>Finally, you will see that the clusters are back to a healthy state, and the new key resource is associated with the said CMEK ID.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Conclusion<\/span><\/h2>\n\n\n\n<p><span>This is how you can take control of your data security by using Customer-Managed Encryption Keys for all your Couchbase clusters in Capella.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span>Resources and Next Steps<\/span><\/h2>\n\n\n\n<p><span>Check out these links on the V4 Management API reference and the detailed documentation for using Customer Managed Encryption Keys:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html\"><span>Capella Management API Reference<\/span><\/a><\/li>\n\n\n<li><a href=\"https:\/\/docs.couchbase.com\/cloud\/security\/cmek.html\"><span>Customer Managed Encryption Keys (CMEK) in Capella<\/span><\/a><\/li>\n\n<\/ul>\n\n\n\n<p><span>If you have questions or feedback, please leave a comment below. The <\/span><a href=\"https:\/\/forums.couchbase.com\/\"><span>Couchbase Forums<\/span><\/a><span> or <\/span><a href=\"https:\/\/discord.com\/invite\/K7NPMPGrPk\"><span>Couchbase Discord<\/span><\/a><span> channels are another good place to reach out with questions.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Capella understands how important data security is to your business, especially when using cloud services. That&#8217;s why we&#8217;re excited to announce a new feature that lets you take control over your data protection: Customer-Managed Encryption Keys (CMEK). What is CMEK? CMEK is a well-known cloud security practice that allows you to use self-managed encryption keys [&hellip;]<\/p>\n","protected":false},"author":85129,"featured_media":3309,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[136,301,94],"tags":[804],"ppma_author":[805],"class_list":["post-3312","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-best-practices-and-tutorials","category-cloud","category-security","tag-cmek"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.6 (Yoast SEO v27.6) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Customer-Managed Encryption Keys for AWS &amp; GCP in Capella<\/title>\n<meta name=\"description\" content=\"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.couchbase.com\/blog\/pt\/data-security-customer-managed-encryption-keys-in-capella\/\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unlocking Data Security: Customer-Managed Encryption Keys in Capella\" \/>\n<meta property=\"og:description\" content=\"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.couchbase.com\/blog\/pt\/data-security-customer-managed-encryption-keys-in-capella\/\" \/>\n<meta property=\"og:site_name\" content=\"The Couchbase Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-03-07T16:25:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_100622853-1024x585.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Talina Shrotriya, Senior Engineering Manager\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Talina Shrotriya, Senior Engineering Manager\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/\"},\"author\":{\"name\":\"Talina Shrotriya, Senior Engineering Manager\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/person\\\/50c96ba341a92708507fcd493a0ecbb8\"},\"headline\":\"Unlocking Data Security: Customer-Managed Encryption Keys in Capella\",\"datePublished\":\"2024-03-07T16:25:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/\"},\"wordCount\":1832,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/5\\\/2026\\\/05\\\/image_2024-03-07_100622853.png\",\"keywords\":[\"CMEK\"],\"articleSection\":[\"Best Practices and Tutorials\",\"Couchbase Capella\",\"Security\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/\",\"name\":\"Customer-Managed Encryption Keys for AWS & GCP in Capella\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/5\\\/2026\\\/05\\\/image_2024-03-07_100622853.png\",\"datePublished\":\"2024-03-07T16:25:23+00:00\",\"description\":\"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/5\\\/2026\\\/05\\\/image_2024-03-07_100622853.png\",\"contentUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/5\\\/2026\\\/05\\\/image_2024-03-07_100622853.png\",\"width\":2665,\"height\":1522},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/data-security-customer-managed-encryption-keys-in-capella\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Unlocking Data Security: Customer-Managed Encryption Keys in Capella\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\",\"name\":\"The Couchbase Blog\",\"description\":\"Couchbase, the NoSQL Database\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#organization\",\"name\":\"The Couchbase Blog\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/5\\\/2026\\\/06\\\/logo.svg\",\"contentUrl\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/5\\\/2026\\\/06\\\/logo.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"The Couchbase Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/#\\\/schema\\\/person\\\/50c96ba341a92708507fcd493a0ecbb8\",\"name\":\"Talina Shrotriya, Senior Engineering Manager\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d9c24abfcca0232480a59e7b35ce24dbd5f4ecad3a177df7503af2f8df98c65?s=96&d=mm&r=gc38590b0055d896cea88d25cf5370eea\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d9c24abfcca0232480a59e7b35ce24dbd5f4ecad3a177df7503af2f8df98c65?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d9c24abfcca0232480a59e7b35ce24dbd5f4ecad3a177df7503af2f8df98c65?s=96&d=mm&r=g\",\"caption\":\"Talina Shrotriya, Senior Engineering Manager\"},\"url\":\"https:\\\/\\\/www.couchbase.com\\\/blog\\\/pt\\\/author\\\/talinashrotriya\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Customer-Managed Encryption Keys for AWS & GCP in Capella","description":"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.couchbase.com\/blog\/pt\/data-security-customer-managed-encryption-keys-in-capella\/","og_locale":"pt_BR","og_type":"article","og_title":"Unlocking Data Security: Customer-Managed Encryption Keys in Capella","og_description":"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.","og_url":"https:\/\/www.couchbase.com\/blog\/pt\/data-security-customer-managed-encryption-keys-in-capella\/","og_site_name":"The Couchbase Blog","article_published_time":"2024-03-07T16:25:23+00:00","og_image":[{"width":1024,"height":585,"url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_100622853-1024x585.png","type":"image\/png"}],"author":"Talina Shrotriya, Senior Engineering Manager","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Talina Shrotriya, Senior Engineering Manager","Est. reading time":"9 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#article","isPartOf":{"@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/"},"author":{"name":"Talina Shrotriya, Senior Engineering Manager","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/50c96ba341a92708507fcd493a0ecbb8"},"headline":"Unlocking Data Security: Customer-Managed Encryption Keys in Capella","datePublished":"2024-03-07T16:25:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/"},"wordCount":1832,"commentCount":0,"publisher":{"@id":"https:\/\/www.couchbase.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage"},"thumbnailUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_100622853.png","keywords":["CMEK"],"articleSection":["Best Practices and Tutorials","Couchbase Capella","Security"],"inLanguage":"pt-BR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/","url":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/","name":"Customer-Managed Encryption Keys for AWS & GCP in Capella","isPartOf":{"@id":"https:\/\/www.couchbase.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage"},"thumbnailUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_100622853.png","datePublished":"2024-03-07T16:25:23+00:00","description":"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.","breadcrumb":{"@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage","url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_100622853.png","contentUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_100622853.png","width":2665,"height":1522},{"@type":"BreadcrumbList","@id":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.couchbase.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Unlocking Data Security: Customer-Managed Encryption Keys in Capella"}]},{"@type":"WebSite","@id":"https:\/\/www.couchbase.com\/blog\/#website","url":"https:\/\/www.couchbase.com\/blog\/","name":"The Couchbase Blog","description":"Couchbase, the NoSQL Database","publisher":{"@id":"https:\/\/www.couchbase.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.couchbase.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/www.couchbase.com\/blog\/#organization","name":"The Couchbase Blog","url":"https:\/\/www.couchbase.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/06\/logo.svg","contentUrl":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/06\/logo.svg","width":"1024","height":"1024","caption":"The Couchbase Blog"},"image":{"@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/50c96ba341a92708507fcd493a0ecbb8","name":"Talina Shrotriya, Senior Engineering Manager","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/secure.gravatar.com\/avatar\/9d9c24abfcca0232480a59e7b35ce24dbd5f4ecad3a177df7503af2f8df98c65?s=96&d=mm&r=gc38590b0055d896cea88d25cf5370eea","url":"https:\/\/secure.gravatar.com\/avatar\/9d9c24abfcca0232480a59e7b35ce24dbd5f4ecad3a177df7503af2f8df98c65?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9d9c24abfcca0232480a59e7b35ce24dbd5f4ecad3a177df7503af2f8df98c65?s=96&d=mm&r=g","caption":"Talina Shrotriya, Senior Engineering Manager"},"url":"https:\/\/www.couchbase.com\/blog\/pt\/author\/talinashrotriya\/"}]}},"acf":[],"authors":[{"term_id":805,"user_id":85129,"is_guest":0,"slug":"talinashrotriya","display_name":"Talina Shrotriya, Senior Engineering Manager","avatar_url":{"url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_092247517-3.png","url2x":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/5\/2026\/05\/image_2024-03-07_092247517-3.png"},"0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/posts\/3312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/users\/85129"}],"replies":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/comments?post=3312"}],"version-history":[{"count":0,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/posts\/3312\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/media\/3309"}],"wp:attachment":[{"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/media?parent=3312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/categories?post=3312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/tags?post=3312"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/pt\/wp-json\/wp\/v2\/ppma_author?post=3312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}