{"id":15386,"date":"2024-03-07T08:25:23","date_gmt":"2024-03-07T16:25:23","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=15386"},"modified":"2024-03-15T08:34:56","modified_gmt":"2024-03-15T15:34:56","slug":"data-security-customer-managed-encryption-keys-in-capella","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/","title":{"rendered":"Unlocking Data Security: Customer-Managed Encryption Keys in Capella"},"content":{"rendered":"<p><span style=\"font-weight: 400\">Capella understands how important data security is to your business, especially when using cloud services. That&#8217;s why we&#8217;re excited to announce a new feature that lets you take control over your data protection: <\/span><b>Customer-Managed Encryption Keys (CMEK).<\/b><\/p>\n<h2><span style=\"font-weight: 400\">What is CMEK?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">CMEK is a well-known cloud security practice that allows you to use self-managed encryption keys to encrypt and decrypt data at rest. In this practice, the encryption key is created and resides in the customer-owned environment and is used by the third-party vendor to encrypt\/decrypt customer data that resides with the vendor. 
The main goal of this practice is to let customers control the security properties of the key themselves, such as the encryption algorithm, the rotation policy, and who is allowed to use it.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Who should use CMEK?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">A customer-managed encryption key system is ideal for businesses that:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Handle highly sensitive data subject to strict compliance.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Need to meet specific data security regulations.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400\">Getting started with CMEK in Capella<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Customer-Managed Encryption Keys are associated with clusters through <\/span><a href=\"https:\/\/www.couchbase.com\/blog\/programmatic-admin-capella-management-api\/\"><span style=\"font-weight: 400\">the Capella Management API<\/span><\/a><span style=\"font-weight: 400\">. Today, this feature is available for all AWS and GCP clusters in Capella, and the CMEK can be associated with a new or an existing cluster.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Under the hood, the key material never leaves your KMS: Capella has no access to the key itself and only calls KMS to encrypt and decrypt data at rest with it.<\/span><\/p>\n<p><span style=\"font-weight: 400\">When a CMEK is associated with an existing Capella cluster, the cluster is redeployed onto new persistent volumes encrypted with this key. This causes an online swap rebalance of the nodes, which is how the existing data is moved onto the encrypted volumes without downtime.<\/span><\/p>\n<p><span style=\"font-weight: 400\">This blog is a tutorial in which we create a new Customer-Managed Encryption Key and associate it with a Capella cluster. 
Along the way, we will use the V4 Management APIs to create, associate, and rotate the key.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Prerequisites<\/span><\/h2>\n<h3><span style=\"font-weight: 400\">Creating a key in cloud-native Key Management Service (KMS)<\/span><\/h3>\n<p><span style=\"font-weight: 400\">First, we will create a new key in our cloud-native KMS. To do this, ensure you have the right permissions to access the KMS in AWS or GCP programmatically or via the UI console.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Once in the cloud KMS console, while configuring the key, ensure that the key is of type <\/span><b>Symmetric.<\/b><span style=\"font-weight: 400\">\u00a0This will create a single key that can be used for encryption and decryption.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The second important step is to define the Key Usage to allow <\/span><b>Encrypt and Decrypt <\/b><span style=\"font-weight: 400\">operations. This will ensure that the key can be used specifically to encrypt and decrypt data at rest.<\/span><\/p>\n<p><b>AWS:<\/b><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image8.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15387\" style=\"border: 1px solid black\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image8-1024x459.jpg\" alt=\"Accessing key management services\" width=\"900\" height=\"403\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image8-1024x459.jpg 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image8-300x134.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image8-768x344.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image8-1536x688.jpg 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image8-1320x592.jpg 1320w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image8.jpg 1794w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p><b>GCP:<\/b><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image6.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15388\" style=\"border: 1px solid black\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image6-1024x838.jpg\" alt=\"Customer managed keys in GCP\" width=\"900\" height=\"737\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image6-1024x838.jpg 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image6-300x246.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image6-768x629.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image6.jpg 1268w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<h3><span style=\"font-weight: 400\">Regionality of the Key<\/span><\/h3>\n<p><span style=\"font-weight: 400\">When configuring the key in AWS or GCP, ensure it resides in the same region as the Capella cluster. Both cloud providers allow us to select the regionality of the key, which can be either <em>Single<\/em> or <em>Multi-Regional<\/em>.<\/span><\/p>\n<p><span style=\"font-weight: 400\">In AWS, if the key is <em>multi-region<\/em>, it is important to have at least one key replica in the same region as the Capella cluster. 
We must then associate this replica key&#8217;s ARN (Amazon Resource Name) with the Capella cluster.<\/span><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image9.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15389\" style=\"border: 1px solid black\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image9-1024x616.jpg\" alt=\"Configuring regionality of keys in Capella\" width=\"900\" height=\"541\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image9-1024x616.jpg 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image9-300x180.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image9-768x462.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image9.jpg 1310w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400\">In GCP, a <\/span><b>Global<\/b><span style=\"font-weight: 400\"> Key Ring will ensure the key is available in any GCP location. 
Do check <\/span><a href=\"https:\/\/cloud.google.com\/kms\/docs\/locations?hl=en&amp;_ga=2.91307482.-1591003540.1704397183#regional:\"><span style=\"font-weight: 400\">GCP\u2019s supported locations for Cloud KMS <\/span><\/a><span style=\"font-weight: 400\">and ensure that the Capella cluster\u2019s location matches the supported locations for KMS.<\/span><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15390\" style=\"border: 1px solid black\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image4-1024x910.jpg\" alt=\"Create a global key ring GCP\" width=\"900\" height=\"800\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image4-1024x910.jpg 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image4-300x267.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image4-768x683.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image4.jpg 1152w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<h3><span style=\"font-weight: 400\">Capella V4 Management API Setup<\/span><\/h3>\n<p><span style=\"font-weight: 400\">For the next steps in this tutorial, we will need access to execute V4 Management APIs in Capella. 
Follow <\/span><a href=\"https:\/\/www.couchbase.com\/blog\/programmatic-admin-capella-management-api\/\"><span style=\"font-weight: 400\">this blog<\/span><\/a><span style=\"font-weight: 400\"> to get started with the V4 Management APIs.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Step 1: Making the Key Accessible to Capella<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Now that we have a CMEK in our own cloud account, we need to let Capella use this key to encrypt and decrypt data at rest.<\/span><\/p>\n<p><span style=\"font-weight: 400\">To grant that access, we first need Capella\u2019s cloud account ID, which is unique to each organization deployed in Capella.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Execute this V4 API to get it:<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">curl --request GET \\\r\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cloudAccounts \\\r\n  --header 'Authorization: Bearer &lt;V4 API Key Secret&gt;'<\/pre>\n<p><span style=\"font-weight: 400\">A sample response (placeholder values) looks like this:<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:js decode:true\">{\r\n \"aws-capella-account\": \"1234567890\",\r\n \"azure-capella-subscription\": \"cb-1234567890abcdef\",\r\n \"gcp-capella-project\": \"cb-1234567890abcdef\"\r\n}<\/pre>\n<p><span style=\"font-weight: 400\">Copy the cloud account ID for the provider your key lives in. For example, if your CMEK is in AWS, copy the Capella AWS account ID (a real AWS account ID is 12 digits; the value above is a placeholder). 
This also means the CMEK must live in the same cloud provider as the Capella cluster it will protect.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Updating the Key Access Policy<\/span><\/h3>\n<p><span style=\"font-weight: 400\">In AWS, grant Capella access by adding the following two statements to the CMEK\u2019s key policy. They go inside the policy\u2019s <i>Statement<\/i> array next to the statements already there; keep the default statement that lets your own account administer the key, otherwise you can lock yourself out of it. The principal is the Capella AWS account, so which identities in that account can actually use the key is governed by Capella\u2019s own IAM policies, and <i>\"Resource\": \"*\"<\/i> in a key policy means this key only.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:js decode:true\">{\r\n  \"Sid\": \"Allow use of the key\",\r\n  \"Effect\": \"Allow\",\r\n  \"Principal\": {\r\n    \"AWS\": \"arn:aws:iam::&lt;capella-aws-account-id&gt;:root\"\r\n  },\r\n  \"Action\": [\r\n    \"kms:DescribeKey\",\r\n    \"kms:GenerateDataKeyWithoutPlaintext\",\r\n    \"kms:Decrypt\",\r\n    \"kms:ReEncrypt*\"\r\n  ],\r\n  \"Resource\": \"*\"\r\n},\r\n{\r\n  \"Sid\": \"Allow attachment of persistent resources\",\r\n  \"Effect\": \"Allow\",\r\n  \"Principal\": {\r\n    \"AWS\": \"arn:aws:iam::&lt;capella-aws-account-id&gt;:root\"\r\n  },\r\n  \"Action\": \"kms:CreateGrant\",\r\n  \"Resource\": \"*\",\r\n  \"Condition\": {\r\n    \"Bool\": {\r\n      \"kms:GrantIsForAWSResource\": \"true\"\r\n    }\r\n  }\r\n}<\/pre>\n<p><span style=\"font-weight: 400\">Replace the <\/span><b>&lt;capella-aws-account-id&gt;<\/b><span style=\"font-weight: 400\"> placeholder with the value of <\/span><i><span style=\"font-weight: 400\">aws-capella-account<\/span><\/i><span style=\"font-weight: 400\"> from the API response.<\/span><\/p>\n<p><span style=\"font-weight: 400\">For GCP, grant the <\/span><i><span style=\"font-weight: 400\">Cloud KMS CryptoKey Encrypter\/Decrypter<\/span><\/i><span style=\"font-weight: 400\"> role on the key to Capella\u2019s service account, <\/span><i><span style=\"font-weight: 400\">rc-cluster-admin@&lt;capella-gcp-project-id&gt;.iam.gserviceaccount.com<\/span><\/i><span style=\"font-weight: 400\">, where <\/span><i><span style=\"font-weight: 400\">&lt;capella-gcp-project-id&gt;<\/span><\/i><span style=\"font-weight: 400\"> is the <\/span><i><span style=\"font-weight: 400\">gcp-capella-project<\/span><\/i><span style=\"font-weight: 400\"> value from the API response.<\/span><\/p>\n<p><a 
href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image3.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15391\" style=\"border: 1px solid black\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image3-911x1024.jpg\" alt=\"Cloud KMS CryptoKey Encrypter\/Decrypter\" width=\"900\" height=\"1012\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image3-911x1024.jpg 911w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image3-267x300.jpg 267w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image3-768x863.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image3-300x337.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image3.jpg 1240w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<h2><span style=\"font-weight: 400\">Step 2: Informing Capella about the Key<\/span><\/h2>\n<p><span style=\"font-weight: 400\">In Step 1, we ensured that Capella was able to use the key to encrypt\/decrypt data at rest. 
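<\/span><\/p>\n<p><span style=\"font-weight: 400\">Before moving on, here is the Step 1 preparation and the regionality check from the prerequisites as code. This is an added example, not Capella\u2019s own tooling: it picks the Capella account for the cluster\u2019s provider out of the cloudAccounts response (a real AWS account ID is 12 digits, so the placeholder from the sample response is rejected), renders the two key-policy statements shown above with the canonical action spelling, merges them into an existing key policy without discarding the statements already there, and checks that an AWS key ARN or a GCP key resource name sits in the cluster\u2019s region (a key on a global GCP key ring passes for any region). The account values, the existing policy and the key references are constructed sample data.<\/span><\/p>

```python
# Added example (not Couchbase code): the Step 1 preparation in code. It picks
# the Capella account for the cluster's provider, builds the two key-policy
# statements from the tutorial, merges them into an existing key policy without
# dropping what is already there, and checks the key's region against the cluster's.
import copy
import json

# Constructed sample of the GET .../cloudAccounts response (placeholder values).
CLOUD_ACCOUNTS = {
    'aws-capella-account': '123456789012',
    'azure-capella-subscription': 'cb-1234567890abcdef',
    'gcp-capella-project': 'cb-1234567890abcdef',
}
PROVIDER_KEYS = {'aws': 'aws-capella-account', 'gcp': 'gcp-capella-project'}


def capella_account_for(cloud, accounts):
    '''Capella-side account for the cluster's provider, sanity-checked.'''
    value = accounts[PROVIDER_KEYS[cloud]]
    if cloud == 'aws' and not (len(value) == 12 and value.isdigit()):
        raise ValueError('AWS account IDs are 12 digits, got: ' + value)
    return value


def capella_kms_statements(aws_account_id):
    '''The two statements from the tutorial, with the canonical action spelling.'''
    principal = {'AWS': 'arn:aws:iam::' + aws_account_id + ':root'}
    return [
        {'Sid': 'Allow use of the key', 'Effect': 'Allow', 'Principal': principal,
         'Action': ['kms:DescribeKey', 'kms:GenerateDataKeyWithoutPlaintext',
                    'kms:Decrypt', 'kms:ReEncrypt*'],
         'Resource': '*'},
        {'Sid': 'Allow attachment of persistent resources', 'Effect': 'Allow',
         'Principal': principal, 'Action': 'kms:CreateGrant', 'Resource': '*',
         'Condition': {'Bool': {'kms:GrantIsForAWSResource': 'true'}}},
    ]


def merge_key_policy(existing_policy, statements):
    '''New policy with the statements added, or replaced by Sid on re-runs.

    Existing statements are kept, in particular the account-root admin
    statement, so updating the policy cannot lock you out of the key.
    '''
    merged = copy.deepcopy(existing_policy)
    current = merged.setdefault('Statement', [])
    by_sid = {s.get('Sid'): s for s in current}
    for stmt in statements:
        if stmt['Sid'] in by_sid:
            by_sid[stmt['Sid']].update(stmt)
        else:
            current.append(stmt)
    return merged


def key_region(cloud, key_ref):
    '''Region encoded in a KMS key ARN or a Cloud KMS resource name.'''
    if cloud == 'aws':
        parts = key_ref.split(':')  # arn:aws:kms:<region>:<account>:key/<id>, the form the tutorial registers
        if len(parts) == 6 and parts[:3] == ['arn', 'aws', 'kms'] and parts[5].startswith('key/'):
            return parts[3]
    if cloud == 'gcp':
        parts = key_ref.split('/')  # projects/P/locations/<loc>/keyRings/R/cryptoKeys/K
        if len(parts) == 8 and parts[0] == 'projects' and parts[2] == 'locations':
            return parts[3]
    raise ValueError('unrecognised ' + cloud + ' key reference: ' + key_ref)


def key_usable_in(cloud, key_ref, cluster_region):
    '''True if the key (for AWS multi-region keys: this replica) can serve the cluster.'''
    region = key_region(cloud, key_ref)
    return region == cluster_region or (cloud == 'gcp' and region == 'global')


if __name__ == '__main__':
    # Constructed stand-in for the output of `aws kms get-key-policy`.
    current = {'Version': '2012-10-17', 'Statement': [
        {'Sid': 'Enable IAM User Permissions', 'Effect': 'Allow',
         'Principal': {'AWS': 'arn:aws:iam::111122223333:root'},
         'Action': 'kms:*', 'Resource': '*'}]}
    acct = capella_account_for('aws', CLOUD_ACCOUNTS)
    print(json.dumps(merge_key_policy(current, capella_kms_statements(acct)), indent=2))
    print(key_usable_in('aws', 'arn:aws:kms:us-east-1:111122223333:key/mrk-1234', 'us-east-1'))
```

<p><span style=\"font-weight: 400\">Running the file prints the merged policy; review that your own administrative statement survived the merge before applying the result with <i>aws kms put-key-policy<\/i>. For an AWS multi-region key, pass the ARN of the replica in the cluster\u2019s region, since that is the ARN Capella will be given.<\/span><\/p>\n<p><span style=\"font-weight: 400\">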
In this step, we need to inform Capella that such a CMEK exists and that it can be used by clusters.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We will now add the CMEK metadata to our Capella organization:<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">curl --request POST \\\r\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cmek \\\r\n\u00a0\u00a0--header 'Authorization: Bearer &lt;V4 API Key Secret&gt;' \\\r\n\u00a0\u00a0--header 'Content-Type: application\/json' \\\r\n\u00a0\u00a0--data '{\r\n\u00a0\u00a0\"name\": \"Test Key\",\r\n\u00a0\u00a0\"description\": \"Description of the Key\",\r\n\u00a0\u00a0\"config\": {\r\n\u00a0\u00a0\u00a0\u00a0\"arn\": \"arn:aws:kms:us-east-1:&lt;customer-owned-aws-account-id&gt;:key\/&lt;key-id&gt;\"\r\n\u00a0\u00a0}\r\n}'<\/pre>\n<p><span style=\"font-weight: 400\">Remember, here, the key config ARN is the ARN of the key, as seen in the customer-owned AWS account:<\/span><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15392\" style=\"border: 1px solid black\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image1-1024x179.jpg\" alt=\"the ARN of the key, as seen in the customer-owned AWS account\" width=\"900\" height=\"157\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image1-1024x179.jpg 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image1-300x52.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image1-768x134.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image1-1536x268.jpg 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image1-1320x230.jpg 1320w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image1.jpg 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400\">For GCP, the API payload will accept the <em>resourceName<\/em> of the KMS key.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">curl --request POST \\\r\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cmek \\\r\n\u00a0\u00a0--header 'Authorization: Bearer &lt;V4 API Key Secret&gt;' \\\r\n\u00a0\u00a0--header 'Content-Type: application\/json' \\\r\n\u00a0\u00a0--data '{\r\n\u00a0\u00a0\"name\": \"Test Key\",\r\n\u00a0\u00a0\"description\": \"Description of the Key\",\r\n\u00a0\u00a0\"config\": {\r\n\u00a0\u00a0\u00a0\u00a0\"resourceName\": \"projects\/&lt;gcp-project-name&gt;\/locations\/global\/keyRings\/&lt;keyring-name&gt;\/cryptoKeys\/&lt;key-name&gt;\"\r\n\u00a0\u00a0}}'<\/pre>\n<p><span style=\"font-weight: 400\">This API will respond with a CMEK ID. 
Please note this ID as it will be used in subsequent API calls.<\/span><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image5.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15393\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image5-1024x213.jpg\" alt=\"\" width=\"900\" height=\"187\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image5-1024x213.jpg 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image5-300x62.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image5-768x160.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image5-1320x274.jpg 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image5.jpg 1510w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400\">Once the key is added to Capella, we can easily perform list, read, and delete key operations using the V4 APIs on this key. <\/span><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html#tag\/cmek\"><i><span style=\"font-weight: 400\">See this API specification for more details.<\/span><\/i><\/a><\/p>\n<p><i><span style=\"font-weight: 400\">Do note that Capella will only allow the deletion of the key if no cluster is actively associated with the key.<\/span><\/i><\/p>\n<h2><span style=\"font-weight: 400\">Step 3: Associating the Encryption Key with a Cluster<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Next, we want to use this CMEK to encrypt\/decrypt the data in one of our Capella clusters. To do this, note down the project ID and cluster ID of the particular cluster from the Capella UI.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Use this API to associate the CMEK with the said cluster. 
The <em>cmekId<\/em> is the ID received in Step 2 when the CMEK metadata was added to Capella:<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">curl --request POST \\\r\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/projects\/{projectId}\/clusters\/{clusterId}\/cmek\/{cmekId}\/associate \\\r\n\u00a0--header 'Authorization: Bearer &lt;V4 API Key Secret&gt;'<\/pre>\n<p><span style=\"font-weight: 400\">Once this API is invoked, the cluster will be redeployed while Capella moves all the data to new persistent volumes. These volumes are newly created with the provided CMEK. This operation will result in a swap rebalance across all nodes of the cluster, without any downtime. The activity typically takes ~5-10 mins, depending on the data and cluster size.<\/span><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15394\" style=\"border: 1px solid black\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image2-1024x103.jpg\" alt=\"Associating the Encryption Key with a Cluster\" width=\"900\" height=\"91\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image2-1024x103.jpg 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image2-300x30.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image2-768x78.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image2-1536x155.jpg 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image2-1320x133.jpg 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image2.jpg 1999w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400\">Finally, we will see the cluster return to a healthy status and the 
CMEK associated with the cluster. We can find this information by making a <\/span><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html#tag\/clusters\/operation\/getCluster\"><span style=\"font-weight: 400\">GET cluster details API<\/span><\/a><span style=\"font-weight: 400\"> call.<\/span><\/p>\n<p><span style=\"font-weight: 400\">To unassociate the key from the cluster, simply execute this API:<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">curl --request POST \\\r\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/projects\/{projectId}\/clusters\/{clusterId}\/cmek\/{cmekId}\/unassociate \\\r\n\u00a0--header 'Authorization: Bearer &lt;V4 API Key Secret&gt;'<\/pre>\n<p><span style=\"font-weight: 400\">This will redeploy the cluster, remove the key, and use a new encryption key fully managed by Capella to encrypt the data at rest. This activity, too, results in a swap rebalance and takes a few minutes.<\/span><\/p>\n<h3><span style=\"font-weight: 400\">Associating the Key with a New Cluster<\/span><\/h3>\n<p><span style=\"font-weight: 400\">The key can be associated with a new cluster by executing the <\/span><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html#tag\/clusters\/operation\/postCluster\"><span style=\"font-weight: 400\">create cluster API<\/span><\/a><span style=\"font-weight: 400\"> and passing CMEK ID in the request payload as follows:<\/span><\/p>\n<p><a href=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image7.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-15395\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image7-779x1024.jpg\" alt=\"\" width=\"779\" height=\"1024\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image7-779x1024.jpg 779w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image7-228x300.jpg 228w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image7-768x1009.jpg 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image7-300x394.jpg 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image7.jpg 953w\" sizes=\"auto, (max-width: 779px) 100vw, 779px\" \/><\/a><\/p>\n<h2><span style=\"font-weight: 400\">Step 4: Rotating the Encryption Key<\/span><\/h2>\n<p><span style=\"font-weight: 400\">An important part of key hygiene is rotating the encryption key on a schedule set by your security governance policy. Capella cannot rotate the key for you: you rotate it in your own KMS and then tell Capella about the new key.<\/span><\/p>\n<p><span style=\"font-weight: 400\">To do this, create a new key in your cloud-native KMS and give Capella access to it exactly as in Step 1. Then invoke the following API to update the key ARN (or, for GCP, the key resource name) held under the CMEK ID that is associated with your cluster(s):<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">curl --request PUT \\\r\nhttps:\/\/cloudapi.cloud.couchbase.com\/v4\/organizations\/{organizationId}\/cmek\/{cmekId} \\\r\n  --header 'Authorization: Bearer &lt;V4 API Key Secret&gt;' \\\r\n  --header 'Content-Type: application\/json' \\\r\n  --data '{\r\n  \"config\": {\r\n    \"arn\": \"arn:aws:kms:us-east-1:&lt;customer-owned-aws-account-id&gt;:key\/&lt;new-key-id&gt;\"\r\n  }\r\n}'<\/pre>\n<p><span style=\"font-weight: 400\">AWS and GCP can rotate key material automatically under the same key resource, but Capella\u2019s access to the key is limited to using it, so Capella cannot detect that such a rotation happened in your cloud account(s). 
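<\/span><\/p>\n<p><span style=\"font-weight: 400\">The following added example (not Couchbase code) strings Steps 2 to 4 together in one small Python client: it registers the key, associates it with a cluster, polls the GET cluster details call until the cluster is healthy and reports the expected CMEK ID, and refuses a rotation whose key reference equals the one currently registered, since that is the case Capella cannot act on. The HTTP transport is injectable; the FakeCapella class is a constructed stand-in for the Management API so the flow runs offline, and the cluster-response field names currentState and cmekId, the read endpoint path, and the organization, project, cluster and key identifiers are assumptions.<\/span><\/p>

```python
# Added example (not Couchbase code): Steps 2 to 4 driven by one small client.
# `send` is injectable, so the flow runs offline against the constructed
# FakeCapella below; assumed response field names are marked as assumptions.
import json
import urllib.request

BASE = 'https://cloudapi.cloud.couchbase.com/v4'


def urllib_send(method, url, token, body=None):
    '''Real transport: returns (status, parsed JSON or None); HTTPError propagates.'''
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header('Authorization', 'Bearer ' + token)
    if data is not None:
        req.add_header('Content-Type', 'application/json')
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class CmekClient:
    def __init__(self, org_id, token, send=urllib_send):
        self.org, self.token, self.send = org_id, token, send

    def _call(self, method, path, body=None):
        status, payload = self.send(method, BASE + path, self.token, body)
        if status >= 300:
            raise RuntimeError(method + ' ' + path + ' -> ' + str(status))
        return payload

    def register(self, name, config, description=''):
        '''Step 2: POST the ARN / resourceName; the returned id is the cmekId.'''
        body = {'name': name, 'description': description, 'config': config}
        return self._call('POST', '/organizations/' + self.org + '/cmek', body)['id']

    def read(self, cmek_id):  # assumed read path: /organizations/{org}/cmek/{cmekId}
        return self._call('GET', '/organizations/' + self.org + '/cmek/' + cmek_id)

    def associate(self, project_id, cluster_id, cmek_id):
        '''Step 3: starts the redeploy and swap rebalance onto CMEK-encrypted volumes.'''
        self._call('POST', '/organizations/' + self.org + '/projects/' + project_id
                   + '/clusters/' + cluster_id + '/cmek/' + cmek_id + '/associate')

    def cluster_state(self, project_id, cluster_id):
        # Assumption: GET cluster details exposes `currentState` and `cmekId`.
        c = self._call('GET', '/organizations/' + self.org + '/projects/' + project_id
                       + '/clusters/' + cluster_id)
        return c.get('currentState'), c.get('cmekId')

    def rotate(self, cmek_id, new_config):
        '''Step 4: PUT a *different* key resource under the same cmekId.'''
        # Capella cannot see KMS-side automatic rotation, so re-sending the
        # current reference is not a rotation; refuse it before the API does.
        if self.read(cmek_id).get('config') == new_config:
            raise ValueError('rotation needs a new key resource, not the current one')
        self._call('PUT', '/organizations/' + self.org + '/cmek/' + cmek_id,
                   {'config': new_config})


def wait_until_healthy(client, project_id, cluster_id, cmek_id, attempts=60, pause=lambda: None):
    '''Poll until the cluster is healthy *and* reports the expected key; False on timeout.'''
    for _ in range(attempts):
        state, attached = client.cluster_state(project_id, cluster_id)
        if state == 'healthy' and attached == cmek_id:
            return True
        pause()
    return False


class FakeCapella:
    '''Constructed stand-in for the Management API, not Couchbase's real behaviour.'''
    def __init__(self):
        self.keys, self.clusters, self.polls = {}, {}, 0

    def __call__(self, method, url, token, body=None):
        p = url[len(BASE):].split('/')
        if token != 'secret':
            return 401, None
        if method == 'POST' and p[-1] == 'cmek':
            self.keys['k-1'] = dict(body, id='k-1')
            return 201, {'id': 'k-1'}
        if method == 'GET' and p[-2] == 'cmek':
            return 200, self.keys[p[-1]]
        if method == 'PUT' and p[-2] == 'cmek':
            self.keys[p[-1]]['config'] = body['config']
            return 204, None
        if method == 'POST' and p[-1] == 'associate':
            self.clusters[p[-4]] = {'cmekId': p[-2], 'currentState': 'rebalancing'}
            return 202, None
        if method == 'GET' and p[-2] == 'clusters':
            self.polls += 1
            cluster = self.clusters[p[-1]]
            if self.polls >= 2:  # second poll: the swap rebalance has finished
                cluster['currentState'] = 'healthy'
            return 200, cluster
        return 404, None


def run_flow(send, token='secret'):
    '''Steps 2-4 end to end: (cmekId, healthy after associate, config after rotation).'''
    c = CmekClient('org-1', token, send)
    key = c.register('Test Key', {'arn': 'arn:aws:kms:us-east-1:111122223333:key/old'})
    c.associate('proj-1', 'cl-1', key)
    healthy = wait_until_healthy(c, 'proj-1', 'cl-1', key, attempts=5)
    c.rotate(key, {'arn': 'arn:aws:kms:us-east-1:111122223333:key/new'})
    # In production: wait_until_healthy again, and only then disable the old key in KMS.
    return key, healthy, c.read(key)['config']
```

<p><span style=\"font-weight: 400\">With the real transport, construct the client as CmekClient(organizationId, apiKeySecret) and call the same methods with your own project, cluster and key identifiers; after a rotation, poll wait_until_healthy again before disabling the previous key in your KMS.<\/span><\/p>\n<p><span style=\"font-weight: 400\">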
For that reason, the rotation API only accepts a key resource that differs from the one currently registered under the CMEK ID; rotating the key material inside KMS under the same ARN or resource name is invisible to Capella and does not re-encrypt the cluster\u2019s volumes.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Once this API is invoked, Capella automatically finds all clusters associated with that CMEK ID and redeploys them to rotate the key. Capella removes the older key resource and associates the new key resource with the cluster\u2019s persistent volumes. This operation also results in a swap rebalance of the data across all nodes of the cluster(s), again without any downtime.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Finally, you will see that the clusters are back to a healthy state and that the new key resource is associated with the CMEK ID. Keep the previous key enabled, with Capella\u2019s access to it intact, until every affected cluster reports healthy with the new key; only then disable or schedule deletion of the old key in your KMS.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Conclusion<\/span><\/h2>\n<p><span style=\"font-weight: 400\">This is how you can take control of your data security by using Customer-Managed Encryption Keys for all your Couchbase clusters in Capella.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Resources and Next Steps<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Check out these links on the V4 Management API reference and the detailed documentation for using Customer Managed Encryption Keys:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/docs.couchbase.com\/cloud\/management-api-reference\/index.html\"><span style=\"font-weight: 400\">Capella Management API Reference<\/span><\/a><\/li>\n<li style=\"font-weight: 400\"><a href=\"https:\/\/docs.couchbase.com\/cloud\/security\/cmek.html\"><span style=\"font-weight: 400\">Customer Managed Encryption Keys (CMEK) in Capella<\/span><\/a><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">If you have questions or feedback, please leave a comment below. 
The <\/span><a href=\"https:\/\/forums.couchbase.com\/\"><span style=\"font-weight: 400\">Couchbase Forums<\/span><\/a><span style=\"font-weight: 400\"> or <\/span><a href=\"https:\/\/discord.com\/invite\/K7NPMPGrPk\"><span style=\"font-weight: 400\">Couchbase Discord<\/span><\/a><span style=\"font-weight: 400\"> channels are another good place to reach out with questions.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Capella understands how important data security is to your business, especially when using cloud services. That&#8217;s why we&#8217;re excited to announce a new feature that lets you take control over your data protection: Customer-Managed Encryption Keys (CMEK). What is CMEK? [&hellip;]<\/p>\n","protected":false},"author":85129,"featured_media":15399,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1815,2225,1813],"tags":[9929],"ppma_author":[9931],"class_list":["post-15386","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-best-practices-and-tutorials","category-cloud","category-security","tag-cmek"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.8 (Yoast SEO v25.8) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Customer-Managed Encryption Keys for AWS &amp; GCP in Capella<\/title>\n<meta name=\"description\" content=\"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. 
Find a full tutorial and more info here.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unlocking Data Security: Customer-Managed Encryption Keys in Capella\" \/>\n<meta property=\"og:description\" content=\"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/\" \/>\n<meta property=\"og:site_name\" content=\"The Couchbase Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-03-07T16:25:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-15T15:34:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/03\/image_2024-03-07_100622853-1024x585.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Talina Shrotriya, Software Engineering Manager\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Talina Shrotriya, Software Engineering Manager\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/\"},\"author\":{\"name\":\"Talina Shrotriya, Senior Engineering Manager\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/50c96ba341a92708507fcd493a0ecbb8\"},\"headline\":\"Unlocking Data Security: Customer-Managed Encryption Keys in Capella\",\"datePublished\":\"2024-03-07T16:25:23+00:00\",\"dateModified\":\"2024-03-15T15:34:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/\"},\"wordCount\":1478,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image_2024-03-07_100622853.png\",\"keywords\":[\"CMEK\"],\"articleSection\":[\"Best Practices and Tutorials\",\"Couchbase Capella\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/\",\"url\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/\",\"name\":\"Customer-Managed Encryption Keys for AWS & GCP in 
Capella\",\"isPartOf\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image_2024-03-07_100622853.png\",\"datePublished\":\"2024-03-07T16:25:23+00:00\",\"dateModified\":\"2024-03-15T15:34:56+00:00\",\"description\":\"Take control of your data security by using customer-managed encryption keys for all your Couchbase clusters in Capella. Find a full tutorial and more info here.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#primaryimage\",\"url\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image_2024-03-07_100622853.png\",\"contentUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image_2024-03-07_100622853.png\",\"width\":2665,\"height\":1522},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/data-security-customer-managed-encryption-keys-in-capella\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.couchbase.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Unlocking Data Security: Customer-Managed Encryption Keys in 
Capella\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#website\",\"url\":\"https:\/\/www.couchbase.com\/blog\/\",\"name\":\"The Couchbase Blog\",\"description\":\"Couchbase, the NoSQL Database\",\"publisher\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.couchbase.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#organization\",\"name\":\"The Couchbase Blog\",\"url\":\"https:\/\/www.couchbase.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png\",\"contentUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2023\/04\/admin-logo.png\",\"width\":218,\"height\":34,\"caption\":\"The Couchbase Blog\"},\"image\":{\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/50c96ba341a92708507fcd493a0ecbb8\",\"name\":\"Talina Shrotriya, Senior Engineering Manager\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.couchbase.com\/blog\/#\/schema\/person\/image\/1a67340659be31a858a1d3e12e015b0e\",\"url\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image_2024-03-07_092247517.png\",\"contentUrl\":\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/03\/image_2024-03-07_092247517.png\",\"caption\":\"Talina Shrotriya, Senior Engineering 
Manager\"},\"url\":\"https:\/\/www.couchbase.com\/blog\/author\/talinashrotriya\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->"}