Setting up Encryption at Rest for your Managed Databases with the Scaleway API
Encryption at rest allows you to permanently encrypt your database data. The data is encrypted at volume level using LUKS. The management of the encryption key is done by Scaleway.
The feature can be activated upon Database Instance creation via the console and the API, or after creation exclusively through the API with the upgrade endpoint.
Creating a Database Instance with encryption at rest
- Edit the POST request payload you will use to create your Database Instance. Make sure you include the encryption parameter and set the enabled attribute to true.

  '{
    "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
    "name": "myDB",
    "engine": "PostgreSQL-15",
    "tags": ["foo", "bar"],
    "is_ha_cluster": true,
    "node_type": "db-pro2-xxs",
    "disable_backup": false,
    "user_name": "my_initial_user",
    "password": "thiZ_is_v0ry_s3cret",
    "volume_type": "sbs_5k",
    "volume_size": "30000000000",
    "encryption": { "enabled": true }
  }'
- Create a Database Instance by running the following command. Make sure you include the payload you edited in the previous step.

  curl -X POST \
    -H "X-Auth-Token: $SCW_SECRET_KEY" \
    -H "Content-Type: application/json" \
    "https://api.scaleway.com/rdb/v1/regions/$SCW_REGION/instances" \
    -d '{
      "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
      "name": "myDB",
      "engine": "PostgreSQL-15",
      "tags": ["foo", "bar"],
      "is_ha_cluster": true,
      "node_type": "db-pro2-xxs",
      "disable_backup": false,
      "user_name": "my_initial_user",
      "password": "thiZ_is_v0ry_s3cret",
      "volume_type": "sbs_5k",
      "volume_size": "30000000000",
      "encryption": { "enabled": true }
    }'
You should get a response like the following confirming that the Database Instance was created, and encryption at rest is enabled.
{
  "id": "f5122f66-fb50-4cef-aa02-487ef4fc1af0",
  "name": "myDB",
  "organization_id": "895693aa-3915-4896-8761-c2923b008be7",
  "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
  "status": "ready",
  "engine": "PostgreSQL-15",
  "endpoint": {
    "ip": "198.51.100.0",
    "port": 22245,
    "name": null
  },
  "tags": [
    "foo",
    "bar"
  ],
  "settings": [],
  "backup_schedule": {
    "frequency": 24,
    "retention": 7,
    "disabled": true
  },
  "is_ha_cluster": true,
  "read_replicas": [],
  "node_type": "db-pro2-xxs",
  "volume": {
    "type": "sbs_5k",
    "size": 30000000000
  },
  "encryption": {
    "enabled": true
  },
  "created_at": "2019-04-19T16:24:52.591417Z",
  "region": "fr-par"
}
Enabling encryption at rest in an existing Database Instance
To enable encryption at rest after a Database Instance has already been created, you can use the upgrade endpoint of the Managed Databases API.
Run the following command. Make sure you replace the instance_id in the endpoint and that the enable_encryption parameter is set to true.
curl -X POST \
-H "X-Auth-Token: $SCW_SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{
"enable_encryption": true
}' \
"https://api.scaleway.com/rdb/v1/regions/fr-par/instances/{instance_id}/upgrade"
If the operation is successful, you see an output containing all the details of your Database Instance, including "encryption":{"enabled":true}.
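To confirm the result instead of reading the output by eye, the check below flags every Database Instance whose response does not contain "encryption":{"enabled":true} and builds the matching upgrade call for it. This is an added example, not Scaleway's own code; the "instances" array for a listing response is an assumption, and the sample IDs and names are constructed.

```python
import json
import urllib.request

# Base URL as used by the commands on this page.
API = "https://api.scaleway.com/rdb/v1/regions/{region}/instances"


def encryption_enabled(instance):
    """True only if the instance reports "encryption": {"enabled": true}."""
    enc = instance.get("encryption")
    return isinstance(enc, dict) and enc.get("enabled") is True


def unencrypted(response):
    """Return the instances in a response that are not encrypted at rest.

    Accepts one instance object (the shape shown on this page) or an object
    holding an "instances" array (assumed shape of a listing response).
    """
    instances = response.get("instances", [response])
    return [inst for inst in instances if not encryption_enabled(inst)]


def upgrade_request(region, instance_id, secret_key):
    """Build, without sending, the upgrade call that enables encryption."""
    return urllib.request.Request(
        API.format(region=region) + f"/{instance_id}/upgrade",
        data=json.dumps({"enable_encryption": True}).encode(),
        headers={"X-Auth-Token": secret_key,
                 "Content-Type": "application/json"},
        method="POST",
    )


# Constructed sample data: IDs and names are placeholders, not real instances.
SAMPLE = {"instances": [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "db-a",
     "encryption": {"enabled": True}},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "db-b",
     "encryption": {"enabled": False}},
    {"id": "00000000-0000-0000-0000-000000000003", "name": "db-c"},
]}

if __name__ == "__main__":
    for inst in unencrypted(SAMPLE):
        req = upgrade_request("fr-par", inst["id"], "<SCW_SECRET_KEY>")
        print(inst["name"], "->", req.get_method(), req.full_url)
```

An instance with no encryption field at all is treated as unencrypted, so a missing field is never read as a pass.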