scaleway
diff --git a/‎faq/key-manager.mdx‎
Lines changed: 69 additions & 0 deletions b/‎faq/key-manager.mdx‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx‎
Lines changed: 79 additions & 0 deletions b/‎identity-and-access-management/key-manager/api-cli/create-dek-api-cli.mdx‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎identity-and-access-management/key-manager/api-cli/index.mdx‎
Lines changed: 8 additions & 0 deletions b/‎identity-and-access-management/key-manager/api-cli/index.mdx‎
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,69 @@
+---
+meta:
+  title: Key Manager FAQ
+  description: Explore Scaleway Key Manager with our comprehensive FAQ covering security, key types, and more.
+content:
+  h1: Key Manager
+dates:
+  validation: 2024-12-09
+category: identity-and-access-management
+productIcon: KeyManagerProductIcon
+---
+
+## Why should you use Scaleway Key Manager?
+
+Key Manager helps organizations achieve secure key management by handling low-level and error-prone cryptographic details for you.
+
+
+## What features does Scaleway Key Manager include?
+
+Scaleway Key Manager allows you to create, manage and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to Key Manager, which in turn ensures the security and availability of your keys.
+
+## Which management methods can I use with Key Manager?
+
+Key Manager allows you to create and manage the complete lifecycle of a key. Below are all the ways you can use Key Manager to manage your data.
+
+### Create a key:
+
+You must specify a **key usage**, which defines the **purpose of the key** (encryption, signing, etc.) and which **cryptographic algorithm** will be used to derive the key. Upon key creation, a first key version is also automatically created.
+
+### Retrieve a key:
+
+Retrieving a key **only returns the metadata associated with the key**. The key versions will not be returned when retrieving a key.
+
+### List keys:
+
+You can retrieve a subset of your keys according to filters such as "name", "description", "tags", etc.
+
+### Update a key:
+
+You can update the key's name, description or tags at any time.
+
+### Enable and disable key protection:
+
+**Enabling key protection prevents any accidental deletion of a key**. You must disable key protection before deleting a key to which key protection is applied.
+
+### Rotate a key:
+
+Rotating a key **creates a new key version and makes all previous versions obsolete**.
+
+### Delete a key:
+
+Deleting a key also **deletes all its versions**.
+
+
+## Which cryptographic operations does Key Manager support?
+
+At the moment, Scaleway's Key Manager supports the three following cryptographic operations.
+
+| Encryption                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Decryption                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Data encryption key generation                                                                                                                                                                                                                                                                                                                             |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Encrypt data using the latest version of the Key Manager key. The encryption algorithm used is the one defined when setting the key usage.  Only keys with a usage set to `symmetric_encryption` are supported by this method. The input data is arbitrary, but this endpoint should only be used only to encrypt data encryption keys, not actual payloads. [Find out how to encrypt and decrypt payloads using The Scaleway Tink provider](/identity-and-access-management/key-manager/api-cli/manage-keys-with-tink) | This operation lets you decrypt an encrypted payload. **The only way to decrypt an encrypted payload is by using the `Decrypt` endpoint. Since key versions never leave Key Manager, there is no other way to decrypt data outside Key Manager.**  A payload encrypted with an older key version can still be decrypted. In this case, for convenience, the payload encrypted with the latest key version will be returned, along with the decrypted payload. | Generate a symmetric [data encryption key](/identity-and-access-management/key-manager/concepts/#data-encryption-key-(dek)) (DEK) that can be used outside Key Manager to encrypt and decrypt payloads. This DEK is encrypted with a key encryption key, specified by the caller.  **The management of the DEK is the responsibility of the caller. The DEK should be stored safely and have the same lifecycle as the payload it encrypts.** |
+
+## Which algorithms and key usage does Key Manager support?
+
+Key Manager **only supports symmetric encryption as of yet**.
+
+Keys with a [key usage](/identity-and-access-management/key-manager/concepts/#key-usage) set to `symmetric_encryption` are **used to encrypt and decrypt data**.
+
+Key Manager currently **only supports the `AES-256-GCM` key algorithm**. Refer to our [dedicated documentation](/identity-and-access-management/key-manager/reference-content/understanding-key-manager/) to find out which parameters (in compliance with the [recommendations of ANSSI](https://cyber.gouv.fr/publications/mecanismes-cryptographiques)) are used when creating and using a key with the `AES-256 GCM` [symmetric encryption](/identity-and-access-management/key-manager/concepts/#symmetric-encryption) algorithm.
@@ -0,0 +1,79 @@
+---
+meta:
+  title: Create a data encryption key using the Scaleway API and the Scaleway CLI
+  description: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI.
+content:
+  h1: Create a data encryption key using the Scaleway API and the Scaleway CLI
+  paragraph: Discover how to create a data encryption key using the Scaleway API and the Scaleway CLI.
+tags: key-management dek data-encryption-key cli sdk api encryption
+categories:
+  - identity-and-access-management
+dates:
+  validation: 2024-12-09
+  posted: 2024-12-09
+---
+
+<Macro id="requirements" />
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- Created a key encryption key either from the [Scaleway console](/identity-and-access-management/key-manager/how-to/create-km-key) or the [Key Manager API](https://www.scaleway.com/en/developers/api/key-manager/#path-keys-create-a-key)
+- Retrieved your key encryption key's ID
+- Created an [API key](/identity-and-access-management/iam/how-to/create-api-keys/)
+- Downloaded and configured the [Scaleway CLI](https://github.com/scaleway/scaleway-cli?tab=readme-ov-file#getting-started)
+
+## Generate a DEK using the Scaleway CLI
+
+1. Open a terminal and paste the following commands to export your environment variables. Make sure that you replace the placeholder values with your own.
+        ```bash
+        export SCW_ACCESS_KEY=<SCALEWAY_API_ACCESS_KEY>
+        export SCW_SECRET_KEY=<SCALEWAY_API_SECRET_KEY>
+        export SCW_DEFAULT_ORGANIZATION_ID=<SCALEWAY_ORGANIZATION_ID>
+        export SCW_PROJECT_ID=<SCALEWAY_PROJECT_ID>
+        export SCW_DEFAULT_REGION="fr-par"
+        export SCW_API_URL="https://api.scaleway.com"
+        ```
+
+2. Paste the following command to generate a data encryption key via the Scaleway CLI. Make sure that you replace `<your_kek_id>` with the ID of your key encryption key.
+        ```bash
+        scw keymanager key generate-data-key key-id=<your_kek_id> algorithm=aes_256_gcm
+        ```
+
+An output similar to the following should display:
+        ```bash
+        KeyID       <kek_id>
+        Algorithm   <algorithm_used_to_encrypt_your_key>
+        Ciphertext  <your_base64_encrypted_dek>
+        Plaintext   <your_base64_decrypted_dek>
+        CreatedAt   <creation_date>
+        ```
+
+
+## Generate a DEK using the API
+
+Paste the following command to create your data encryption key via the Key Manager API. Make sure that you replace the placeholder values with your own.
+        ```bash
+        curl --location 'https://api.scaleway.com/key-manager/v1alpha1/regions/fr-par/keys/<your_key_id>/generate-data-key' \
+        --header 'Content-Type: application/json' \
+        --header 'X-Auth-Token: <your_secret_key>' \
+        --data '{
+            "algorithm": "aes_256_gcm"
+        }'
+        ```
+
+Key Manager also supports the `GenerateDataKey` request without a plaintext operation, which only returns an encrypted data encryption key.
+
+If you need to use your DEK, you can decrypt it using the [Decrypt data operation](https://www.scaleway.com/en/developers/api/key-manager/#path-keys-decrypt-data) specifying the `kek_id` parameter used to encrypt it.
+
+Key Manager **does not allow the use of data encryption keys for data encryption**.
+
+However, you can use the DEK independently from Key Manager, for example with the [Tink extension](/encrypt-decrypt-dek-/#encrypt-and-decrypt-data-with-tink-and-key-manager) or with [OpenSSL](/encrypt-decrypt-dek/#manually-encrypt-and-decrypt-data-with-a-key-manager-dek).
+
+
+!!! info
+
+    The way the KEK is generated, its length, and the encryption algorithm used, **cannot be changed or customized after creation**.
+
+    However, unlike the KEK, you have the flexibility to choose any encryption algorithm (cipher) you prefer for encrypting and decrypting your data with the DEK. You are not restricted to a specific encryption method for the data itself.
+
+    **We highly recommend that you use standard and well-established ciphers (and the proper mode), as well as a library like Tink, that chooses the right cryptosystem according to your use-case.**
@@ -0,0 +1,8 @@
+---
+meta:
+  title: Key Manager - API/CLI Documentation
+  description: Key Manager API/CLI Documentation
+content:
+  h1: API/CLI Documentation
+  paragraph: Key Manager API/CLI Documentation
+---