Creating KMS keys

Create KMS keys through the Thalassa Cloud API or console. Each key is scoped to an organisation and region, with optional project scope.

Platform-generated keys

Platform-generated keys are the default. Thalassa Cloud creates and protects the key material in the regional KMS backend.

Required fields

Field      Description
name       Human-readable name (immutable after create)
keyType    Cryptographic algorithm; see Key types

Optional fields

Field                   Description
description             Purpose or owner notes (immutable after create)
labels                  Key-value metadata for organisation (immutable after create)
annotations             Additional metadata (immutable after create)
exportAllowed           Whether key material can later be exported; cannot be enabled after create
keyRotationEnabled      Enable automatic rotation
rotationPeriodInDays    Rotation interval (1–3650 days); required when rotation is enabled

Example: create a key with automatic rotation

curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Organisation-Identity: $ORG_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "secrets-encryption",
    "description": "Encrypts Secrets Manager values",
    "keyType": "aes256-gcm96",
    "keyRotationEnabled": true,
    "rotationPeriodInDays": 90
  }' \
  https://api.thalassa.cloud/v1/kms/nl-01/keys

Example: create a project-scoped key

curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Organisation-Identity: $ORG_ID" \
  -H "X-Project-Identity: $PROJECT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ci-signing",
    "keyType": "ed25519"
  }' \
  https://api.thalassa.cloud/v1/kms/nl-01/keys

Create-time decisions

Export allowance

Set exportAllowed: true only when regulatory or migration requirements demand exporting raw key material. Export is a highly sensitive break-glass operation. See Export and public keys.

Default to exportAllowed: false (or omit the field) for production keys.

Automatic rotation

Enable rotation at create time with keyRotationEnabled and rotationPeriodInDays. You can also configure or update rotation later via PATCH …/rotation. See Rotation for version behaviour and billing impact.

Each rotation creates a new key version. Existing ciphertext remains decryptable without re-encryption.
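A small client for the create call described above, added here as an example and not Thalassa Cloud's own code: it checks the create-time constraints from the field tables before anything is sent (required fields, the 1–3650 day rotation range, export left off unless explicitly requested) and turns the statuses in the Errors table into readable failures. The endpoint, headers and field names are the page's; create_key uses only the Python standard library.

```python
import json
import urllib.error
import urllib.request

# Added example, not Thalassa Cloud's own client: builds a validated request for
# POST /v1/kms/{region}/keys and surfaces the documented error statuses.
API_BASE = "https://api.thalassa.cloud/v1/kms"   # endpoint from the page
ROTATION_MIN_DAYS, ROTATION_MAX_DAYS = 1, 3650   # rotationPeriodInDays range
ERROR_CAUSES = {403: "KMS not enabled for your organisation",   # Errors table
                404: "region not found, or insufficient IAM (masked as 404)",
                409: "duplicate key slug in the org/region/project scope",
                503: "KMS not available in the target region"}


def build_create_key_request(region, token, org_id, name, key_type,
                             project_id=None, description=None,
                             export_allowed=False, rotation_days=None):
    """Return (url, headers, body dict); raise ValueError on a bad body."""
    if not name or not key_type:
        raise ValueError("name and keyType are required")
    if rotation_days is not None and not (
            ROTATION_MIN_DAYS <= rotation_days <= ROTATION_MAX_DAYS):
        raise ValueError("rotationPeriodInDays must be between 1 and 3650")
    body = {"name": name, "keyType": key_type}
    if description:
        body["description"] = description
    # exportAllowed cannot be switched on after create; omitting it means false.
    if export_allowed:
        body["exportAllowed"] = True
    if rotation_days is not None:  # rotation always carries both fields
        body["keyRotationEnabled"] = True
        body["rotationPeriodInDays"] = rotation_days
    headers = {"Authorization": f"Bearer {token}",
               "X-Organisation-Identity": org_id,
               "Content-Type": "application/json"}
    if project_id:  # optional project scope, as in the second curl example
        headers["X-Project-Identity"] = project_id
    return f"{API_BASE}/{region}/keys", headers, body


def create_key(url, headers, body):
    """POST the request; return the parsed key or raise with the documented cause."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        cause = ERROR_CAUSES.get(err.code, "unexpected status")
        raise RuntimeError(f"create key failed: HTTP {err.code}, {cause}") from err
```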

Bring your own key

To import externally generated key material instead of using platform-generated keys, see Bring your own key (BYOK).

List and retrieve keys

List keys in a region:

GET /v1/kms/{region}/keys

Get a specific key by identity or slug:

GET /v1/kms/{region}/keys/{identity}

Filter list results with query parameters:

Parameter    Description
identity     Filter by key identity
name         Filter by name
slug         Filter by slug

List and get responses include version metadata: latestVersion, versions[], and minDecryptionVersion.

Errors

HTTP status    Typical cause
403            KMS not enabled for your organisation
404            Region not found, or insufficient IAM (masked as not found)
409            Duplicate key slug in the org/region/project scope
503            KMS not available in the target region

See FAQ for additional troubleshooting.