Deploy Encryption Keys with Reis (Flag Mode)
Create and manage encryption keys directly from the command line using Reis flag-mode commands.
Create and manage encryption keys directly from the command line using Reis flag-mode commands.
Create an encryption key
reis encryption_key:create \
--name "Data Encryption Key" \
--handle data-enc-key \
--key_file ./keys/data.key.b64 \
--algorithm AES-256 \
--format base64The key file contains the raw key material (base64 or hex encoded). The handle must be DNS-1123 compliant (lowercase alphanumeric and hyphens, max 63 characters).
List encryption keys
reis encryption_key:listShows a table with handle, name, algorithm, key size, format, and creation date for each key.
Show details
reis encryption_key:show <key-id>Displays metadata including algorithm, key size, and format. The raw key is never displayed.
Rotate key material
reis encryption_key:rotate <key-id> \
--key_file ./keys/new-data.key.b64Creates a new version and marks it current. The previous version is retained for rollback. Algorithm and format remain unchanged.
List versions
reis encryption_key:versions <key-id>Activate a previous version (rollback)
reis encryption_key:activate_version <key-id> <version-number>Delete an encryption key
reis encryption_key:delete <key-id>Add --force to skip the confirmation prompt. Deleting removes all versions, project attachments, and container wiring.
Attach to a project
reis project:attach <project-id> encryption_keys data-enc-keySingular alias encryption_key is also accepted. The project-id is the UUID Reis returns from project:list or project:show.
Detach from a project
reis project:detach <project-id> encryption_keys data-enc-keyIf a running container still mounts the key, detach is rejected with a 409 naming the blocking container — tear it down (or remove its encryption_keys block) and retry.