Deploy Encryption Keys with Terraform

An encryption key stores a symmetric key (e.g. AES-256) in the Bahriya vault. Encryption keys are scoped to your organisation, versioned with rotation history, and can be attached to projects and containers.

Updated 23 Jun 2026

Required fields

Field      Type    Description
handle     string  A unique identifier (DNS-1123 compliant: lowercase, alphanumeric, hyphens).
name       string  A display name.
key        string  The key material, encoded as declared in format (base64, hex, or raw).
algorithm  string  Algorithm name (AES-128, AES-256, ChaCha20, etc.).
format     string  Encoding format: base64, hex, or raw.

Read-only fields

Field     Type     Description
key_bits  integer  Key size in bits, computed from the decoded key length.

Example

resource "bahriya_encryption_key" "data_key" {
  handle    = "data-enc-key"
  name      = "Data Encryption Key"
  # file() returns the file verbatim, including a trailing newline left by
  # tools such as `openssl rand -base64`; trimspace() strips it.
  key       = trimspace(file("${path.module}/keys/data.key.b64"))
  algorithm = "AES-256"
  format    = "base64"
}

Keep keys/data.key.b64 out of version control. Terraform also records the key value in its state file (marking an attribute sensitive only redacts it from plan and apply output), so protect state as you would the key itself.
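The provider derives key_bits from the decoded key, and a mismatch between that size and the declared algorithm is cheap to catch before terraform apply. The following is an added Python example, not code from the Bahriya provider: it decodes a key the way the format field declares, reproduces the key_bits computation, checks it against the algorithm name, and writes a fresh key file with owner-only permissions and no trailing newline so that file() returns exactly the encoded key. The ALGORITHM_BITS table and the reading of "raw" as the string's own bytes are assumptions of this example.

```python
import base64
import binascii
import os
import secrets

# Assumed key sizes implied by the algorithm names on this page
# (AES-128/AES-256 by name; ChaCha20 always uses a 256-bit key).
ALGORITHM_BITS = {"AES-128": 128, "AES-256": 256, "ChaCha20": 256}


def decode_key(key: str, fmt: str) -> bytes:
    """Decode the key string as the `format` field declares it.

    "raw" is assumed (not specified on the page) to mean the string's own
    UTF-8 bytes are the key.
    """
    if fmt == "base64":
        # validate=True rejects characters outside the base64 alphabet,
        # including a stray trailing newline that file() would pass through.
        return base64.b64decode(key, validate=True)
    if fmt == "hex":
        # Raises binascii.Error (a ValueError) on odd length or non-hex digits.
        return binascii.unhexlify(key)
    if fmt == "raw":
        return key.encode("utf-8")
    raise ValueError(f"unknown format {fmt!r}")


def key_bits(key: str, fmt: str) -> int:
    """Mirror the read-only key_bits attribute: 8 * decoded length."""
    return 8 * len(decode_key(key, fmt))


def check_key(key: str, fmt: str, algorithm: str) -> int:
    """Return key_bits if it matches `algorithm`, otherwise raise ValueError."""
    expected = ALGORITHM_BITS.get(algorithm)
    if expected is None:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    bits = key_bits(key, fmt)
    if bits != expected:
        raise ValueError(f"{algorithm} needs a {expected}-bit key, got {bits} bits")
    return bits


def write_key_file(path: str, algorithm: str, fmt: str = "base64") -> str:
    """Generate a random key of the right size for `algorithm` and write it
    encoded as `fmt` (base64 or hex), mode 0600, without a trailing newline.
    Returns the encoded key. Random bytes are not valid text, so "raw" is
    refused here."""
    if fmt not in ("base64", "hex"):
        raise ValueError(f"cannot write random key material as {fmt!r}")
    raw = secrets.token_bytes(ALGORITHM_BITS[algorithm] // 8)
    encoded = base64.b64encode(raw).decode("ascii") if fmt == "base64" else raw.hex()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(encoded)
    return encoded
```

Run check_key over the same string you hand to the key field (after any trimspace()) so that a wrong-sized or newline-terminated key fails locally rather than at apply time.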

Attach it to a project so it deploys to the project's regions:

resource "bahriya_project" "production" {
  handle  = "production"
  name    = "Production"
  regions = ["helsinki-1", "falkenstein-1"]
}
 
resource "bahriya_project_encryption_key_attachment" "data_key" {
  project_id = bahriya_project.production.id
  handle     = bahriya_encryption_key.data_key.handle
}

Then mount it on a container — the raw key material lands as a file in mountpath:

resource "bahriya_container" "encryptor" {
  # ... other fields ...
 
  encryption_keys = [
    {
      handle    = bahriya_encryption_key.data_key.handle
      mountpath = "/etc/bahriya/enc"
    },
  ]
}

Encryption keys are file-only: there is no environment-variable injection mode. Environment variables leak easily (to child processes, /proc/<pid>/environ, crash reports and debug output), so raw key bytes are never exposed that way.

Rotation

To rotate key material, update the key field in your Terraform config and run terraform apply. The Bahriya API creates a new version and marks it current. Previous versions are retained for rollback (default: last 5). Algorithm and format remain unchanged.

After rotation, the file in mountpath is replaced on running containers within about 60 seconds; no redeploy is needed for file-mounted keys. The swap is only visible to a process that re-reads the file: one that loaded the key into memory at startup keeps using the old version, so read the key per use or check the file for changes before each operation.
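A consumer that caches the key once will miss the rotation described above. The following is an added Python example, not part of the Bahriya product: a loader that re-reads the mounted key whenever the file's inode, size or mtime changes, and validates the size of what it read. The file layout (<mountpath>/<handle>, holding the decoded key bytes) is an assumption, as the page does not specify the file name inside mountpath.

```python
import os
from typing import Optional, Tuple


class MountedKey:
    """Return the current key bytes from a file-mounted encryption key.

    Assumed layout (not specified on the page): the decoded key material is at
    <mountpath>/<handle>, e.g. /etc/bahriya/enc/data-enc-key.
    """

    def __init__(self, mountpath: str, handle: str, expected_bits: int):
        self.path = os.path.join(mountpath, handle)
        self.expected_bits = expected_bits
        # (inode, size, mtime_ns) of the file version currently held.
        self._stamp: Optional[Tuple[int, int, int]] = None
        self._key = b""
        self.reloads = 0

    def current(self) -> bytes:
        """Re-read the file if it changed since the last call.

        The inode is part of the stamp because an atomic rotation (write a
        temp file, rename over the old one) yields a new inode even when the
        size and mtime happen to match the old file.
        """
        st = os.stat(self.path)
        stamp = (st.st_ino, st.st_size, st.st_mtime_ns)
        if stamp != self._stamp:
            with open(self.path, "rb") as f:
                key = f.read()
            if len(key) * 8 != self.expected_bits:
                raise ValueError(
                    f"{self.path}: expected {self.expected_bits}-bit key, "
                    f"got {len(key) * 8} bits"
                )
            self._key, self._stamp = key, stamp
            self.reloads += 1
        return self._key


def rotate_file(path: str, new_key: bytes) -> None:
    """Replace a key file atomically, as a mount refresh would be expected to do.

    Written here to simulate a rotation for the example; readers never see a
    half-written file because the rename is atomic on POSIX filesystems.
    """
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(new_key)
    os.replace(tmp, path)
```

Call current() each time a key is needed (or on each request) rather than once at startup; the stat() per call is cheap compared with any encryption it guards.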

Importing an existing key

terraform import bahriya_encryption_key.data_key <uuid>

Pricing

Encryption keys are billed at $0.02 per month while they exist in your organisation, plus $0.02 per region per month when attached to a project.