Encryption Keys
An encryption key stores a symmetric encryption key (for example an AES-256 key) in the Bahriya vault. The raw key material is encrypted at rest and delivered to your containers as a single file.
When to use an encryption key
- Your application encrypts or decrypts data at the application layer using a symmetric key
- You need a shared secret key across multiple containers or regions
- A service requires a pre-shared key for envelope encryption, data-at-rest encryption, or token signing
- You want to rotate encryption keys without redeploying your application
What Bahriya stores
When you upload an encryption key, Bahriya validates it and stores metadata alongside the encrypted material:
| Field | Description |
|---|---|
| Algorithm | The algorithm you declared (AES-128, AES-256, ChaCha20, etc.) |
| Key Size | Computed automatically from the decoded key length (in bits) |
| Format | How the key is encoded: base64, hex, or raw |
The raw key is never shown back in the console, API responses, or CLI output.
Mounting in containers
When you attach an encryption key to a container, you choose a mount path. The key file appears as:
```
<mount-path>/key    # The raw key material
```
Your application reads it from this path. For example, a service might reference /etc/secrets/enc/key.
Rotation
Rotation creates a new version of the key. The previous version is retained for rollback. After rotation:
- File-mounted containers pick up the new key automatically within about 60 seconds. No manual action needed.
- If you need to force a restart, use the Redeploy button on the Consumers panel.
- Algorithm and format do not change on rotation -- only the key material is replaced.
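One way an application could read the mounted key file and pick up a rotated key without a restart. This is an added example, not Bahriya's own code: it assumes the file at the mount path holds the key in the declared format (base64, hex, or raw) and that rotation changes the file's metadata; `decode_key`, `MountedKey` and `KEY_BYTES` are hypothetical names.

```python
import base64
import os
import tempfile

# Key lengths in bytes for the algorithms named on this page (assumed mapping).
KEY_BYTES = {"AES-128": 16, "AES-256": 32, "ChaCha20": 32}

def decode_key(data: bytes, fmt: str, algorithm: str) -> bytes:
    """Decode key file contents and check the length against the algorithm."""
    if fmt == "base64":
        key = base64.b64decode(data.strip(), validate=True)
    elif fmt == "hex":
        key = bytes.fromhex(data.strip().decode("ascii"))
    elif fmt == "raw":
        key = data  # no strip: raw key bytes may legitimately end in 0x0a
    else:
        raise ValueError(f"unknown format: {fmt}")
    want = KEY_BYTES.get(algorithm)
    if want is None or len(key) != want:
        raise ValueError(f"{algorithm}: unexpected key size {len(key) * 8} bits")
    return key

class MountedKey:
    """Re-reads the key file when it changes, so rotation needs no restart."""
    def __init__(self, path: str, fmt: str, algorithm: str):
        self.path, self.fmt, self.algorithm = path, fmt, algorithm
        self._stamp, self._key = None, None

    def get(self) -> bytes:
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_ino, st.st_size)
        if stamp != self._stamp:
            with open(self.path, "rb") as f:
                # Raises on a malformed file; the cached key is left untouched.
                self._key = decode_key(f.read(), self.fmt, self.algorithm)
            self._stamp = stamp
        return self._key

if __name__ == "__main__":
    # Constructed sample key written to a temp file standing in for the mount.
    path = os.path.join(tempfile.mkdtemp(), "key")
    with open(path, "wb") as f:
        f.write(base64.b64encode(bytes(range(32))))
    key = MountedKey(path, "base64", "AES-256")
    print(len(key.get()) * 8, "bit key loaded")  # never log the key itself
```

Data encrypted under the previous version still needs that version to decrypt, so an application that calls `get()` per operation should record which key version produced each ciphertext.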
Pricing
Encryption keys are billed at $0.02 per month while they exist, plus $0.02 per region per month when attached to a project.