By default, the following data is stored encrypted in the hybrid
runtime plane:
Key management system (KMS) data
Key-value map (KVM) data
Cache data
Data encryption does not require any special configuration on your part. However, if
for some reason you want to use your own encryption keys (replacing the default ones) you can
do so, as explained in this topic.
Encryption key scope
Encryption keys for KMS, KVM, and cache have scope. For example, KMS keys have organization
scope. This means that the key is used to encrypt KMS data for the entire organization.
The following table lists the scope for
each type of key:
Encryption key
Scope
KMS
Organization only
KVM
Organization or environment
If a KVM policy
specifies apiproxy or policy
(API proxy revision) scope, the organization
level key is used to encrypt the data. For a general overview of how KVMs are used in Apigee
Edge, see Working with key-value maps.
Cache
Environment only
About the default encryption keys
By default, Apigee hybrid provides a set of Base64-encoded keys that are used to
encrypt KVM, KMS, and cache data. The Apigee hybrid installer stores the keys in the
runtime plane as
Kubernetes
Secrets, and uses them to encrypt your data with AES-128 standard encryption.
The keys are under your control;
the hybrid management plane is never aware of them at any time.
Changing the default encryption keys
Although not required, you can change any of the default encryption keys if you wish.
To replace one or more default keys, follow these steps:
Copy the following stanzas into your overrides file.
This configuration lets you change the KMS and KVM encryption keys
for the organization level and the KVM and cache encryption keys for the environment level:
Generate a new key for each key you wish to replace. Each
key must be a Base64-encoded string that is exactly 16, 24, or 32 bytes long.
See also How to create an encoded
key.
Replace the default keys with new ones. In this example, all of the default keys are
replaced with keys:
If you were to remove the encryption keys in your overrides file the first
time you install Apigee hybrid, you would
effectively disable encryption and values would be stored unencrypted.
If at a later
time you enable encryption by providing keys,
exiting data remains unencrypted; however, any future data that is added will
be encrypted. The system
will continue working normally with the unencrypted data and the new encrypted
data.
Also, note that
you cannot later change the encryption keys
once the runtime data is encrypted.
How to create an encoded key
A properly formatted Base-64-encoded key is required for KVM, KMS, and cache encryption.
The key used for any of these purposes must be Base-64 encoded from a string that is 16, 24, or
32 bytes long, as explained in the following steps:
The following example commands generate suitable, randomly generated, 32 character,
Base64-encoded strings that do not include non-printable characters:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis documentation is for version 1.2 of Apigee hybrid, which is end-of-life and should be upgraded to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eApigee hybrid encrypts Key Management System (KMS), Key-Value Map (KVM), and cache data by default, without requiring any special configuration.\u003c/p\u003e\n"],["\u003cp\u003eEncryption keys for KMS, KVM, and cache data have different scopes, with KMS keys having organization scope, KVM keys having either organization or environment scope, and cache keys having environment scope.\u003c/p\u003e\n"],["\u003cp\u003eYou can replace the default encryption keys with your own during the initial installation of Apigee hybrid, but changing them after data encryption is not possible.\u003c/p\u003e\n"],["\u003cp\u003eTo change default keys, you have to generate a Base64-encoded string of 16, 24, or 32 bytes long and include it in the override files, and removing the encryption key in your overrides file will result in unencrypted data.\u003c/p\u003e\n"]]],[],null,["# Data encryption\n\n| You are currently viewing version 1.2 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nBy default, the following data is stored *encrypted* in the hybrid\nruntime plane:\n\n- Key management system (KMS) data\n- Key-value map (KVM) data\n- Cache data\n\n\nData encryption does not require any special configuration on your part. However, if\nfor some reason you want to use your own encryption keys (replacing the default ones) you can\ndo so, as explained in this topic.\n\nEncryption key scope\n--------------------\n\n\nEncryption keys for KMS, KVM, and cache have scope. For example, KMS keys have *organization*\nscope. This means that the key is used to encrypt KMS data for the entire organization.\nThe following table lists the scope for\neach type of key:\n\nAbout the default encryption keys\n---------------------------------\n\n\nBy default, Apigee hybrid provides a set of Base64-encoded keys that are used to\nencrypt KVM, KMS, and cache data. The Apigee hybrid installer stores the keys in the\nruntime plane as\n[Kubernetes\nSecrets](https://kubernetes.io/docs/concepts/configuration/secret/), and uses them to encrypt your data with AES-128 standard encryption.\nThe keys are under your control;\nthe hybrid management plane is never aware of them at any time.\n| The default keys will work for most use cases. If you want to change the default encryption keys, do so when you initially install Apigee hybrid into a new cluster. You cannot later change the encryption keys once the runtime data is encrypted.\n\nChanging the default encryption keys\n------------------------------------\n\n\nAlthough not required, you can change any of the default encryption keys if you wish.\nTo replace one or more default keys, follow these steps:\n\n1. Copy the following stanzas into your overrides file. This configuration lets you change the KMS and KVM encryption keys for the organization level and the KVM and cache encryption keys for the environment level: \n\n ```\n defaults:\n org:\n kmsEncryptionKey: base64-encoded-key\n kvmEncryptionKey: base64-encoded-key\n env:\n kvmEncryptionKey: base64-encoded-key\n cacheEncryptionKey: base64-encoded-key\n ```\n2. Generate a new key for each key you wish to replace. Each key must be a Base64-encoded string that is exactly **16, 24, or 32 bytes long** . See also [How to create an encoded\n key](#how-to-create-an-encoded-key).\n3. Replace the default keys with new ones. In this example, all of the default keys are replaced with keys: \n\n ```\n defaults:\n org:\n kmsEncryptionKey: \"JVpTb1FwI0otUHo2RUdRN3pnVyQqVGlMSEFAJXYmb1c=\"\n kvmEncryptionKey: \"T3VkRGM1U3cpOFgtNk9fMnNZU2NaSVA3I1BtZWxkaUU=\"\n env:\n kvmEncryptionKey: \"Q3h6M3R6OWdBeipxTURfKjQwQVdtTng2dU5mODFHcyE=\"\n cacheEncryptionKey: \"b2NTVXdKKjBzN0NORF9XSm9tWFlYKGJ6NUhpNystJVI=\"\n ```\n4. Apply the overrides file to your cluster.\n\nA note about backward compatibility\n-----------------------------------\n\n\nIf you were to remove the encryption keys in your overrides file the first\ntime you install Apigee hybrid, you would\neffectively disable encryption and values would be stored unencrypted.\nIf at a later\ntime you enable encryption by providing keys,\nexiting data remains unencrypted; however, any future data that is added will\nbe encrypted. The system\nwill continue working normally with the unencrypted data and the new encrypted\ndata.\n\n\nAlso, note that\nyou cannot later change the encryption keys\nonce the runtime data is encrypted.\n\nHow to create an encoded key\n----------------------------\n\n| NOTE: You must generate your key from ASCII characters. Apigee hybrid does not support using non-printable characters, such as characters generated using the openssl random command.\n\n\nA properly formatted Base-64-encoded key is required for KVM, KMS, and cache encryption.\nThe key used for any of these purposes must be Base-64 encoded from a string that is 16, 24, or\n32 bytes long, as explained in the following steps:\n| The key string length requirement exists because the [Advanced\n| Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) (AES) cipher works on a block size of 128 bits, but can take three different key lengths: 128, 192, and 256 bits (16, 24, or 32 bytes).\n\n\nThe following example commands generate suitable, randomly generated, 32 character,\nBase64-encoded strings that do not include non-printable characters: \n\n```\nLC_ALL=C tr -dc A-Za-z0-9_\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\\\-+= \u003c /dev/urandom | head -c 32 | openssl base64\nPSFvX0BPc1Z2NVklcXdxcF8xR0N4MV4temFveStITU4=\n```\n\n\nor \n\n```\nLC_ALL=C tr -dc \"[:print:]\" \u003c /dev/urandom | head -c 32 | openssl base64\n```"]]
