Settings

Queryable Encryption

The following DATABASES inner options support configuration of Key Management Service (KMS) credentials for Queryable Encryption.

KMS_CREDENTIALS

Default: {} (empty dictionary)

A dictionary of Key Management Service (KMS) credential key-value pairs. These credentials are required to access your KMS provider (such as AWS KMS, Azure Key Vault, or GCP KMS) for encrypting and decrypting data using Queryable Encryption.

For example after Configuring Queryable Encryption, to configure AWS KMS, Azure Key Vault, or GCP KMS credentials, you can set KMS_CREDENTIALS in your DATABASES settings as follows:

DATABASES["encrypted"]["KMS_CREDENTIALS"] = {
    "aws": {
        "key": os.getenv("AWS_KEY_ARN", ""),
        "region": os.getenv("AWS_KEY_REGION", ""),
    },
    "azure": {
        "key": os.getenv("AZURE_KEY_VAULT_URL", ""),
        "client_id": os.getenv("AZURE_CLIENT_ID", ""),
        "client_secret": os.getenv("AZURE_CLIENT_SECRET", ""),
    },
    "gcp": {
        "key": os.getenv("GCP_KEY_NAME", ""),
        "project_id": os.getenv("GCP_PROJECT_ID", ""),
    },
}