How to check if an encryption key (CMK) is attached to an existing Heroku Postgres database?


I'm trying to find out if the Heroku Postgres database created on my app is encrypted with a Customer Master Key (CMK) using AWS KMS.


Heroku Postgres allows functionality to use AWS Key Management Service (KMS) to create a Customer Master Key (CMK) at the time of add-on creation for encryption in Private and Shield Spaces. More details here:

If a Heroku Postgres was created with an encryption key, an additional option Customer Encryption Key can be seen in the output of the command heroku pg:info:

Customer Encryption Key: arn:aws:kms:<region>-<az>-x:xxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

For all other Heroku Postgres databases created without this key, the above details are not available.

This should help in identifying if encryption was used while creating the addon.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support