Customer-Managed Keys for Azure CosmosDB & Container Registry

Raju RH
2 min read · Jul 12, 2020


In May 2020, as part of the Microsoft Build conference, several key announcements were made for Microsoft Azure services. In this blog post I will cover the updates related to customer-managed keys, which became generally available (GA) for two Azure services: Cosmos DB and Azure Container Registry.

What is a customer-managed key?

By default, the various resource providers in Azure implement encryption at rest. This default encryption at rest uses service-managed keys, which Microsoft manages internally. In some scenarios, however, customers want to control these keys themselves; that is where customer-managed keys come into the picture. The two Azure services discussed in this post now have this capability (GA).

Note: customer-managed keys must be stored in Azure Key Vault.

Customer-managed keys for Cosmos DB

Customer-managed keys give users full control over the keys Azure Cosmos DB uses to encrypt their data at rest. With Cosmos DB your data is always encrypted with service-managed keys; choosing a customer-managed key adds a second layer of encryption on top of that.

Image source: Microsoft Documentation

As mentioned above, customer-managed keys must be stored in Azure Key Vault. When provisioning Cosmos DB, the customer-managed key in the Encryption step is optional: it is used only if you want to use your own key for an additional layer of encryption.

There is no additional charge for enabling a customer-managed key. With a customer-managed key, however, Request Unit consumption increases slightly to support the additional layer of encryption and decryption of your data.

If you come from AWS, this feature is similar to DynamoDB using the AWS Key Management Service. How cool that we now have a similar feature in Azure.

Things to know:

  • Currently, customer-managed keys are available only for new Azure Cosmos DB accounts. You can configure them only while provisioning the Cosmos DB account.
  • Customer-managed keys must be stored in Azure Key Vault.

Customer-managed keys for Azure Container Registry (ACR)

Customer-managed keys for Azure Container Registry are now available for new registries. Using your own key stored in Azure Key Vault lets you encrypt your images and artifacts. A customer-managed key is an additional encryption layer on top of the service-managed keys.

As mentioned above, customer-managed keys must be stored in Azure Key Vault. This feature is available on the Premium container registry service tier.

Things to know:

  • Currently, a customer-managed key can be enabled only when you create a new registry.
  • Customer-managed keys must be stored in Azure Key Vault.
  • After a customer-managed key is enabled, it can't be disabled.
  • If you have enabled a customer-managed key, the content trust feature is not supported on the registry.
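To turn the constraints from both "Things to know" lists (Cosmos DB and ACR) into a check, here is an added audit example that is not part of the original post. It walks over constructed resource descriptors shaped like the ARM / `az ... show` JSON of each service and reports accounts and registries that still rely on service-managed keys only; the property names (`keyVaultKeyUri`, `encryption.keyVaultProperties.keyIdentifier`, `policies.trustPolicy`) are assumed to match the ARM schema, and the Key Vault URLs are placeholders.

```python
"""Audit Cosmos DB and ACR resource descriptors for customer-managed keys (CMK)."""
from typing import Dict, List

# Constructed sample descriptors shaped like the ARM / `az ... show` JSON of each
# resource type; field names are assumed to match the ARM property names.
COSMOS_ACCOUNTS: List[Dict] = [
    {"name": "orders-db", "properties": {
        "keyVaultKeyUri": "https://kv-example.vault.azure.net/keys/cosmos-cmk"}},
    {"name": "legacy-db", "properties": {"keyVaultKeyUri": None}},
]
REGISTRIES: List[Dict] = [
    {"name": "acrprod", "sku": {"name": "Premium"}, "properties": {
        "encryption": {"status": "enabled", "keyVaultProperties": {
            "keyIdentifier": "https://kv-example.vault.azure.net/keys/acr-cmk"}},
        "policies": {"trustPolicy": {"status": "disabled"}}}},
    {"name": "acrdev", "sku": {"name": "Basic"}, "properties": {
        "encryption": {"status": "disabled"},
        "policies": {"trustPolicy": {"status": "enabled"}}}},
]

def audit_cosmos(accounts: List[Dict]) -> List[str]:
    """Flag accounts that rely on service-managed keys only (no Key Vault key URI)."""
    findings = []
    for acct in accounts:
        if not acct.get("properties", {}).get("keyVaultKeyUri"):
            findings.append(f"{acct['name']}: no customer-managed key; "
                            "CMK can only be chosen when the account is created")
    return findings

def audit_acr(registries: List[Dict]) -> List[str]:
    """Flag registries without CMK, noting the tier and content-trust constraints."""
    findings = []
    for reg in registries:
        props = reg.get("properties", {})
        enc = props.get("encryption", {})
        has_cmk = (enc.get("status") == "enabled"
                   and bool(enc.get("keyVaultProperties", {}).get("keyIdentifier")))
        if has_cmk:
            continue  # CMK cannot be disabled later, so an enabled registry stays compliant
        msg = f"{reg['name']}: customer-managed key not enabled (needs a new registry)"
        if reg.get("sku", {}).get("name") != "Premium":
            msg += "; CMK requires the Premium tier"
        if props.get("policies", {}).get("trustPolicy", {}).get("status") == "enabled":
            msg += "; content trust is on and is unsupported on a CMK registry"
        findings.append(msg)
    return findings

if __name__ == "__main__":
    for line in audit_cosmos(COSMOS_ACCOUNTS) + audit_acr(REGISTRIES):
        print(line)
```

In practice you would feed the functions the parsed output of `az cosmosdb list` and `az acr list` instead of the constructed samples.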

Originally published at https://rajurh.blogspot.com on July 12, 2020.
