1. Verify the object is operational by performing a task, such as query an index that's been encrypted.
286
+
285
287
Once you create the encrypted object on the search service, you can use it as you would any other object of its type. Encryption is transparent to the user and developer.
286
288
287
289
None of these key vault details are considered secret and could be easily retrieved by browsing to the relevant Azure Key Vault page in Azure portal.
288
290
289
291
> [!Important]
290
292
> Encrypted content in Azure AI Search is configured to use a specific Azure Key Vault key with a specific *version*. If you change the key or version, the object must be updated to use it **before** you delete the previous one. Failing to do so renders the object unusable. You won't be able to decrypt the content if the key is lost.
291
293
294
+
## Step 5: Test encryption
295
+
296
+
To verify encryption is working, revoke the encryption key, query the index (it should be unusable), and then reinstate the encryption key.
297
+
298
+
Use the Azure portal for this task.
299
+
300
+
1. On the Azure Key Vault page, select **Objects** > **Keys**.
301
+
302
+
1. Select the key you just created, and then select **Delete**.
303
+
304
+
1. On the Azure AI Search page, select **Search management** > **Indexes**.
305
+
306
+
1. Select your index and use Search Explorer to run a query. You should get an error.
307
+
308
+
1. Return to the Azure Key Vault **Objects** > **Keys** page.
309
+
310
+
1. Select **Manage deleted keys**.
311
+
312
+
1. Select your key, and then select **Recover**.
313
+
314
+
1. Return to your index in Azure AI Search and rerun the query. You should see search results.
315
+
292
316
## Set up a policy to enforce CMK compliance
293
317
294
318
Azure policies help to enforce organizational standards and to assess compliance at-scale. Azure AI Search has an optional [built-in policy for service-wide CMK enforcement](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F76a56461-9dc0-40f0-82f5-2453283afa2f).
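Review bot: The new Step 5 tells the reader "You should get an error" immediately after deleting the key, but the article's own text (visible in the next hunk header) says the search service caches the key for performance reasons, so a query run right away may still succeed and the reader may wrongly conclude that encryption isn't working. Suggest adding a sentence to that step saying the error can be delayed while the cached key is still in use, and likewise that results may not return instantly after **Recover**. Two smaller points: the intro says "revoke the encryption key" while the steps actually delete and recover it, so pick one term; and since the Important note just above warns that the object becomes unusable if the key is lost, it would be worth stating that this test should be run against a non-production index.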
@@ -341,11 +365,13 @@ For performance reasons, the search service caches the key for up to several hou
341
365
342
366
With customer-managed key encryption, you might notice latency for both indexing and queries due to the extra encrypt/decrypt work. Azure AI Search doesn't log encryption activity, but you can monitor key access through key vault logging.
343
367
344
-
We recommend that you [enable logging](/azure/key-vault/general/logging) as part of key vault configuration.
368
+
We reommend that you [enable logging](/azure/key-vault/general/logging) as part of key vault configuration.
345
369
346
370
1.[Create a log analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
347
371
348
-
1.[Add a diagnostic setting in key vault](/azure/key-vault/general/howto-logging) that uses the workspace for data retention.
372
+
1.[Add a diagnostic setting in key vault](/azure/key-vault/general/howto-logging) that uses the workspace for data retention.
373
+
374
+
1. Select **audit** or **allLogs** for the category, give the diagnostic setting a name, and then save it.
349
375
350
376
## Python example of an encryption key configuration
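Review bot: The replacement line introduces a typo: "We reommend that you [enable logging]" should read "We recommend", as the removed line did. The second changed line ("Add a diagnostic setting in key vault") looks textually identical to the line it replaces, so if it is a whitespace-only change it could be dropped from the diff. The added step "Select **audit** or **allLogs** for the category" is a useful addition; consider saying which of the two categories is enough to see the key access this section is about, so readers don't have to guess.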