You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Customer-managed keys for encryption with Azure AI Foundry
20
20
21
-
Customer-managed key (CMK) encryption in [Azure AI Foundry](https://ai.azure.com/?cid=learnDocs) provides enhanced control over the encryption of your data. By using CMKs, you can manage your own encryption keys to add an extra layer of protection and meet compliance requirements more effectively.
21
+
Customer-managed key (CMK) encryption in [Azure AI Foundry](https://ai.azure.com/?cid=learnDocs) provides enhanced control over the encryption of your data. By using CMK, you can manage your own encryption keys to add an extra layer of protection and meet compliance requirements more effectively.
22
22
23
23
## About encryption in Azure AI Foundry
24
24
25
25
Azure AI Foundry is a service in the Azure cloud. By default, Azure services use Microsoft-managed encryption keys to encrypt data in transit and at rest.
26
26
27
27
::: zone pivot="hub-project"
28
28
29
-
When you use hub-based projects, the Azure AI hub resource acts as a gateway to multiple Azure services, including Azure AI hub, Azure Storage, and Azure AI Foundry resources. You must configure CMK encryption on each of these services to use CMK encryption throughout with Azure AI Foundry.
29
+
When you use hub-based projects, the Azure AI Hub resource acts as a gateway to multiple Azure services, including Azure AI Hub, Azure Storage, and Azure AI Foundry resources. You must configure CMK encryption on each of these services to use CMK encryption throughout with Azure AI Foundry.
30
30
31
-
* Azure AI hub resources and [!INCLUDE [hub](../includes/hub-project-name.md)] resources are implementations of the Azure Machine Learning workspace and encrypt data in transit and at rest. For more information, see [Data encryption with Azure Machine Learning](../../machine-learning/concept-data-encryption.md).
31
+
* Azure AI Hub resources and [!INCLUDE [hub](../includes/hub-project-name.md)] resources are implementations of the Azure Machine Learning workspace and encrypt data in transit and at rest. For more information, see [Data encryption with Azure Machine Learning](../../machine-learning/concept-data-encryption.md).
32
32
* Azure AI Foundry resources data is encrypted and decrypted by using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2)-compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, which means that encryption and access are managed for you. Your data is secure by default, and you don't need to modify your code or applications to take advantage of encryption.
33
33
* Azure Storage accounts are used to store uploaded data when you use the Azure AI Foundry portal and tools. For more information on how to set up CMK encryption, see [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview).
34
34
@@ -44,16 +44,16 @@ On your Azure AI Foundry resource, data is encrypted and decrypted by using [FIP
44
44
> If you [connect Azure AI Foundry with other Azure tools](../how-to/connections-add.md), we recommend that you configure CMK encryption on every other Azure resource to optimize security.
45
45
46
46
::: zone pivot="hub-project"
47
-
## Data storage options with Azure AI hub CMK encryption
47
+
## Data storage options with Azure AI Hub CMK encryption
48
48
49
-
Two architecture options are available when you use CMKs with Azure AI hubs:
49
+
Two architecture options are available when you use CMKs with Azure AI Hub:
50
50
51
51
***(Recommended) Encrypted data is stored in a Microsoft subscription**
52
52
53
53
Data is stored service side on Microsoft-managed resources instead of in managed resources in your subscription. Metadata is stored in multitenant resources by using document-level CMK encryption. An Azure AI Search instance is hosted in the Microsoft-subscription per customer, for each hub, to provide data isolation of encrypted data. We recommend that you use this option for any new deployments.
54
54
***(Legacy) Encrypted data is stored in your subscription**
55
55
56
-
Traditionally, on the Machine Learning platform (on which the Azure AI hub resource is built), data is stored in your subscription by using a Microsoft-managed resource group. The group includes an Azure Storage account, an Azure Cosmos DB resource, and Azure AI Search. You can't modify the configuration of these resources because the changes aren't supported.
56
+
Traditionally, on the Machine Learning platform (on which the Azure AI Hub resource is built), data is stored in your subscription by using a Microsoft-managed resource group. The group includes an Azure Storage account, an Azure Cosmos DB resource, and Azure AI Search. You can't modify the configuration of these resources because the changes aren't supported.
57
57
58
58
> [!IMPORTANT]
59
59
> This option is available for backward compatibility. We don't recommend it for new workloads.
@@ -112,7 +112,7 @@ CMK encryption is configured via the Azure portal (or alternatively via infrastr
112
112
113
113
1. Create a new Azure resource in the Azure portal.
114
114
1. On the **Encryption** tab, select your encryption key.
115
-
1. For an Azure AI hub, select or clear **Use service-side encryption** to select your preferred data storage option. We recommend service-side encryption for any new workload.
115
+
1. For Azure AI Hub, select or clear **Use service-side encryption** to select your preferred data storage option. We recommend service-side encryption for any new workload.
116
116
117
117
:::image type="content" source="../../machine-learning/media/concept-customer-managed-keys/cmk-service-side-encryption.png" alt-text="Screenshot that shows the Encryption tab with the option for service-side encryption selected." lightbox="../../machine-learning/media/concept-customer-managed-keys/cmk-service-side-encryption.png":::
118
118
@@ -126,7 +126,7 @@ You can rotate a CMK in Key Vault according to your compliance policies. When th
126
126
127
127
***Same key vault requirement**: You can rotate encryption keys only to another key within the same Key Vault instance. Cross-vault key rotation isn't supported.
128
128
***Scope of rotation**: The new key must be compatible with the existing encryption configuration. Ensure that the new key is properly configured with the necessary access policies and permissions.
129
-
***Update from customer managed to Microsoft managed**: When an Azure AI Foundry resource or Azure AI hub is created, you can update from Microsoft-managed keys to CMKs. You can't switch back from CMKs to Microsoft-managed keys.
129
+
***Update from customer managed to Microsoft managed**: When an Azure AI Foundry resource or an Azure AI hub is created, you can update from Microsoft-managed keys to CMKs. You can't switch back from CMKs to Microsoft-managed keys.
*[Bicep sample for CMK encryption for an Azure AI Foundry resource](https://github.com/azure-ai-foundry/foundry-samples/tree/main/samples/microsoft/infrastructure-setup/30-customer-managed-keys)
184
184
*[Bicep sample for CMK encryption for Azure an AI Foundry resource and agent service standard setup](https://github.com/azure-ai-foundry/foundry-samples/tree/main/samples/microsoft/infrastructure-setup/31-customer-managed-keys-standard-agent)
185
-
*[Bicep sample for CMK encryption for an Azure AI hub](https://github.com/azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-cmk-service-side-encryption).
185
+
*[Bicep sample for CMK encryption for Azure AI Hub](https://github.com/azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-cmk-service-side-encryption).
0 commit comments