articles/ai-foundry/concepts/encryption-keys-portal.md
4 additions & 7 deletions
@@ -88,6 +88,7 @@ You must use Azure Key Vault to store your customer-managed keys. You can either
88
88
- You must enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
89
89
- If you use the [Key Vault firewall](/azure/key-vault/general/access-behind-firewall), you must allow trusted Microsoft services to access the key vault.
90
90
- You must grant your [!INCLUDE [fdp](../includes/fdp-project-name.md)] system-assigned managed identity the following permissions on your key vault: *get key*, *wrap key*, *unwrap key*.
91
+
- Only RSA and RSA-HSM keys of size 2048 are supported. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets, and certificates](/azure/key-vault/general/about-keys-secrets-certificates).
91
92
92
93
::: zone-end
93
94
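Review bot: The added bullet "Only RSA and RSA-HSM keys of size 2048 are supported" gives the key size without a unit and does not say what happens when a key of another size is selected. Suggest "2048-bit RSA and RSA-HSM keys" and one clause on whether an unsupported key is rejected at configuration time. The identical sentence is added again in the hub zone in the next hunk, so a shared include (like the existing `fdp-project-name.md` include on the line above) would keep the two copies from drifting.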
@@ -99,12 +100,8 @@ To enable customer-managed keys, the key vault containing your keys must meet th
99
100
100
101
- You must enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
101
102
- If you use the [Key Vault firewall](/azure/key-vault/general/access-behind-firewall), you must allow trusted Microsoft services to access the key vault.
102
-
- You must grant your hub and Azure AI Services resource's system-assigned managed identity the following permissions on your key vault: *get key*, *wrap key*, *unwrap key*.
103
-
104
-
The following limitations hold for Azure AI Foundry:
105
-
- Only Azure Key Vault with [legacy access policies](/azure/key-vault/general/assign-access-policy) are supported.
106
-
- Only RSA and RSA-HSM keys of size 2048 are supported with Azure AI services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets, and certificates](/azure/key-vault/general/about-keys-secrets-certificates).
107
-
- Updates from Customer-Managed keys to Microsoft-managed keys are currently not supported for project sub-resources. Projects will keep referencing your encryption keys if updated.
103
+
- You must grant your hub and Azure AI Foundry resource's system-assigned managed identity the following permissions on your key vault: *get key*, *wrap key*, *unwrap key*.
104
+
- Only RSA and RSA-HSM keys of size 2048 are supported. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets, and certificates](/azure/key-vault/general/about-keys-secrets-certificates).
108
105
109
106
### Enable your Azure AI Foundry resource's managed identity
110
107
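Review bot: The removal of "Only Azure Key Vault with legacy access policies are supported" leaves the surviving bullet asking for *get key*, *wrap key*, *unwrap key* on the key vault without naming the permission model those are granted under. If the restriction still holds, keep it directly after the permissions bullet; if it has been lifted, say so and describe how the same three permissions are granted otherwise, since a reader with a vault on a different model will otherwise hit an access failure with no hint why. The removed sentence "Projects will keep referencing your encryption keys if updated" also has no counterpart in this hunk; that behaviour matters to anyone planning key rotation or revocation and should stay documented somewhere in this section. The rename from "Azure AI Services resource's" to "Azure AI Foundry resource's" looks fine.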
@@ -188,7 +185,7 @@ How to Rotate Encryption Keys
188
185
## Limitations
189
186
190
187
* The customer-managed key for encryption can only be updated to keys in the same Azure Key Vault instance.
191
-
*After deployment, you can't switch from Customer-managed keys to Microsoft managed keys.
188
+
*While project sub-resources exist, you can't switch AI Foundry resources from Customer-managed keys to Microsoft managed keys.
192
189
*[Azure AI Foundry Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is required to use customer-managed keys in combination with Azure Speech and Content Moderator capabilities.
193
190
*[Azure AI Foundry Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is required for Speech and Content Moderator.
194
191
* If your AI Foundry resource is in a soft-deleted state, any additional Azure charges will continue to accrue during the soft delete retention period.
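Review bot: The new limitation "While project sub-resources exist, you can't switch AI Foundry resources from Customer-managed keys to Microsoft managed keys" implies the switch becomes possible once the projects are removed, but never says so, and does not say what happens to data already encrypted under the customer key. State the supported path explicitly (for example, that projects must be deleted first) or say plainly that there is none. Two smaller points on the same line: it keeps the `*While` form with no space after the asterisk, unlike "* The customer-managed key ..." above it, so it may not render as a list item; and "Microsoft managed keys" is unhyphenated where the text removed in the previous hunk used "Microsoft-managed keys". The two unchanged request-form bullets that follow say nearly the same thing and could be merged while this list is being edited.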