articles/backup/encryption-at-rest-with-cmk-for-backup-vault.md
Lines changed: 7 additions & 7 deletions
@@ -47,19 +47,19 @@ Before you enable encryption on a Backup vault, review the following requirement
47
47
48
48
### Known limitation
49
49
50
-
If you delete the key vault/MHSM key used for encryption settings, the delete Backup Vault operation will fail.
50
+
If you delete the key vault/MHSM key used for encryption settings, the delete Backup Vault operation might fail.
51
51
52
52
>[!Note]
53
-
>- Before performing the delete vault operation on a vault with encryption settings enabled, ensure that the encryption settings details, such as the managed identity, are attached to the vault and have the necessary permissions to access the key vault/MHSM key.
54
-
>- Also, ensure that the key vault/MHSM key (if used) exists. If the key is deleted, you can recover it from the soft deleted state. Learn about the [troubleshooting steps](#troubleshoot-operation-errors-for-encryption-settings).
53
+
>- Before performing the delete vault operation on a vault with encryption settings enabled, ensure that the encryption settings details, such as the managed identity, is attached to the vault and have the necessary permissions to access the key vault/MHSM key.
54
+
>- Also, ensure that the key vault/MHSM key exists. If the key is deleted, you can recover it from the soft deleted state. Learn about the [troubleshooting steps](#troubleshoot-operation-errors-for-encryption-settings).
55
55
56
56
## Considerations
57
57
58
58
Before you enable encryption on a Backup vault, review the following considerations:
59
59
60
60
- After you enable encryption by using CMKs for a Backup vault, you can't revert to using PMKs (the default). You can change the encryption keys or the managed identity to meet requirements.
61
61
62
-
-A CMK is applied on the Azure Backup storage vault and vault-archive tiers. It isn't applicable for the operational tier.
62
+
- CMK is applied on the Azure Backup storage vault and vault-archive tiers. It isn't applicable for the operational tier.
63
63
64
64
- Moving a CMK-encrypted Backup vault across resource groups and subscriptions isn't currently supported.
65
65
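Review bot: The first bullet of the note now has a subject-verb mismatch: "the encryption settings details, such as the managed identity, is attached to the vault and have the necessary permissions" pairs "is" with "have", and the subject "details" is plural, so the original "are attached" was correct. Either revert to "are" or restructure around the identity, for example "ensure that the managed identity is attached to the vault and has the necessary permissions to access the key vault/MHSM key". Separately, in the Known limitation sentence, changing "will fail" to "might fail" leaves the reader unable to tell when the delete succeeds; state the condition (key deleted and not recovered, or identity missing permissions) so an operator can check it before attempting the delete. The second bullet also drops "(if used)", which makes key existence read as a requirement in every case; confirm that is intended.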
@@ -71,7 +71,7 @@ Before you enable encryption on a Backup vault, review the following considerati
71
71
72
72
- Encryption settings use the Azure Key Vault key and the Backup vault's managed identity details.
73
73
74
-
If the key or key vault that you're using is deleted or access is revoked and can't be restored, you'll lose access to the data stored in the Backup vault. Also, ensure that you have appropriate permissions to provide and update managed identity, Backup vault, and key vault details.
74
+
If the key or Key Vault that you're using is deleted or access is revoked and can't be restored, you'll lose access to the data stored in the Backup vault. Also, ensure that you have appropriate permissions to provide and update managed identity, Backup vault, and key vault details.
75
75
76
76
- Vaults that use user-assigned managed identities for CMK encryption don't support the use of private endpoints for Azure Backup.
77
77
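Review bot: The capitalisation is now inconsistent within the changed paragraph: it opens with "the key or Key Vault that you're using" but ends with "managed identity, Backup vault, and key vault details". Pick one form for the generic resource and use it in both places (the rest of the file, including the Known limitation section, uses lowercase "key vault"). Since this paragraph is the data-loss warning, it would also help to link it to the troubleshooting steps the earlier note references for recovering a key from the soft deleted state, so the reader sees the recovery path next to the risk.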
@@ -99,15 +99,15 @@ To enable the encryption, follow these steps:
99
99
100
100
3. To specify the key to be used for encryption, select the appropriate option.
101
101
102
-
To enable autorotation of the encryption key used for the Backup vault, choose **Select from Key Vault**. Or run the version component from the key URI by selecting **Enter key URI**. [Learn more about autorotation](encryption-at-rest-with-cmk.md#enable-autorotation-of-encryption-keys).
102
+
To enable autorotation of the encryption key version used for the Backup vault, choose **Select from Key Vault**. Or remove the version component from the key URI by selecting **Enter key URI**. [Learn more about autorotation](encryption-at-rest-with-cmk.md#enable-autorotation-of-encryption-keys).
103
103
104
104
4. Provide the URI for the encryption key. You can also browse and select the key.
105
105
106
106
:::image type="content" source="./media/encryption-at-rest-with-cmk-for-backup-vault/add-key-uri.png" alt-text="Screenshot that shows the option for using a customer-managed key and encryption key details." lightbox="./media/encryption-at-rest-with-cmk-for-backup-vault/add-key-uri.png":::
107
107
108
108
5. Add the user-assigned managed identity to manage encryption with CMKs.
109
109
110
-
During the vault creation, only *user-assigned managed identities* can be used for CMK. To add CMK with system-assigned managed identity, update the vault properties after creating the vault.
110
+
During the vault creation, only *user-assigned managed identities* can be used for CMK. To use CMK with system-assigned managed identity, update the vault properties after creating the vault.
111
111
6. To enable encryption on the backup storage infrastructure, select **Infrastructure Encryption**.
112
112
113
113
You can enable this only on a new vault during the encryption using Customer-Managed Keys (CMK).
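Review bot: In step 3, "Or remove the version component from the key URI by selecting **Enter key URI**" still reads as if selecting the option performs the removal. The fix from "run" to "remove" is right, but the sentence should say what the user does, for example "Or select **Enter key URI** and provide the key URI without the version component." It would also be worth stating what happens when a URI that includes the version component is entered, because the text only implies that autorotation is not enabled in that case. In step 5, "To use CMK with system-assigned managed identity" is missing an article ("a system-assigned managed identity").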