articles/container-registry/container-registry-customer-managed-keys.md
7 additions & 2 deletions
@@ -8,9 +8,9 @@ ms.custom:
8
8
9
9
# Encryption using customer-managed keys
10
10
11
-
When you store images and other artifacts in an Azure container registry, Azure automatically encrypts the registry content at rest with [service-managed keys](../security/fundamentals/encryption-atrest.md#data-encryption-models). You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. This article walks you through the steps using the Azure CLI and the Azure portal.
11
+
When you store images and other artifacts in an Azure container registry, Azure automatically encrypts the registry content at rest with [service-managed keys](../security/fundamentals/encryption-atrest.md#data-encryption-models). You can supplement default encryption with an additional encryption layer using a key that you create and manages in Azure Key Vault. This article walks you through the steps using the Azure CLI and the Azure portal.
12
12
13
-
Server-side encryption with customer-managed keys is supported through integration with [Azure Key Vault](../key-vault/key-vault-overview.md). You can create your own encryption keys and store them in a key vault, or you can use Azure Key Vault's APIs to generate encryption keys. With Azure Key Vault, you can also audit key usage.
13
+
Server-side encryption with customer-managed keys is supported through integration with [Azure Key Vault](../key-vault/key-vault-overview.md). You can create your own encryption keys and store them in a key vault, or use Azure Key Vault's APIs to generate encryption keys. With Azure Key Vault, you can also audit key usage.
14
14
15
15
This feature is available in the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry SKUs](container-registry-skus.md).
16
16
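Review bot: the replacement for the first paragraph introduces a grammatical error where the original was correct: `a key that you create and manage in Azure Key Vault` becomes `a key that you create and manages in Azure Key Vault`. Both verbs share the subject "you", so the line should keep `create and manage`; the second paragraph's tightening to `or use Azure Key Vault's APIs` is fine as is.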
@@ -384,6 +384,11 @@ az keyvault delete-policy \
384
384
385
385
Revoking the key effectively blocks access to all registry data, since the registry can't access the encryption key. If access to the key is enabled or the deleted key is restored, your registry will pick the key so you can again access the encrypted registry data.
386
386
387
+
## Advanced scenarios
388
+
389
+
* **System-assigned identity** - You can use a registry's system-assigned managed identity to access the key vault for encryption keys. To use the system-assigned identity, you must first enable both a user-assigned identity and the system-assigned identity when creating the registry. Then, configure the system-assigned identity with key vault access. Then, update the registry's encryption key to use the system-assigned identity.
390
+
* **Key Vault firewall** - If your Azure key vault is deployed in a virtual network with a Key Vault firewall, you must configure the key vault to allow access by any [trusted service](../key-vault/key-vault-overview-vnet-service-endpoints.md#trusted-services). See [Configure Azure Key Vault firewalls and virtual networks](../key-vault/key-vault-network-security.md). In this case, key vault access for registry encryption is only possible with a registry's system-assigned identity.
391
+
387
392
## Next steps
388
393
389
394
* Learn more about [encryption at rest in Azure](../security/fundamentals/encryption-atrest.md).
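Review bot: the **System-assigned identity** bullet chains two sentences that both open with `Then,`; merge them into a single ordered sequence (enable both identities when creating the registry, grant the system-assigned identity key vault access, update the registry's encryption key to use it). The bullet also leaves the reader with two identities and no guidance on the user-assigned one after the switch; since that identity was granted key vault access for the initial setup, say whether its access can or should be removed once the registry uses the system-assigned identity, so an unused principal is not left with permissions on the key. In the **Key Vault firewall** bullet, `allow access by any trusted service` is easy to read as granting every trusted service access; wording it along the lines of the linked section title (`allow access by trusted services`) is clearer, and it is worth repeating here what the key-vault table's note in the other hunk states, that the relevant Key Vault access policies must still be set for the registry identity; the firewall allowance does not replace them.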
articles/key-vault/key-vault-overview-vnet-service-endpoints.md
1 addition & 0 deletions
@@ -73,6 +73,7 @@ Here's a list of trusted services that are allowed to access a key vault if the
73
73
|Azure Event Hubs|[Allow access to a key vault for customer-managed keys scenario](https://docs.microsoft.com/azure/event-hubs/configure-customer-managed-key)|
74
74
|Azure Service Bus|[Allow access to a key vault for customer-managed keys scenario](https://docs.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key)|
75
75
|Azure Import/Export| [Use customer-managed keys in Azure Key Vault for Import/Export service](https://docs.microsoft.com/azure/storage/common/storage-import-export-encryption-key-portal)
76
+
|Azure Container Registry|[Registry encryption using customer-managed keys](../container-registry/container-registry-customer-managed-keys.md)
76
77
77
78
> [!NOTE]
78
79
> You must set up the relevant Key Vault access policies to allow the corresponding services to get access to Key Vault.
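Review bot: the added table row lacks the closing `|` that the Event Hubs and Service Bus rows have, and it uses a relative link (`../container-registry/container-registry-customer-managed-keys.md`) where every other visible row uses an absolute `https://docs.microsoft.com/azure/...` URL; align on one convention for the cell terminator and the link style. The Import/Export row directly above has the same missing `|`, so this hunk copies an existing inconsistency rather than fixing it; if you touch the row, fix both.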