|
| 1 | +--- |
| 2 | +title: Create and manage Azure Database for PostgreSQL - Flexible Server with data encrypted by Customer Managed Keys using Azure Portal |
| 3 | +description: Create and manage Azure Database for PostgreSQL - Flexible Server with data encrypted by Customer Managed Keys using Azure Portal |
| 4 | +author: gennadNY |
| 5 | +ms.author: gennadyk |
| 6 | +ms.service: postgresql |
| 7 | +ms.subservice: flexible-server |
| 8 | +ms.topic: how-to |
| 9 | +ms.date: 12/12/2022 |
| 10 | +--- |
| 11 | +# Create and manage Azure Database for PostgreSQL - Flexible Server with data encrypted by Customer Managed Keys (CMK) using Azure portal |
| 12 | + |
| 13 | +[!INCLUDE [applies-to-postgresql-flexible-server](../includes/applies-to-postgresql-flexible-server.md)] |
| 14 | + |
| 15 | +In this article, you learn how to create and manage Azure Database for PostgreSQL - Flexible Server with data encrypted by Customer Managed Keys using Azure portal. To learn more about Customer Managed Keys (CMK) feature with Azure Database for PostgreSQL - Flexible Server, see the [overview](concepts-data-encryption.md). |
| 16 | + |
| 17 | +## Setup Customer Managed Key during Server Creation |
| 18 | +Prerequisites: |
| 19 | + |
| 20 | +- Azure Active Directory (Azure AD) user managed identity in region where Postgres Flex Server will be created. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity. |
| 21 | + |
| 22 | +- Key Vault with key in region where Postgres Flex Server will be created. Follow this [tutorial](../../key-vault/general/quick-create-portal.md) to create Key Vault and generate key. Follow [requirements section in concepts doc](concepts-data-encryption.md) for required Azure Key Vault settings |
| 23 | + |
| 24 | +Follow the steps below to enable CMK while creating Postgres Flexible Server using Azure portal. |
| 25 | + |
| 26 | +1. Navigate to Azure Database for PostgreSQL - Flexible Server create pane via Azure portal |
| 27 | + |
| 28 | +2. Provide required information on Basics and Networking tabs |
| 29 | + |
| 30 | +3. Navigate to Security(preview) tab. On the screen, provide Azure Active Directory (Azure AD) identity that has access to the Key Vault and Key in Key Vault in the same region where you're creating this server |
| 31 | + |
| 32 | +4. On Review Summary tab, make sure that you provided correct information in Security section and press Create button |
| 33 | + |
| 34 | +5. Once it's finished, you should be able to navigate to Data Encryption (preview) screen for the server and update identity or key if necessary |
| 35 | + |
| 36 | +## Update Customer Managed Key on the CMK enabled Flexible Server |
| 37 | + |
| 38 | +Prerequisites: |
| 39 | + |
| 40 | +- Azure Active Directory (Azure AD) user-managed identity in region where Postgres Flex Server will be created. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity. |
| 41 | + |
| 42 | +- Key Vault with key in region where Postgres Flex Server will be created. Follow this [tutorial](../../key-vault/general/quick-create-portal.md) to create Key Vault and generate key. |
| 43 | + |
| 44 | +Follow the steps below to update CMK on CMK enabled Flexible Server using Azure portal: |
| 45 | + |
| 46 | +1. Navigate to Azure Database for PostgreSQL - Flexible Server create a page via the Azure portal. |
| 47 | + |
| 48 | +2. Navigate to Data Encryption (preview) screen under Security tab |
| 49 | + |
| 50 | +3. Select different identity to connect to Azure Key Vault, remembering that this identity needs to have proper access rights to the Key Vault |
| 51 | + |
| 52 | +4. Select different key by choosing subscription, Key Vault and key from dropdowns provided. |
| 53 | + |
| 54 | +## Next steps |
| 55 | + |
| 56 | +- [Manage an Azure Database for PostgreSQL - Flexible Server by using Azure portal](how-to-manage-server-portal.md) |
0 commit comments