File: articles/data-factory/quickstart-enable-customer-managed-key.md
Lines changed: 18 additions & 17 deletions
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Encrypt Data Factory with Customer Managed Key (CMK)
2
+
title: Encrypt Azure Data Factory with customer-managed key
3
3
description: Enhance Data Factory security with Bring Your Own Key (BYOK)
4
4
services: data-factory
5
5
documentationcenter: ''
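Review bot: the description on line 3 still reads "Enhance Data Factory security with Bring Your Own Key (BYOK)" while the new title drops the acronym and switches to the "customer-managed key" wording; since the hunk already rewrites the title, align the description too, e.g. `description: Enhance Data Factory security with customer-managed keys (Bring Your Own Key)`, so the page uses one name for the feature.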
@@ -19,13 +19,14 @@ Azure Data Factory encrypts data at rest, including entity definitions, any data
19
19
20
20
Azure Key Vault is required to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. Key vault and Data Factory must be in the same Azure Active Directory (Azure AD) tenant and in the same region, but they may be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../key-vault/general/overview.md)
21
21
22
-
[!NOTE] For now, customer-managed key can only be configured on an empty Data Factory: no linked service, no pipeline, no data sets, nothing. Consider enable customer-managed key right after factory creation.
22
+
[!NOTE]
23
+
For now, customer-managed key can only be configured on an empty Data Factory: no linked service, no pipeline, no data sets, nothing. Consider enable customer-managed key right after factory creation.
23
24
24
25
## About Customer-Managed Keys
25
26
26
27
The following diagram shows how Data Factory uses Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:
27
28
28
-

29
+

29
30
30
31
The following list explains the numbered steps in the diagram:
31
32
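Review bot: moving `[!NOTE]` onto its own line is the correct admonition syntax, but the rewritten body line still carries the grammar slip "Consider enable customer-managed key right after factory creation"; as the line is already being touched, change it to "Consider enabling customer-managed key right after factory creation." The same sentence says "no data sets" while the later step list says "no data set"; pick one form in both places.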
@@ -44,49 +45,49 @@ Using customer-managed keys with Data Factory requires two properties to be set
44
45
-[How to use soft-delete with PowerShell](../key-vault/general/soft-delete-powershell.md)
45
46
-[How to use soft-delete with CLI](../key-vault/general/soft-delete-cli.md)
46
47
47
-
If you are creating a new Azure Key Vault through Azure Portal, __Soft Delete__ and __Do Not Purge__ can be enabled as follows:
48
+
If you are creating a new Azure Key Vault through Azure portal, __Soft Delete__ and __Do Not Purge__ can be enabled as follows:
48
49
49
-

50
+

50
51
51
52
### Grant Data Factory Access to Key Vault
52
53
53
54
Make sure that Azure Key Vault and Azure Data Factory are in the same Azure Active Directory (Azure AD) tenant and in the _same region_. From Azure Key Vault access control, grant data factory's Managed Service Identity (MSI) following permissions: _Get_, _Unwrap Key_, and _Wrap Key_. These permissions are required to enable customer-managed keys in Data Factory.
54
55
55
-

56
+

56
57
57
58
### Generate or Upload customer-managed key to Key Vault
58
59
59
-
You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. Note that only 2048-bit RSA keys are supported with Data Factory encryption. For more information, see [About keys, secrets, and certificates](../key-vault/general/about-keys-secrets-certificates.md).
60
+
You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. Only 2048-bit RSA keys are supported with Data Factory encryption. For more information, see [About keys, secrets, and certificates](../key-vault/general/about-keys-secrets-certificates.md).
1. Ensure the Data Factory is empty: no linked service, no pipeline, and no data set, nothing. For now, deploying customer-managed key to a non-empty factory will result in an error.
66
67
67
-
2. To locate the key URI in the Azure portal, navigate to Azure Key Vault, and select the Keys setting. Select the wanted key, then click the key to view its versions. Select a key version to view the settings
68
+
1. To locate the key URI in the Azure portal, navigate to Azure Key Vault, and select the Keys setting. Select the wanted key, then click the key to view its versions. Select a key version to view the settings
68
69
69
-
3. Copy the value of the Key Identifier field, which provides the URI
70
+
1. Copy the value of the Key Identifier field, which provides the URI
70
71
71
-

72
+

72
73
73
-
4. Launch Azure Data Factory portal, and using the navigation bar on the left, jump to Data Factory Home Page
74
+
1. Launch Azure Data Factory portal, and using the navigation bar on the left, jump to Data Factory Home Page
74
75
75
-
5. Click on the __Customer manged key__ icon
76
+
1. Click on the __Customer manged key__ icon
76
77
77
-

78
+

78
79
79
-
6. Enter the URI for customer-managed key that you copied before
80
+
1. Enter the URI for customer-managed key that you copied before
80
81
81
-
7. Click __Save__ and customer-manged key encryption is enabled for Data Factory
82
+
1. Click __Save__ and customer-manged key encryption is enabled for Data Factory
82
83
83
84
## Update Key Version
84
85
85
86
When you create a new version of a key, update data factory to use the new version. Follow similar steps as described in section _Enable Customer-Managed Keys_, including:
86
87
87
88
1. Locate the URI for the new key version through Azure Key Vault Portal
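Review bot: the renumbered steps "Click on the __Customer manged key__ icon" and "Click __Save__ and customer-manged key encryption is enabled for Data Factory" keep the "manged" typo in their `+` lines; since this hunk rewrites both lines anyway, correct them to "managed" here rather than in a follow-up. Changing every item to `1.` relies on Markdown auto-numbering, which only works while the items form one contiguous list: the image lines between steps 3/4 and 5/6 must stay attached to the list (indented under the preceding item) or the renderer restarts the count at 1 after each image, whereas the old explicit numbers survived such a break.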