articles/cosmos-db/how-to-setup-customer-managed-keys.md
25 additions & 27 deletions
@@ -84,62 +84,60 @@ The necessary permissions must be given for allowing Cosmos DB to use your encry
84
84
85
85
## <aid="add-roles"></a> Adding the roles to your Azure Key Vault instance
86
86
87
-
1. From the Azure portal, go to the Azure Key Vault instance that you plan to use to host your encryption keys. Select **Access control (IAM)** from the left menu and select **Grant access to this resource.**:
87
+
1. From the Azure portal, go to the Azure Key Vault instance that you plan to use to host your encryption keys. Select **Access control (IAM)** from the left menu and select **Grant access to this resource**.
88
88
89
89
:::image type="content" source="media/how-to-setup-customer-managed-keys/navigation-access-control.png" alt-text="Screenshot of the Access control option in the resource navigation menu.":::
:::image type="content" source="media/how-to-setup-customer-managed-keys/access-control-grant-access.png" alt-text="Screenshot of the Grant access to this resource option on the Access control page.":::
93
92
94
-
1. Search the **“Key Vault Administrator role”** and assign it to yourself. This is done by first searching the role name from the list and then clicking on the **“Members”** tab. Once on the tab, select the “User, group or service principal” option from the radio and then look up your Azure account. Once the account has been selected, the role can be assigned.
93
+
1. Search the **“Key Vault Administrator role”** and assign it to yourself. This is done by first searching the role name from the list and then clicking on the **“Members”** tab. Once on the tab, select the “User, group or service principal” option from the radio and then look up your Azure account. Once the account has been selected, the role can be assigned.
:::image type="content" source="media/how-to-setup-customer-managed-keys/search-key-vault-admin-role.png" alt-text="Screenshot of the Key vault administrator role in the search results.":::
:::image type="content" source="media/how-to-setup-customer-managed-keys/access-control-assign-role.png" alt-text="Screenshot of a role assignment on the Access control page.":::
99
98
100
-
1. Then, the necessary permissions must be assigned to Cosmos DB’s principal. So, like the last role assignment, go to the assignment page but this time look for the **“Key Vault Crypto Service Encryption User”** role and on the members tab look for Cosmos DB’s principal.
99
+
1. Then, the necessary permissions must be assigned to Cosmos DB’s principal. So, like the last role assignment, go to the assignment page but this time look for the **“Key Vault Crypto Service Encryption User”** role and on the members tab look for Cosmos DB’s principal. To find the principal, search for **Azure Cosmos DB** principal and select it (to make it easier to find, you can also search by application ID: `a232010e-820c-4083-83bb-3ace5fc29d0b`.
101
100
102
-
For this, search for **Azure Cosmos DB** principal and select it (to make it easier to find, you can also search by application ID: a232010e-820c-4083-83bb-3ace5fc29d0b for any Azure region except Azure Government regions where the application ID is 57506a73-e302-42a9-b869-6f12d9ec29e9).
101
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/assign-permission-principal.png" alt-text="Screenshot of the Azure Cosmos DB principal being assigned to a permission.":::
103
102
104
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-assign-permissions.png" alt-text="Assign permission Cosmos DB principal":::
105
-
106
-
Select Review + assign and the role will be assigned to Cosmos DB.
103
+
> [!IMPORTANT]
104
+
> In the Azure Government region, the application ID is `57506a73-e302-42a9-b869-6f12d9ec29e9`.
107
105
106
+
1. Select Review + assign and the role will be assigned to Cosmos DB.
108
107
109
108
## <aid="confirming-roles-have-been-set-correctly"></a> Confirming that the roles have been set correctly
110
109
111
-
Once the roles have been assigned, please click on the **“View access to this resource”** card on the Access Control IAM page to verify that everything has been set correctly.
112
-
113
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-view-access-to-resource.png" alt-text="View access to resource":::
110
+
1. Once the roles have been assigned, select **“View access to this resource”** on the Access Control IAM page to verify that everything has been set correctly.
114
111
115
-
Once in the page, set the scope to **“this resource”** and verify that you have the Key Vault Administrator role, and the Cosmos DB principal has the Key Vault Crypto Encryption User role.
112
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/access-control-view-access-resource.png" alt-text="Screenshot of the View access to resource option on the Access control page.":::
116
113
117
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-set-scope-to-this-resource.png" alt-text="Set scope to this resource":::
114
+
1. On the page, set the scope to **“this resource”** and verify that you have the Key Vault Administrator role, and the Cosmos DB principal has the Key Vault Crypto Encryption User role.
118
115
116
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/role-assignment-set-scope.png" alt-text="Screenshot of the scope adjustment option for a role assignment query.":::
119
117
120
118
## Generate a key in Azure Key Vault
121
119
122
120
1. From the Azure portal, go the Azure Key Vault instance that you plan to use to host your encryption keys. Then, select **Keys** from the left menu:
123
121
124
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-keys.png" alt-text="Keys entry from the left menu":::
122
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/navigation-keys.png" alt-text="Screenshot of the Keys option in the resource navigation menu.":::
125
123
126
124
1. Select **Generate/Import**, provide a name for the new key, and select an RSA key size. A minimum of 3072 is recommended for best security. Then select **Create**:
127
125
128
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-gen.png" alt-text="Create a new key":::
126
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/new-customer-managed-key.png" alt-text="Screenshot of the dialog to create a new key.":::
129
127
130
128
1. After the key is created, select the newly created key and then its current version.
131
129
132
130
1. Copy the key's **Key Identifier**, except the part after the last forward slash:
133
131
134
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-keyid.png" alt-text="Copying the key's key identifier":::
132
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/key-identifier.png" alt-text="Screenshot of the keyidentifier field and the copy action.":::
135
133
136
134
## <aid="create-a-new-azure-cosmos-account"></a>Create a new Azure Cosmos DB account
137
135
138
136
### Using the Azure portal
139
137
140
138
When you create a new Azure Cosmos DB account from the Azure portal, choose **Customer-managed key** in the **Encryption** step. In the **Key URI** field, paste the URI/key identifier of the Azure Key Vault key that you copied from the previous step:
141
139
142
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-cosmos-enc.png" alt-text="Setting CMK parameters in the Azure portal":::
140
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/configure-custom-managed-key-uri.png" alt-text="Screenshot of the Encryption page with a custom-managed key URI configured.":::
143
141
144
142
### <aid="using-powershell"></a> Using Azure PowerShell
145
143
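Review bot: the role name in the final verification step ("the Cosmos DB principal has the Key Vault Crypto Encryption User role") does not match the role assigned two sections earlier ("Key Vault Crypto Service Encryption User"); a reader checking the assignment will look for a role that is not listed under the shorter name, so use the full role name in both places. Also, the new sentence "(to make it easier to find, you can also search by application ID: `a232010e-820c-4083-83bb-3ace5fc29d0b`." lacks its closing parenthesis. Finally, the Azure Government exception used to be stated inline ("for any Azure region except Azure Government regions"); after this change the main sentence presents the ID unconditionally and the IMPORTANT note only appears after the screenshot, so consider keeping a short "except in Azure Government" qualifier in the sentence itself, and the note says "region" where the original said "regions".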
@@ -467,15 +465,15 @@ Rotating the customer-managed key used by your Azure Cosmos DB account can be do
467
465
468
466
- Create a new version of the key currently used from Azure Key Vault:
469
467
470
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-rot.png" alt-text="Screenshot of the New Version option in the Versions page of the Azure portal.":::
468
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/new-version.png" alt-text="Screenshot of the New Version option in the Versions page of the Azure portal.":::
471
469
472
470
- Swap the key currently used with a different one by updating the key URI on your account. From the Azure portal, go to your Azure Cosmos DB account and select **Data Encryption** from the left menu:
473
471
474
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-data-encryption.png" alt-text="Screenshot of the Data Encryption menu option in the Azure portal.":::
472
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/navigation-data-encryption.png" alt-text="Screenshot of the Data Encryption option on the resource navigation menu.":::
475
473
476
474
Then, replace the **Key URI** with the new key you want to use and select **Save**:
477
475
478
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-key-swap.png" alt-text="Screenshot of the Save option in the Key page of the Azure portal.":::
476
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/save-key-change.png" alt-text="Screenshot of the Save option on the Key page.":::
479
477
480
478
Here's how to do achieve the same result in PowerShell:
481
479
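Review bot: the unchanged context line "Here's how to do achieve the same result in PowerShell:" has a typo ("do achieve"); since this hunk already touches the surrounding lines, fix it to "Here's how to achieve the same result in PowerShell:".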
@@ -542,7 +540,7 @@ Not currently, but container-level keys are being considered.
542
540
543
541
From the Azure portal, go to your Azure Cosmos DB account and watch for the **Data Encryption** entry in the left menu; if this entry exists, customer-managed keys are enabled on your account:
544
542
545
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-data-encryption.png" alt-text="The Data Encryption menu entry":::
543
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/navigation-data-encryption.png" alt-text="Screenshot of the Data encryption option in the resource navigation menu.":::
546
544
547
545
You can also programmatically fetch the details of your Azure Cosmos DB account and look for the presence of the `keyVaultKeyUri` property. See above for ways to do that [in PowerShell](#using-powershell) and [using the Azure CLI](#using-azure-cli).
548
546
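Review bot: the new alt text for navigation-data-encryption.png here ("Screenshot of the Data encryption option in the resource navigation menu.") differs from the alt text given for the same image in the rotation section above ("Screenshot of the Data Encryption option on the resource navigation menu."); pick one wording, matching the **Data Encryption** menu label used in the body text, and use it in both places.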
@@ -569,17 +567,17 @@ The following conditions are necessary to successfully perform a point-in-time r
569
567
570
568
Key revocation is done by disabling the latest version of the key:
571
569
572
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-rev2.png" alt-text="Disable a key's version":::
570
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/revoke-key.png" alt-text="Screenshot of a disabled custom key version.":::
573
571
574
572
Alternatively, to revoke all keys from an Azure Key Vault instance, you can delete the access policy granted to the Azure Cosmos DB principal:
575
573
576
-
:::image type="content" source="media/how-to-setup-customer-managed-keys/portal-akv-rev.png" alt-text="Deleting the access policy for the Azure Cosmos DB principal":::
574
+
:::image type="content" source="media/how-to-setup-customer-managed-keys/remove-access-policy.png" alt-text="Screenshot of the Delete option for an access policy.":::
577
575
578
576
### What operations are available after a customer-managed key is revoked?
579
577
580
578
The only operation possible when the encryption key has been revoked is account deletion.
581
579
582
580
## Next steps
583
581
584
-
- Learn more about [data encryption in Azure Cosmos DB](./database-encryption-at-rest.md).
582
+
- Learn more about [data encryption in Azure Cosmos DB](database-encryption-at-rest.md).
585
583
- Get an overview of [secure access to data in Azure Cosmos DB](secure-access-to-data.md).
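Review bot: the revocation step still says to "delete the access policy granted to the Azure Cosmos DB principal" (and the new alt text "Screenshot of the Delete option for an access policy." keeps that wording), but the setup section of this same change grants Cosmos DB access through an RBAC role assignment (Key Vault Crypto Service Encryption User), not a vault access policy; a vault whose permission model is Azure RBAC has no access policy for this principal to delete, so the revocation text should say to remove that role assignment (or cover both permission models) and the screenshot should match. A reader who follows the RBAC steps and then tries to revoke per these instructions will find nothing to delete and may wrongly conclude that access cannot be cut off.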