articles/mysql/flexible-server/concepts-customer-managed-key.md
Lines changed: 17 additions & 5 deletions
@@ -16,13 +16,16 @@ ms.topic: conceptual
With data encryption with customer-managed keys for Azure Database for MySQL flexible server, you can bring your own key (BYOK) for data protection at rest and implement separation of duties for managing keys and data. With customer managed keys (CMKs), the customer is responsible for and ultimately controls the key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing operations on keys.
+
[!NOTE]
+
Azure Key Vault Managed HSM (Hardware Security Module) is currently supported for customer-managed keys for Azure Database for MySQL Flexible Server.
+
## Benefits
Data encryption with customer-managed keys for Azure Database for MySQL flexible server provides the following benefits:
- You fully control data access by the ability to remove the key and make the database inaccessible
- Full control over the key lifecycle, including rotation of the key to aligning with corporate policies
-
- Central management and organization of keys in Azure Key Vault
+
- Central management and organization of keys in Azure Key Vault or Managed HSM
- Ability to implement separation of duties between security officers, DBA, and system administrators
## How does data encryption with a customer-managed key work?
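Review bot: The added `[!NOTE]` callout is missing the `>` blockquote prefix that the existing note at the end of this file uses (`> [!NOTE]`), so `[!NOTE]` and the sentence under it will render as plain paragraphs instead of an alert; prefix both added lines with `> `. The sentence "Azure Key Vault Managed HSM (Hardware Security Module) is currently supported for customer-managed keys" also reads as if Managed HSM were the only supported key store, while the Benefits bullet in the same hunk now says "Azure Key Vault or Managed HSM"; say it explicitly, e.g. "Customer-managed keys can be stored in Azure Key Vault or in Azure Key Vault Managed HSM (Hardware Security Module)." Unrelated but visible in the unchanged context: "rotation of the key to aligning with corporate policies" should read "to align with corporate policies".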
@@ -38,6 +41,15 @@ The UMI must have the following access to the key vault:
-**Wrap Key**: To be able to encrypt the DEK. The encrypted DEK is stored in the Azure Database for MySQL flexible server instance.
-**Unwrap Key**: To be able to decrypt the DEK. Azure Database for MySQL flexible server needs the decrypted DEK to encrypt/decrypt the data.
+
If RBAC is enabled, the UMI must also be assigned the following role:
+
+
-**Key Vault Crypto Service Encryption User** or the role with the permissions:
+
- Microsoft.KeyVault/vaults/keys/wrap/action
+
- Microsoft.KeyVault/vaults/keys/unwrap/action
+
- Microsoft.KeyVault/vaults/keys/read like "Key Vault Crypto Service Encryption User"
+
- For Managed HSM, assign the **Managed HSM Crypto Service Encryption User** role
+
+
### Terminology and description
**Data encryption key (DEK)**: A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that encrypts and decrypts a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key.
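Review bot: The added "If RBAC is enabled" block mixes two permission models and nests the Managed HSM role in the wrong place. Say what "RBAC is enabled" means: if the key vault uses the Azure RBAC permission model instead of access policies, the Wrap Key/Unwrap Key access-policy permissions listed just above do not apply, and the UMI instead needs the **Key Vault Crypto Service Encryption User** role (or a custom role with the `Microsoft.KeyVault/vaults/keys/read`, `.../keys/wrap/action` and `.../keys/unwrap/action` data actions) assigned at the key or vault scope. The trailing fragment `- Microsoft.KeyVault/vaults/keys/read like "Key Vault Crypto Service Encryption User"` repeats the role name already given two lines up and should be just the data action. Managed HSM has no access-policy mode and always uses its own local RBAC, so `- For Managed HSM, assign the **Managed HSM Crypto Service Encryption User** role` belongs as a separate top-level bullet rather than as one of the custom-role permissions; while here, add a space after the leading hyphen (`- **Key Vault Crypto Service Encryption User**`) so the bullet renders as a list item.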
@@ -59,7 +71,7 @@ After logging is enabled, auditors can use Azure Monitor to review Key Vault aud
## Requirements for configuring data encryption for Azure Database for MySQL flexible server
-
Before you attempt to configure Key Vault, be sure to address the following requirements.
+
Before you attempt to configure Key Vault or Managed HSM, be sure to address the following requirements.
- The Key Vault and Azure Database for MySQL flexible server instance must belong to the same Microsoft Entra tenant. Cross-tenant Key Vault and flexible server interactions need to be supported. You'll need to reconfigure data encryption if you move Key Vault resources after performing the configuration.
- The Key Vault and Azure Database for MySQL flexible server instance must reside in the same region.
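Review bot: The intro sentence now reads "Key Vault or Managed HSM", but the requirement bullets under it still only name "The Key Vault" (same Microsoft Entra tenant, same region); either extend each bullet to cover Managed HSM or state once that the requirements apply to both stores. The unchanged context line "Cross-tenant Key Vault and flexible server interactions need to be supported" contradicts the "must belong to the same Microsoft Entra tenant" sentence right before it and presumably should read "are not supported"; worth fixing in the same pass.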
@@ -80,16 +92,16 @@ Before you attempt to configure the CMK, be sure to address the following requir
## Recommendations for configuring data encryption
-
As you configure Key Vault to use data encryption using a customer-managed key, keep in mind the following recommendations.
+
As you configure Key Vault or Managed HSM to use data encryption using a customer-managed key, keep in mind the following recommendations.
- Set a resource lock on Key Vault to control who can delete this critical resource and prevent accidental or unauthorized deletion.
- Enable auditing and reporting on all encryption keys. Key Vault provides logs that are easy to inject into other security information and event management tools. Azure Monitor Log Analytics is one example of a service that's already integrated.
- Keep a copy of the customer-managed key in a secure place or escrow it to the escrow service.
- If Key Vault generates the key, create a key backup before using the key for the first time. You can only restore the backup to Key Vault. For more information about the backup command, see [Backup-AzKeyVaultKey](/powershell/module/az.keyVault/backup-azkeyVaultkey).
> [!NOTE]
-
> * It is advised to use a key vault from the same region, but if necessary, you can use a key vault from another region by specifying the "enter key identifier" information.
-
> * RSA key stored in **Azure Key Vault Managed HSM**, is currently not supported.
+
> * It is advised to use a key vault from the same region, but if necessary, you can use a key vault from another region by specifying the "enter key identifier" information. The key vault managed HSM must be in the same region as the MySQL flexible server.
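Review bot: Appending "The key vault managed HSM must be in the same region as the MySQL flexible server." to a bullet that begins "you can use a key vault from another region" makes the bullet read as contradicting itself; split it into its own note bullet (using the product name "Azure Key Vault Managed HSM") or move it into the Requirements section beside the existing same-region requirement. Deleting `> * RSA key stored in **Azure Key Vault Managed HSM**, is currently not supported.` removes the only statement about supported key types without replacing it; if RSA keys in Managed HSM are now supported, say so and list the supported key types and sizes. The recommendations above this hunk (resource lock on Key Vault, "create a key backup", "You can only restore the backup to Key Vault") were not updated alongside the new "Key Vault or Managed HSM" intro sentence; confirm whether each one applies to Managed HSM and adjust the wording.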