File: articles/service-bus-messaging/configure-customer-managed-key.md (11 additions, 11 deletions)
@@ -13,18 +13,18 @@ ms.author: aschhab
13
13
---
14
14
15
15
# Configure customer-managed keys for encrypting Azure Service Bus data at rest by using the Azure portal
16
-
Azure Service Bus provides encryption of data at rest with Azure Storage Service Encryption (Azure SSE). Service Bus relies on Azure Storage to store the data and by default, all the data that is stored with Azure Storage is encrypted using Microsoft-managed keys.
16
+
Azure Service Bus Premium provides encryption of data at rest with Azure Storage Service Encryption (Azure SSE). Service Bus Premium relies on Azure Storage to store the data and by default, all the data that is stored with Azure Storage is encrypted using Microsoft-managed keys.
17
17
18
18
## Overview
19
19
Azure Service Bus now supports the option of encrypting data at rest with either Microsoft-managed keys or customer-managed keys (Bring Your Own Key - BYOK). this feature enables you to create, rotate, disable, and revoke access to the customer-managed keys that are used for encrypting Azure Service Bus at rest.
20
20
21
21
Enabling the BYOK feature is a one time setup process on your namespace.
22
22
23
23
> [!NOTE]
24
-
> The BYOK compatibility is supported by [Azure Service Bus Premium](service-bus-premium-messaging.md) tier. It cannot be enabled for standard tier Service Bus namespaces.
25
-
>
26
-
>
27
-
> If [Virtual network (VNet) service endpoints](service-bus-service-endpoints.md) are configured on Azure Key Vault for your Service Bus namespace, BYOK will not be supported.
24
+
> There are some caveats to the customer managed key for service side encryption.
25
+
>* This feature is supported by [Azure Service Bus Premium](service-bus-premium-messaging.md) tier. It cannot be enabled for standard tier Service Bus namespaces.
26
+
>* The encryption can only be enabled for new or empty namespaces. If the namespace contains data, then the encryption operation will fail.
27
+
> *If [Virtual network (VNet) service endpoints](service-bus-service-endpoints.md) are configured on Azure Key Vault for your Service Bus namespace, BYOK will not be supported.
28
28
29
29
You can use Azure Key Vault to manage your keys and audit your key usage. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. For more information about Azure Key Vault, see [What is Azure Key Vault?](../key-vault/key-vault-overview.md)
30
30
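Review bot: the three new caveat bullets inside the note (`>* This feature ...`, `>* The encryption ...`, `> *If [Virtual network ...`) are formatted inconsistently, and the third one has the asterisk fused to the word (`*If`), so it will render as a line starting with an italic marker rather than as a third list item; use `> * ` for all three, for example `> * If [Virtual network (VNet) service endpoints](service-bus-service-endpoints.md) are configured on Azure Key Vault for your Service Bus namespace, BYOK will not be supported.` The introductory line `> There are some caveats to the customer managed key for service side encryption.` should also follow the hyphenation used in the page title (`customer-managed key`, `service-side encryption`). The newly added constraint that encryption can only be enabled for new or empty namespaces, and that the operation fails otherwise, is something readers will plan their rollout around, so it is worth repeating in the Overview paragraph rather than leaving it only inside the note. Unrelated to the change but visible in the context: `this feature enables you` in the Overview paragraph should start with a capital letter.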
@@ -43,7 +43,7 @@ To enable customer-managed keys in the Azure portal, follow these steps:
After you enable customer-managed keys, you need to associate the customer managed key with your Azure Service Bus namespace. Service Bus supports only Azure Key Vault. If you enable the **Encryption with customer-managed key** option in the previous section, you need to have the key imported into Azure Key Vault. Also, the keys must have **Soft Delete** and **Do Not Purge** configured for the key. These settings can be configured using [PowerShell](../key-vault/key-vault-soft-delete-powershell.md) or [CLI](../key-vault/key-vault-soft-delete-cli.md#enabling-purge-protection).
49
49
@@ -77,19 +77,19 @@ After you enable customer-managed keys, you need to associate the customer manag
77
77
78
78
79
79
> [!IMPORTANT]
80
-
> If you are looking to use Customer managed key along with Geo diaster recovery, please review the below -
80
+
> If you are looking to use Customer managed key along with Geo disaster recovery, please review the below -
81
81
>
82
-
> To enable encryption at rest with customer managed key, an [access policy](../key-vault/key-vault-secure-your-key-vault.md) is setup for the Service Bus' managed identity on the specified Azure KeyVault. This ensures controlled access to the Azure KeyVault from the Azure Service Bus namespace.
82
+
> To enable encryption at rest with customer managed key, an [access policy](../key-vault/key-vault-secure-your-key-vault.md) is set up for the Service Bus' managed identity on the specified Azure KeyVault. This ensures controlled access to the Azure KeyVault from the Azure Service Bus namespace.
83
83
>
84
-
> Due to this,
84
+
> Due to this:
85
85
>
86
86
> * If [Geo disaster recovery](service-bus-geo-dr.md) is already enabled for the Service Bus namespace and you are looking to enable customer managed key, then
87
87
> * Break the pairing
88
88
> * [Set up the access policy](../key-vault/managed-identity.md) for the managed identity for both the primary and secondary namespaces to the key vault.
89
-
> * Setup encryption on the primary namespace.
89
+
> * Set up encryption on the primary namespace.
90
90
> * Re-pair the primary and secondary namespaces.
91
91
>
92
-
> * If you are looking to enable Geo-DR on a Service Bus namespace where customer managed key is already setup, then -
92
+
> * If you are looking to enable Geo-DR on a Service Bus namespace where customer managed key is already set up, then -
93
93
> * [Set up the access policy](../key-vault/managed-identity.md) for the managed identity for the secondary namespace to the key vault.
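Review bot: the spelling fixes (`diaster` to `disaster`, `setup` to `set up`) are correct, but the list structure in this IMPORTANT block is flat: the sub-steps `> * Break the pairing`, `> * [Set up the access policy](...) for the managed identity for both the primary and secondary namespaces to the key vault.`, `> * Set up encryption on the primary namespace.` and `> * Re-pair the primary and secondary namespaces.` sit at the same indentation as the `> * If [Geo disaster recovery](service-bus-geo-dr.md) is already enabled ... then` item they belong to, so they render as sibling bullets instead of a sequence under that condition. Because the text presents them as an ordered procedure (access policy for both namespaces' managed identities first, then encryption on the primary, then re-pairing), indent them as a nested numbered list (`>   1. Break the pairing` and so on) under each `If ...` item; the same applies to the second branch beginning `> * If you are looking to enable Geo-DR ... then -`. Two smaller wording points on the changed lines: `Customer managed key` should be lower-case and hyphenated as `customer-managed key` to match the page title, and the trailing ` -` after `review the below` and after `then` reads as a stray dash where a colon would be clearer.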