You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/load-testing/how-to-configure-customer-managed-keys.md
+24-15Lines changed: 24 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ services: load-testing
6
6
ms.service: load-testing
7
7
ms.author: ninallam
8
8
author: ninallam
9
-
ms.date: 05/09/2023
9
+
ms.date: 09/18/2023
10
10
ms.topic: how-to
11
11
---
12
12
@@ -16,6 +16,8 @@ Azure Load Testing automatically encrypts all data stored in your load testing r
16
16
17
17
The keys you provide are stored securely using [Azure Key Vault](../key-vault/general/overview.md). You can create a separate key for each Azure load testing resource you enable with customer-managed keys.
18
18
19
+
When you use customer-managed encryption keys, you need to specify a user-assigned managed identity to retrieve the keys from Azure Key Vault.
20
+
19
21
Azure Load Testing uses the customer-managed key to encrypt the following data in the load testing resource:
20
22
21
23
- Test script and configuration files
@@ -35,13 +37,15 @@ Azure Load Testing uses the customer-managed key to encrypt the following data i
35
37
36
38
- Customer-managed keys are only available for new Azure load testing resources. You should configure the key during resource creation.
37
39
38
-
- Azure Load Testing can't automatically rotate the customer-managed key to use the latest version of the encryption key. You should update the key URI in the resource after the key is rotated in the Azure Key Vault.
39
-
40
40
- Once customer-managed key encryption is enabled on a resource, it can't be disabled.
41
41
42
+
- Azure Load Testing can't automatically rotate the customer-managed key to use the latest version of the encryption key. You should update the key URI in the resource after the key is rotated in the Azure Key Vault.
43
+
42
44
## Configure your Azure key vault
43
45
44
-
To use customer-managed encryption keys with Azure Load Testing, you need to store the key in Azure Key Vault. You can use an existing or create a new key vault. The load testing resource and key vault may be in different regions or subscriptions in the same tenant.
46
+
To use customer-managed encryption keys with Azure Load Testing, you need to store the key in Azure Key Vault. You can use an existing key vault or create a new one. The load testing resource and key vault may be in different regions or subscriptions in the same tenant.
47
+
48
+
Make sure to configure the following key vault settings when you use customer-managed encryption keys.
Next, add a key to the key vault. Azure Load Testing encryption supports RSA keys. For more information about supported key types in Azure Key Vault, see [About keys](/azure/key-vault/keys/about-keys).
112
116
@@ -138,7 +142,7 @@ az keyvault key create \
138
142
139
143
## Add an access policy to your key vault
140
144
141
-
The user-assigned managed identity for accessing the customer-managed keys in Azure Key Vault must have appropriate permissions to access the key vault.
145
+
When you use customer-managed encryption keys, you have to specify a user-assigned managed identity. The user-assigned managed identity for accessing the customer-managed keys in Azure Key Vault must have appropriate permissions to access the key vault.
142
146
143
147
1. In the [Azure portal](https://portal.azure.com), go to the Azure key vault instance that you plan to use to host your encryption keys.
144
148
@@ -162,7 +166,9 @@ The user-assigned managed identity for accessing the customer-managed keys in Az
162
166
163
167
1. Select **Save** on the key vault instance to save all changes.
164
168
165
-
## Configure customer-managed keys for a new load testing resource
169
+
## Use customer-managed keys with Azure Load Testing
170
+
171
+
You can only configure customer-managed encryption keys when you create a new Azure load testing resource. When you specify the encryption key details, you also have to select a user-assigned managed identity to retrieve the key from Azure Key Vault.
166
172
167
173
To configure customer-managed keys for a new load testing resource, follow these steps:
168
174
@@ -275,7 +281,7 @@ az deployment group create --resource-group <resource-group-name> --template-fil
275
281
276
282
----
277
283
278
-
## Change the managed identity
284
+
## Change the managed identity for retrieving the encryption key
279
285
280
286
You can change the managed identity for customer-managed keys for an existing load testing resource at any time.
281
287
@@ -296,10 +302,10 @@ You can change the managed identity for customer-managed keys for an existing lo
296
302
297
303
:::image type="content" source="media/how-to-configure-customer-managed-keys/change-identity-existing-azure-load-testing-resource.png" alt-text="Screenshot that shows how to change the managed identity for customer managed keys on an existing Azure load testing resource.":::
298
304
299
-
> [!NOTE]
300
-
> The selected managed identity should have access granted on the Azure Key Vault.
305
+
> [!IMPORTANT]
306
+
> Make sure that the selected [managed identity has access to the Azure Key Vault](#add-an-access-policy-to-your-key-vault).
301
307
302
-
## Change the key
308
+
## Update the customer-managed encryption key
303
309
304
310
You can change the key that you're using for Azure Load Testing encryption at any time. To change the key with the Azure portal, follow these steps:
305
311
@@ -311,9 +317,12 @@ You can change the key that you're using for Azure Load Testing encryption at an
311
317
312
318
1. Save your changes.
313
319
314
-
## Key rotation
320
+
## Rotate encryption keys
321
+
322
+
You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. To rotate a key:
315
323
316
-
You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. To rotate a key, in Azure Key Vault, update the key version or create a new key. You can then update the load testing resource to [encrypt data using the new key URI](#change-the-key).
324
+
1. In Azure Key Vault, update the key version or create a new key.
325
+
1. [Update the customer-managed encryption key]((#update-the-customer-managed-encryption-key)) for your load testing resource.
317
326
318
327
## Frequently asked questions
319
328
@@ -337,7 +346,7 @@ You can revoke a key by disabling the latest version of the key in Azure Key Vau
337
346
338
347
When you revoke the encryption key you may be able to run tests for about 10 minutes, after which the only available operation is resource deletion. It's recommended to rotate the key instead of revoking it to manage resource security and retain your data.
339
348
340
-
## Next steps
349
+
## Related content
341
350
342
351
- Learn how to [Monitor server-side application metrics](./how-to-monitor-server-side-metrics.md).
343
-
- Learn how to [Parameterize a load test](./how-to-parameterize-load-tests.md).
352
+
- Learn how to [Parameterize a load test with secrets and environment variables](./how-to-parameterize-load-tests.md).
0 commit comments