articles/azure-monitor/platform/customer-managed-keys.md
3 additions & 13 deletions
@@ -90,9 +90,7 @@ The following rules apply:
90
90
- The AEK is used to derive DEKs, which are the keys that are used to
91
91
encrypt each block of data written to disk.
92
92
93
-
- When you configure your key in Key Vault and reference it in the
94
-
*Cluster* resource, Azure Storage wraps the AEK with your KEK in
95
-
Azure Key Vault.
93
+
- When you configure your key in Key Vault and reference it in the *Cluster* resource, the Azure Storage sends requests to your Azure Key Vault to wrap and unwrap the AEK to perform data encryption and decryption operations.
96
94
97
95
- Your KEK never leaves your Key Vault and in the case of an HSM key,
98
96
it never leaves the hardware.
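Review bot: The replacement bullet drops the statement that the AEK is wrapped with your KEK (the removed lines read "Azure Storage wraps the AEK with your KEK in Azure Key Vault"), which is the relationship a reader needs in order to follow the next bullet, "Your KEK never leaves your Key Vault", and the later rotation section; suggest "...sends requests to your Azure Key Vault to wrap and unwrap the AEK with your KEK to perform data encryption and decryption operations." Also drop the article in "the Azure Storage sends requests" so it reads "Azure Storage sends requests".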
@@ -101,10 +99,6 @@ The following rules apply:
101
99
*Cluster* resource to authenticate and access to Azure Key Vault via
102
100
Azure Active Directory.
103
101
104
-
- For read/write operations, Azure Storage sends requests to Azure Key
105
-
Vault to wrap and unwrap the AEK to perform encryption
106
-
and decryption operations.
107
-
108
102
## CMK provisioning procedure
109
103
110
104
For Application Insights CMK configuration, follow the Appendix content for steps 3 and 6.
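Review bot: Removing this bullet is consistent with the first hunk, where the "wrap and unwrap the AEK" request wording now lives in the Key Vault bullet, so no information is lost by the consolidation. While this list is being touched, the unchanged context line "authenticate and access to Azure Key Vault via Azure Active Directory" should read "authenticate and access Azure Key Vault via Azure Active Directory".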
@@ -403,12 +397,8 @@ encryption key and once accessed, data ingestion and query resume within
403
397
404
398
## CMK (KEK) rotation
405
399
406
-
Rotation of CMK requires explicit update of the *Cluster* resource with
407
-
the new Azure Key Vault Key version. To update Azure Monitor with your
408
-
new key version, follow the instructions in "Update *Cluster* resource
409
-
with *Key identifier* details" step.
410
-
411
-
If you update your key in Key Vault and don't update the new *Key identifier* details in the *Cluster* resource*, Azure Monitor Storage will keep using your previous key.
400
+
Rotation of CMK requires explicit update of the *Cluster* resource with the new key version in Azure Key Vault. To update Azure Monitor with your new key version, follow the instructions in "Update *Cluster* resource with Key identifier details" step. If you update your key version in Key Vault and don't update the new Key identifier details in the *Cluster* resource, Azure Monitor Storage will keep using your previous key.
401
+
All your data is accessible after the key rotation operation including data ingested before the rotation and after it, since all data remains encrypted by the Account Encryption Key (AEK) while it’s now being encrypted by your new Key Encryption Key (KEK) version.
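Review bot: In the added second paragraph, "while it's now being encrypted by your new Key Encryption Key (KEK) version" leaves "it" ambiguous and says "encrypted" where the first hunk describes the KEK as wrapping the AEK; suggest "since all data remains encrypted by the Account Encryption Key (AEK), and only the AEK is re-wrapped with your new Key Encryption Key (KEK) version." That wording also states the point that matters for rotation explicitly: stored data is not re-encrypted, the AEK wrapping is. In the first paragraph, "requires explicit update" reads better as "requires an explicit update", and "follow the instructions in "Update *Cluster* resource with Key identifier details" step" needs an article ("in the ... step").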