Merge pull request #247954 from b-ahibbard/anf-cmk-managed-hsm

Court72 · web-flow · commit 53a25d8b6900 · 2024-08-09T09:57:34.000-06:00
Anf cmk managed hsm
diff --git a/articles/azure-netapp-files/TOC.yml b/articles/azure-netapp-files/TOC.yml
@@ -313,6 +313,8 @@
         href: configure-network-features.md
       - name: Configure customer-managed keys 
         href: configure-customer-managed-keys.md
+      - name: Configure customer-managed keys with managed HSM
+        href: configure-customer-managed-keys-hardware.md
       - name: Configure Virtual WAN
         href: configure-virtual-wan.md
     - name: Mount volumes
diff --git a/articles/azure-netapp-files/configure-customer-managed-keys-hardware.md b/articles/azure-netapp-files/configure-customer-managed-keys-hardware.md
@@ -0,0 +1,127 @@
+---
+title: Configure customer-managed keys with managed Hardware Security Module for Azure NetApp Files volume encryption 
+description: Learn how to encrypt data in Azure NetApp Files with customer-managed keys using the Hardware Security Module
+services: azure-netapp-files
+documentationcenter: ''
+author: b-ahibbard
+manager: ''
+editor: ''
+
+ms.assetid:
+ms.service: azure-netapp-files
+ms.workload: storage
+ms.tgt_pltfrm: na
+ms.topic: how-to
+ms.custom: references_regions
+ms.date: 08/08/2024
+ms.author: anfdocs
+---
+# Configure customer-managed keys with managed Hardware Security Module for Azure NetApp Files volume encryption 
+
+Azure NetApp Files volume encryption with customer-managed keys with the managed Hardware Security Module (HSM) is an extension to [customer-managed keys for Azure NetApp Files volumes encryption feature](configure-customer-managed-keys.md). Customer-managed keys with HSM allows you to store your encryptions keys in a more secure FIPS 140-2 Level 3 HSM instead of the FIPS 140-2 Level 1 or Level 2 service used by Azure Key Vault (AKV).
+
+## Requirements 
+
+* Customer-managed keys with managed HSM is supported using the 2022.11 or later API version.
+* Customer-managed keys with managed HSM is only supported for Azure NetApp Files accounts that don't have existing encryption. 
+* Before creating a volume using customer-managed key with managed HSM volume, you must have: 
+    * created an [Azure Key Vault](/azure/key-vault/general/overview), containing at least one key.
+        * The key vault must have soft delete and purge protection enabled.
+        * The key must be type RSA.
+    * created a VNet with a subnet delegated to Microsoft.Netapp/volumes.
+    * a user- or system-assigned identity for your Azure NetApp Files account. 
+    * [provisioned and activated a managed HSM.](/azure/key-vault/managed-hsm/quick-create-cli)
+
+## Supported regions
+
+* Australia East
+* Brazil South
+* Canada Central
+* Central US
+* East Asia
+* East US
+* East US 2
+* France Central
+* Japan East
+* Korea Central
+* North Central US
+* North Europe
+* Norway East
+* Norway West
+* South Africa North
+* South Central US
+* Southeast Asia
+* Sweden Central
+* Switzerland North
+* UAE Central
+* UAE North
+* UK South
+* West US
+* West US 2
+* West US 3
+
+## Register the feature
+
+This feature is currently in preview. You need to register the feature before using it for the first time. After registration, the feature is enabled and works in the background. No UI control is required. 
+
+1. Register the feature: 
+
+    ```azurepowershell-interactive
+    Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFManagedHsmEncryption
+    ```
+
+2. Check the status of the feature registration: 
+
+    > [!NOTE]
+    > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is **Registered** before continuing.
+
+    ```azurepowershell-interactive
+    Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFManagedHsmEncryption
+    ```
+You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status. 
+
+## Configure customer-managed keys with managed HSM for system-assigned identity
+
+When you configure customer-managed keys with a system-assigned identity, Azure configures the NetApp account automatically by adding a system-assigned identity. The access policy is created on your Azure Key Vault with key permissions of Get, Encrypt, and Decrypt.
+
+### Requirements
+
+To use a system-assigned identity, the Azure Key Vault must be configured to use Vault access policy as its permission model. Otherwise, you must use a user-assigned identity. 
+
+### Steps
+
+1. In the Azure portal, navigate to Azure NetApp Files then select **Encryption**.
+1. In the **Encryption** menu, provide the following values:
+    * For **Encryption key source**, select **Customer Managed Key**.
+    * For **Key URI**, select **Enter Key URI** then provide the URI for the managed HSM.
+    * Select the NetApp **Subscription**.
+    * For **Identity type**, select **System-assigned**.
+
+    :::image type="content" source="./media/configure-customer-managed-keys/key-enter-uri.png" alt-text="Screenshot of the encryption menu showing key URI field." lightbox="./media/configure-customer-managed-keys//key-enter-uri.png":::
+
+1. Select **Save**.
+
+## Configure customer-managed keys with managed HSM for user-assigned identity
+
+1. In the Azure portal, navigate to Azure NetApp Files then select **Encryption**.
+1. In the **Encryption** menu, provide the following values:
+    * For **Encryption key source**, select **Customer Managed Key**.
+    * For **Key URI**, select **Enter Key URI** then provide the URI for the managed HSM.
+    * Select the NetApp **Subscription**.
+    * For **Identity type**, select **User-assigned**.
+1. When you select **User-assigned**, a context pane opens to select the identity. 
+    * If your Azure Key Vault is configured to use a Vault access policy, Azure configures the NetApp account automatically and adds the user-assigned identity to your NetApp account. The access policy is created on your Azure Key Vault with key permissions of Get, Encrypt, and Decrypt.
+    * If your Azure Key Vault is configured to use Azure role-based access control (RBAC), ensure the selected user-assigned identity has a role assignment on the key vault with permissions for data actions:
+        * "Microsoft.KeyVault/vaults/keys/read"
+        * "Microsoft.KeyVault/vaults/keys/encrypt/action"
+        * "Microsoft.KeyVault/vaults/keys/decrypt/action"
+    The user-assigned identity you select is added to your NetApp account. Due to RBAC being customizable, the Azure portal doesn't configure access to the key vault. For more information, see [Using Azure RBAC secret, key, and certificate permissions with Key Vault](/azure/key-vault/general/rbac-guide#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault)
+
+    :::image type="content" source="./media/configure-customer-managed-keys/encryption-user-assigned.png" alt-text="Screenshot of user-assigned submenu." lightbox="./media/configure-customer-managed-keys/encryption-user-assigned.png":::
+
+1. Select **Save**.
+
+## Next steps
+
+* [Configure customer-managed keys](configure-customer-managed-keys.md)
+* [Security FAQs](faq-security.md)
diff --git a/articles/azure-netapp-files/configure-customer-managed-keys.md b/articles/azure-netapp-files/configure-customer-managed-keys.md
@@ -122,7 +122,7 @@ For more information about Azure Key Vault and Azure Private Endpoint, refer to:
     :::image type="content" source="./media/configure-customer-managed-keys/key-enter-uri.png" alt-text="Screenshot of the encryption menu showing key URI field." lightbox="./media/configure-customer-managed-keys/key-enter-uri.png":::
 
 1. Select the identity type that you want to use for authentication to the Azure Key Vault. If your Azure Key Vault is configured to use Vault access policy as its permission model, both options are available. Otherwise, only the user-assigned option is available.
-    * If you choose **System-assigned**, select the **Save** button. The Azure portal configures the NetApp account automatically with the following process: A system-assigned identity is added to your NetApp account. An access policy is to be created on your Azure Key Vault with key permissions Get, Encrypt, Decrypt.
+    * If you choose **System-assigned**, select the **Save** button. The Azure portal configures the NetApp account automatically by adding a system-assigned identity to your NetApp account. An access policy is also created on your Azure Key Vault with key permissions Get, Encrypt, Decrypt.
 
     :::image type="content" source="./media/configure-customer-managed-keys/encryption-system-assigned.png" alt-text="Screenshot of the encryption menu with system-assigned options." lightbox="./media/configure-customer-managed-keys/encryption-system-assigned.png":::
 
@@ -492,3 +492,4 @@ This section lists error messages and possible resolutions when Azure NetApp Fil
 ## Next steps
 
 * [Azure NetApp Files API](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/netapp/resource-manager/Microsoft.NetApp/stable/2019-11-01)
+* [Configure customer-managed keys with managed Hardware Security Module](configure-customer-managed-keys-hardware.md)
diff --git a/articles/azure-netapp-files/faq-security.md b/articles/azure-netapp-files/faq-security.md
@@ -5,7 +5,7 @@ ms.service: azure-netapp-files
 ms.topic: conceptual
 author: b-hchen
 ms.author: anfdocs
-ms.date: 06/15/2024
+ms.date: 08/07/2024
 ms.custom: references_regions
 ---
 # Security FAQs for Azure NetApp Files
@@ -20,7 +20,7 @@ NFSv3 protocol doesn't provide support for encryption, so this data-in-flight ca
 
 ## Can the storage be encrypted at rest?
 
-All Azure NetApp Files volumes are encrypted using the FIPS 140-2 standard. Learn [how encryption keys managed](#how-are-encryption-keys-managed).
+All Azure NetApp Files volumes are encrypted using the FIPS 140-2 standard. Learn [how encryption keys are managed](#how-are-encryption-keys-managed).
 
 ## Is Azure NetApp Files cross-region and cross-zone replication traffic encrypted?
 
@@ -34,7 +34,7 @@ Alternatively, [customer-managed keys for Azure NetApp Files volume encryption](
 
 Azure NetApp Files supports the ability to move existing volumes using platform-managed keys to customer-managed keys. Once you complete the transition, you cannot revert back to platform-managed keys. For additional information, see [Transition an Azure NetApp Files volume to customer-managed keys](configure-customer-managed-keys.md#transition).
 
-Also, customer-managed keys using Azure Dedicated HSM is supported on a controlled basis. Support is currently available in the East US, South Central US, West US 2, and US Gov Virginia regions. You can request access [with the Azure NetApp Files feedback form](https://aka.ms/ANFFeedback). As capacity becomes available, requests will be approved.
+<!-- Also, customer-managed keys using Azure Dedicated HSM is supported on a controlled basis. Support is currently available in the East US, South Central US, West US 2, and US Gov Virginia regions. You can request access [with the Azure NetApp Files feedback form](https://aka.ms/ANFFeedback). As capacity becomes available, requests will be approved. -->
 
 ## Can I configure the NFS export policy rules to control access to the Azure NetApp Files service mount target?
 
diff --git a/articles/azure-netapp-files/whats-new.md b/articles/azure-netapp-files/whats-new.md
@@ -6,7 +6,7 @@ author: b-hchen
 ms.service: azure-netapp-files
 ms.custom: linux-related-content
 ms.topic: overview
-ms.date: 07/30/2024
+ms.date: 08/07/2024
 ms.author: anfdocs
 ---
 
@@ -16,6 +16,10 @@ Azure NetApp Files is updated regularly. This article provides a summary about t
 
 ## August 2024
 
+* [Volume encryption with customer-managed keys with managed Hardware Security Module (HSM)](configure-customer-managed-keys-hardware.md) (Preview)
+
+    Volume encryption with customer-managed keys with managed HSM extends the [customer-managed keys](configure-customer-managed-keys.md), enabling you to store your keys in a more secure FIPS 140-2 Level 3 HSM service instead of the FIPS 140-2 Level 1 or 2 encryption offered with Azure Key Vault. 
+
 * [Volume enhancement: Azure NetApp Files now supports 50 GiB minimum volume sizes](azure-netapp-files-resource-limits.md) (preview)
 
     You can now create an Azure NetApp Files volume as small as 50 GiB--a reduction from the initial minimum size of 100 GiB. 50 GiB volumes save costs for workloads that require volumes smaller than 100 GiB, allowing you to appropriately size storage volumes.
diff --git a/articles/security/fundamentals/encryption-models.md b/articles/security/fundamentals/encryption-models.md
@@ -223,12 +223,12 @@ The Azure services that support each encryption model:
 | Data Lake Storage Gen2 | Yes | Yes, including Managed HSM | Yes |
 | Avere vFXT | Yes | - | - |
 | Azure Cache for Redis | Yes | Yes\*\*\*, including Managed HSM | - |
-| Azure NetApp Files | Yes | Yes | Yes |
+| Azure NetApp Files | Yes | Yes, including Managed HSM | Yes |
 | Archive Storage | Yes | Yes | - |
 | StorSimple | Yes | Yes | Yes |
 | Azure Backup | Yes | Yes, including Managed HSM | Yes |
 | Data Box | Yes | - | Yes |
-| Data Box Edge | Yes | Yes | - |
+| Azure Stack Edge | Yes | Yes | - |
 | **Other** | | | |
 | Azure Data Manager for Energy | Yes | Yes | Yes |
 
@@ -240,5 +240,5 @@ The Azure services that support each encryption model:
 
 ## Related content
 
-- [encryption is used in Azure](encryption-overview.md)
-- [double encryption](double-encryption.md)
+- [How encryption is used in Azure](encryption-overview.md)
+- [Double encryption](double-encryption.md)
