articles/cosmos-db/postgresql/how-to-customer-managed-keys.md
Lines changed: 9 additions & 9 deletions
@@ -48,13 +48,13 @@ ms.date: 04/06/2023
48
48
49
49
Learn more about [User Assigned Managed Identity.](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).
50
50
51
-
1.### Key Vault
51
+
### Key Vault
52
52
53
53
Using customer-managed keys with Azure Cosmos DB for PostgreSQL requires you to set two properties on the Azure Key Vault instance that you plan to use to host your encryption keys: Soft Delete and Purge Protection.
54
54
55
55
1. If you create a new Azure Key Vault instance, enable these properties during creation:
56
56
57
-

57
+
[](media/how-to-customer-managed-keys/key-vault-soft-delete.png#lightbox)
58
58
59
59
1. If you're using an existing Azure Key Vault instance, you can verify that these properties are enabled by looking at the Properties section on the Azure portal. If any of these properties aren’t enabled, see the "Enabling soft delete" and "Enabling Purge Protection" sections in one of the following articles.
60
60
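Review bot: The replacement image line `[](media/how-to-customer-managed-keys/key-vault-soft-delete.png#lightbox)` shows empty square brackets here, so no alt text is visible for the Soft Delete / Purge Protection screenshot; confirm the source line carries descriptive alt text so the accessibility check on this docs set does not fail. The `1.### Key Vault` to `### Key Vault` change is correct: it removes the stray numbered-list prefix that was fused onto the heading.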
@@ -66,29 +66,29 @@ ms.date: 04/06/2023
66
66
> [!IMPORTANT]
67
67
> Your Azure Key Vault instance must be allow public access from all the networks.
68
68
69
-
1.### Add an Access Policy to the Key Vault
69
+
### Add an Access Policy to the Key Vault
70
70
71
71
1. From the Azure portal, go to the Azure Key Vault instance that you plan to use to host your encryption keys. Select Access configuration from the left menu and then select Go to access policies.
72
72
73
-

73
+
[](media/how-to-customer-managed-keys/access-policy.png#lightbox)
74
74
75
75
1. Select + Create.
76
76
77
77
1. In the Permissions Tab under the Key permissions drop-down menu, select Get, Unwrap Key, and Wrap Key permissions.
78
78
79
-

79
+
[] (media/how-to-customer-managed-keys/access-policy-permissions.png#lightbox)
80
80
81
81
1. In the Principal Tab, select the User Assigned Managed Identity you had created in prerequisite step.
82
82
83
83
1. Navigate to Review + create select Create.
84
84
85
-
1.### Create / Import Key
85
+
### Create / Import Key
86
86
87
87
1. From the Azure portal, go to the Azure Key Vault instance that you plan to use to host your encryption keys.
88
88
89
89
1. Select Keys from the left menu and then select +Generate/Import.
90
90
91
-

91
+
[](media/how-to-customer-managed-keys/create-key.png#lightbox)
92
92
93
93
1. The customer-managed key to be used for encrypting the DEK can only be asymmetric RSA Key type. All RSA Key sizes 2048, 3072 and 4096 are supported.
94
94
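Review bot: The replaced image line `[] (media/how-to-customer-managed-keys/access-policy-permissions.png#lightbox)` has a space between `[]` and `(`, which breaks Markdown link/image syntax, so the Key permissions screenshot will render as literal text; remove the space to match the other image lines in this change. Also, the IMPORTANT callout in this hunk's unchanged context reads "must be allow public access from all the networks"; suggest "must allow public access from all networks", since readers act on this network-exposure requirement and the wording should be unambiguous. The two heading fixes (`1.### ...` to `### ...`) are consistent with the one in the first hunk.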
@@ -105,7 +105,7 @@ ms.date: 04/06/2023
105
105
# [Portal](#tab/portal)
106
106
107
107
1. During the provisioning of a new Cosmos DB for PostgreSQL cluster, after providing the necessary information under Basics and Networking Tab, Navigate to the Encryption (Preview) Tab.
108
-

108
+
[](media/how-to-customer-managed-keys/encryption-tab.png#lightbox)
109
109
110
110
1. Select Customer Managed Key under Data encryption key option.
111
111
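Review bot: Minor style point on the unchanged context line in this hunk: "after providing the necessary information under Basics and Networking Tab, Navigate to the Encryption (Preview) Tab" capitalizes "Navigate" mid-sentence; lowercase it while this file is being touched. The restored encryption-tab.png image line follows the same `[](...#lightbox)` form as the rest of the change and is fine provided the alt text is present in source.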
@@ -254,7 +254,7 @@ Encryption configuration can be changed from service managed encryption to CMK e
254
254
# [Portal](#tab/portal)
255
255
256
256
1. Navigate to the Data Encryption blade, and select Initiate restore operation. Alternatively, you can perform PITR by selecting the Restore option in the overview blade.
257
-

257
+
[](media/how-to-customer-managed-keys/point-in-time-restore.png#lightbox)
258
258
259
259
1. You can change/configure the Data Encryption from the Encryption(preview) Tab.
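Review bot: The context line "You can change/configure the Data Encryption from the Encryption(preview) Tab" is missing the space before "(preview)" and uses lowercase "preview", whereas the tab is called "Encryption (Preview)" earlier in this file; align the naming so readers can find the tab. The point-in-time-restore.png image line is consistent with the other image fixes in this change.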