|
| 1 | +--- |
| 2 | +title: Configure customer-managed-keys using the Azure portal |
| 3 | +description: This article describes how to configure customer-managed keys encryption on your data in Azure Data Explorer. |
| 4 | +author: orspod |
| 5 | +ms.author: orspodek |
| 6 | +ms.reviewer: itsagui |
| 7 | +ms.service: data-explorer |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 03/17/2020 |
| 10 | +--- |
| 11 | + |
| 12 | +# Configure customer-managed-keys using the Azure Portal |
| 13 | + |
| 14 | +> [!div class="op_single_selector"] |
| 15 | +> * [Portal](customer-managed-keys-portal.md) |
| 16 | +> * [C#](customer-managed-keys-csharp.md) |
| 17 | +> * [Azure Resource Manager template](customer-managed-keys-resource-manager.md) |
| 18 | +
|
| 19 | +[!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)] |
| 20 | + |
| 21 | +## Configure encryption with customer-managed keys |
| 22 | + |
| 23 | +This section shows you how to configure customer-managed keys encryption using the Azure portal. |
| 24 | + |
| 25 | +### Prerequisites |
| 26 | + |
| 27 | +* An Azure subscription. Create a [free Azure account](https://azure.microsoft.com/free/). |
| 28 | +* [A cluster and database](create-cluster-database-portal.md). |
| 29 | +* [Configure managed identities for your Azure Data Explorer cluster](managed-identities.md) |
| 30 | + |
| 31 | +### Authentication |
| 32 | +\\Needed? |
| 33 | + |
| 34 | +To run the examples in this article, [create an Azure AD application](/azure/active-directory/develop/howto-create-service-principal-portal) and service principal that can access resources. You can add role assignment at the subscription scope and get the required `Directory (tenant) ID`, `Application ID`, and `Client Secret`. |
| 35 | + |
| 36 | +### Configure cluster |
| 37 | + |
| 38 | +By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster. |
| 39 | + |
| 40 | +Configure encryption with customer-managed keys |
| 41 | + |
| 42 | +You can configure customer-managed keys for your Azure Data Explorer cluster. |
| 43 | +1. In the Azure portal, go to your Azure Data Explorer cluster resource. Under the Settings heading, select Encryption. |
| 44 | +2. In the Encryption window, select **On** for the Customer-managed key setting. |
| 45 | +3. Click Select Key |
| 46 | +ToDo\\ screenshot |
| 47 | +4. In the **Select key from Azure Key Vault** screen you can either create a new Key Vault or select an existing one. |
| 48 | + 1. If you choose to create a new Key Vault you'll be routed to the **Create Key Vault** screen where you can create a new Key Vault resource following these instructions. (link to create a key vault) |
| 49 | + 2. If you choose an existing Key Vault you need to either create a new key select an existing key. |
| 50 | + 3. Once you have a key you need to select a version. |
| 51 | +5. Either select **Key** or **create new** ?from Azure Key Vault screen. |
| 52 | +1. Select **Version**. |
| 53 | +1. Click **Select** |
| 54 | +6. Select Save. |
| 55 | + |
| 56 | +## screenshot |
| 57 | + |
| 58 | +By enabling customer-managed key for your Azure Data Explorer cluster behind the scenes you'll be creating a system assigned identity for the cluster if it does not have one. |
| 59 | +In addition you'll be providing the required view permissions to Azure Data Explorer cluster on the selected Key Vault and get the Key Vault properties. (see c# doc) |
| 60 | +(3 steps done as part of process) |
| 61 | + |
| 62 | +when CMK creation succeeds, get success message in notification. |
| 63 | + |
| 64 | +Note |
| 65 | +Select **Off** to remove the customer managed key after it has been created. |
| 66 | + |
| 67 | +## Update the key version |
| 68 | + |
| 69 | +When you create a new version of a key, you'll need to update the cluster to use the new version. First, call `Get-AzKeyVaultKey` to get the latest version of the key. Then update the cluster's key vault properties to use the new version of the key, as shown in [Configure cluster](#configure-cluster). |
| 70 | + |
| 71 | +## Next steps |
| 72 | + |
| 73 | +* [Secure Azure Data Explorer clusters in Azure](security.md) |
| 74 | +* [Secure your cluster in Azure Data Explorer - Azure portal](manage-cluster-security.md) by enabling encryption at rest. |
| 75 | +* [Configure customer-managed-keys using the Azure Resource Manager template](customer-managed-keys-resource-manager.md) |
| 76 | +* [Configure customer-managed-keys using C#](customer-managed-keys-csharp.md) |
| 77 | + |
| 78 | + |
| 79 | + |
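Review bot: The Authentication section (file lines 31-34) still carries the draft marker `\\Needed?` and tells the reader to create a service principal with a `Client Secret` and a role assignment at subscription scope, yet none of the portal steps that follow use those credentials. Drop the section, or if it stays, say which step needs it and scope the role assignment to the resources involved rather than the whole subscription.

Other draft residue should go before merge: `ToDo\\ screenshot` (line 46), the `## screenshot` heading (line 55), "(link to create a key vault)" (line 48), and "(see c# doc)" and "(3 steps done as part of process)" (lines 59-60). The numbered procedure is also inconsistent: step 5 (line 51, with a stray "?") repeats what the sub-steps of step 4 already cover, lines 52-53 restart at "1.", and line 49 is missing "or" in "create a new key select an existing key".

Lines 58-59 say that enabling the setting creates a system-assigned identity and grants the cluster permissions on the selected Key Vault. Because this changes the vault's access configuration as a side effect, name the exact permissions granted so a vault owner can audit them. In "Update the key version" (line 69), the text calls `Get-AzKeyVaultKey` in a portal article and links back to Configure cluster, whose steps do not describe re-selecting a version; describe the portal path, and state explicitly that the cluster keeps using the old key version until it is updated.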