Commit 88e0e86

Merge pull request #258738 from SudheeshGH/docs-editor/concepts-customer-managed-key-1700111692
Update concepts-customer-managed-key.md
2 parents efa90cd + bab96e7 commit 88e0e86

1 file changed: +3 -3 lines changed

articles/mysql/flexible-server/concepts-customer-managed-key.md

Lines changed: 3 additions & 3 deletions
@@ -68,7 +68,7 @@ Before you attempt to configure Key Vault, be sure to address the following requ
6868

6969
Before you attempt to configure the CMK, be sure to address the following requirements.
7070

71-
- The customer-managed key to encrypt the DEK can be only asymmetric, RSA 2048.
71+
- The customer-managed key to encrypt the DEK can be only asymmetric, RSA 2048,3072 or 4096.
7272
- The key activation date (if set) must be a date and time in the past. The expiration date not set.
7373
- The key must be in the **Enabled** state.
7474
- The key must have [soft delete](../../key-vault/general/soft-delete-overview.md) with retention period set to 90 days. This implicitly sets the required key attribute recoveryLevel: “Recoverable.”
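
Review bot: On the added line 71 the key sizes run together as "RSA 2048,3072 or 4096", with no space after the first comma and no unit. Suggest "RSA 2048, 3072, or 4096" and consider naming the unit so the list reads as key sizes. The sentence still says the key "can be only asymmetric", which would read more clearly as "must be asymmetric", and the following context line, "The expiration date not set.", is missing a verb and could be fixed in the same pass.
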
@@ -87,9 +87,9 @@ As you configure Key Vault to use data encryption using a customer-managed key,
8787
- Keep a copy of the customer-managed key in a secure place or escrow it to the escrow service.
8888
- If Key Vault generates the key, create a key backup before using the key for the first time. You can only restore the backup to Key Vault. For more information about the backup command, see [Backup-AzKeyVaultKey](/powershell/module/az.keyVault/backup-azkeyVaultkey).
8989

90-
> [!NOTE]
90+
> [!NOTE]
9191
> It is advised to use a key vault from the same region, but if necessary, you can use a key vault from another region by specifying the "enter key identifier" information.
92-
92+
> RSA key stored in **Azure Key Vault Managed HSM**, is currently not supported.
9393
## Inaccessible customer-managed key condition
9494

9595
When you configure data encryption with a CMK in Key Vault, continuous access to this key is required for the server to stay online. If the flexible server loses access to the customer-managed key in Key Vault, the server begins denying all connections within 10 minutes. The flexible server issues a corresponding error message and changes the server state to Inaccessible. The server can reach this state for various reasons.
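
Review bot: On the added line 92, the comma in "RSA key stored in **Azure Key Vault Managed HSM**, is currently not supported." separates the subject from its verb; suggest "RSA keys stored in **Azure Key Vault Managed HSM** are currently not supported." The line also takes the place of the empty line 92, so the note now runs straight into the "## Inaccessible customer-managed key condition" heading on 93 with no blank line between them, and it sits directly under the cross-region sentence on 91, where the two statements will render as one paragraph. Keep a blank line before the heading and separate the two statements inside the note. The change to line 90 ("> [!NOTE]") shows no visible difference, so it looks like whitespace only and is worth confirming as intended.
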
