Commit 8c94c7a

fixed links
1 parent cc5ef25 commit 8c94c7a

1 file changed

+12
-12
lines changed

articles/mysql/flexible-server/concepts-customer-managed-key-mysql-flexible-server.md

Lines changed: 12 additions & 12 deletions
@@ -14,13 +14,13 @@ ms.topic: conceptual
1414

1515
With data encryption with customer-managed keys for Azure Database for MySQL - Flexible Server, you can bring your own key (BYOK) for data protection at rest and implement separation of duties for managing keys and data. With customer managed keys (CMKs), the customer is responsible for and in a full control of key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing operations on keys.
1616

17-
Data encryption with CMKs is set at the server level. For a given server, a CMK, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. The KEK is an asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault](/azure/key-vault/general/security-features.md) instance. Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Key Vault does not allow direct access to a stored key, but instead provides encryption/decryption services using the key to the authorized entities. The key can be generated by the key vault, imported, or[transferred to the key vault from an on-prem HSM device](/azure/key-vault/keys/hsm-protected-keys.md).
17+
Data encryption with CMKs is set at the server level. For a given server, a CMK, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. The KEK is an asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault instance](../../key-vault/general/security-features.md). Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Key Vault does not allow direct access to a stored key, but instead provides encryption/decryption services using the key to the authorized entities. The key can be generated by the key vault, imported, or [transferred to the key vault from an on-prem HSM device](../../key-vault/keys/hsm-protected-keys.md).
1818

1919
## Terminology and description
2020

2121
**Data encryption key (DEK)**: A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key.
2222

23-
**Key encryption key (KEK)**: An encryption key used to encrypt the DEKs. A KEK that never leaves Key Vault allows the DEKs themselves to be encrypted and controlled. The entity that has access to the KEK might be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK. The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see [Security in encryption at](/azure/security/fundamentals/encryption-atrest.md) rest.
23+
**Key encryption key (KEK)**: An encryption key used to encrypt the DEKs. A KEK that never leaves Key Vault allows the DEKs themselves to be encrypted and controlled. The entity that has access to the KEK might be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK. The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see [Security in encryption rest](../../security/fundamentals/encryption-atrest.md).
2424

2525
## Benefits
2626
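Review bot: On new line 23 the rewritten link text reads "Security in encryption rest"; the word "at" was lost when the stray "rest" was pulled inside the brackets. Suggest `[Security in encryption at rest](../../security/fundamentals/encryption-atrest.md)`. On new line 17 the link text now also covers the word "instance" ("Azure Key Vault instance") although the target is security-features.md; keeping the link on "Azure Key Vault" alone, as before, reads more accurately.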

@@ -33,7 +33,7 @@ Data encryption with customer-managed keys for Azure Database for MySQL Flexible
3333

3434
## How does data encryption with a customer-managed key work?
3535

36-
Managed identities in Azure Active Directory (Azure AD) provide Azure services an alternative to storing credentials in the code by provisioning an automatically-assigned identity that can be used to authenticate to any service supporting Azure AD authentication, such as Azure Key Vault (AKV). Azure Database for MySQL Flexible server currently supports only User-assigned Managed Identity (UMI). For more information, see [Managed identity types](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types.md) in Azure.
36+
Managed identities in Azure Active Directory (Azure AD) provide Azure services an alternative to storing credentials in the code by provisioning an automatically-assigned identity that can be used to authenticate to any service supporting Azure AD authentication, such as Azure Key Vault (AKV). Azure Database for MySQL Flexible server currently supports only User-assigned Managed Identity (UMI). For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
3737

3838
To configure the CMK for an Azure Azure Database for MySQL flexible server, you need to link the UMI to the server and specify the Azure Key vault and key to use. Note that the UMI must have the following access to key vault.
3939
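Review bot: The context line 38 still reads "an Azure Azure Database for MySQL flexible server"; since this commit is already touching the paragraph directly above, drop the duplicated "Azure" here as well. The anchor fix on new line 36 (`overview.md#managed-identity-types`) is the right form, and the same correction is needed wherever a `#fragment.md` link remains in this file.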

@@ -46,7 +46,7 @@ When you configure a flexible server to use a CMK stored in the key vault, the s
4646

4747
:::image type="content" source="media/customer-managed-key-mysql-flexible-server/mysql-customer-managed-key.jpg" alt-text="Diagram of how data encryption with a customer-managed key works.":::
4848

49-
After logging is enabled, auditors can use Azure Monitor to review Key Vault audit event logs. To [enable logging of Key Vault auditing events](/azure/key-vault/key-vault-insights-overview.md), see Monitoring your key vault service with Key Vault insights.
49+
After logging is enabled, auditors can use Azure Monitor to review Key Vault audit event logs. To enable logging of [Key Vault auditing events](../../key-vault/key-vault-insights-overview.md), see Monitoring your key vault service with Key Vault insights.
5050

5151
> [!Note]
5252
> Permission changes can take up to 10 minutes to impact the key vault. This includes revoking access permissions to the TDE protector in AKV, and users within this time frame may still have access permissions.
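Review bot: On new line 49 the link text "Key Vault auditing events" points at key-vault-insights-overview.md, while the sentence then tells the reader to see "Monitoring your key vault service with Key Vault insights" as plain, unlinked text. Put the link on the article name instead, for example: To enable logging of Key Vault auditing events, see `[Monitoring your key vault service with Key Vault insights](../../key-vault/key-vault-insights-overview.md)`. The note on line 52 also mentions the "TDE protector", a term this article does not define; the rest of the visible text speaks of the CMK or KEK.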
@@ -57,20 +57,20 @@ Before you attempt to configure Key Vault, be sure to address the following requ
5757

5858
- The Key Vault and Azure Database for MySQL flexible server must belong to the same Azure Active Directory (Azure AD) tenant. Cross-tenant Key Vault and flexible server interactions aren't supported. If you move Key Vault resources after performing the configuration, you’ll need to reconfigure data encryption.
5959
- The Key Vault and Azure Database for MySQL flexible server must reside in the same region.
60-
- Enable the [soft-delete](/azure/key-vault/general/soft-delete-overview) feature on the key vault with retention period set to 90 days to protect from data loss should an accidental key (or Key Vault) deletion occur. The recover and purge actions have their own permissions associated in a Key Vault access policy. The soft-delete feature is off by default, but you can enable it through the Azure Portal or by using PowerShell or the Azure CLI.
60+
- Enable the [soft-delete](../../key-vault/general/soft-delete-overview.md) feature on the key vault with retention period set to 90 days to protect from data loss should an accidental key (or Key Vault) deletion occur. The recover and purge actions have their own permissions associated in a Key Vault access policy. The soft-delete feature is off by default, but you can enable it through the Azure Portal or by using PowerShell or the Azure CLI.
6161
- Enable the [Purge Protection](/azure/key-vault/general/soft-delete-overview#purge-protection.md) feature on the key vault and set the retention period to 90 days. When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. You can enable this feature by using PowerShell or the Azure CLI, and only after you have enabled soft-delete.
6262

6363
Before you attempt to configure the CMK, be sure to address the following requirements.
6464

6565
- The customer-managed key to be used for encrypting the DEK can be only asymmetric, RSA 2048.
6666
- The key activation date (if set) must be a date and time in the past. The expiration date not set.
6767
- The key must be in the **Enabled** state.
68-
- The key must have [soft delete](/azure/key-vault/general/soft-delete-overview.md) with retention period set to 90 days. This implicitly sets the required key attribute recoveryLevel: “Recoverable”.
69-
- The key must have [purge protection enabled](/azure/key-vault/general/soft-delete-overview#purge-protection.md).
68+
- The key must have [soft delete](../../key-vault/general/soft-delete-overview.md) with retention period set to 90 days. This implicitly sets the required key attribute recoveryLevel: “Recoverable”.
69+
- The key must have [purge protection enabled](../../key-vault/general/soft-delete-overview#purge-protection.md).
7070
- If you're [importing an existing key](/rest/api/keyvault/keys/import-key/import-key.md) into the key vault, make sure to provide it in the supported file formats (.pfx, .byok, .backup)
7171

7272
> [!Note]
73-
> For detailed, step-by-step instructions about how to configure date encryption for an Azure Database for MySQL flexible server via the Azure portal, see [Configure data encryption for MySQL Flexible server](/azure/mysql/single-server/how-to-data-encryption-portal.md).
73+
> For detailed, step-by-step instructions about how to configure date encryption for an Azure Database for MySQL flexible server via the Azure portal, see [Configure data encryption for MySQL Flexible server](../single-server/how-to-data-encryption-portal.md).
7474
7575
## Recommendations for configuring data encryption
7676
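Review bot: On new line 69 the link `../../key-vault/general/soft-delete-overview#purge-protection.md` still has `.md` after the fragment; it should be `../../key-vault/general/soft-delete-overview.md#purge-protection`, the same correction this commit applies to the managed identity link. The unchanged Purge Protection link on line 61 has the same `#purge-protection.md` form and was left as an absolute `/azure/...` path, so it should be converted too. On new line 73 the text says "date encryption" where "data encryption" is meant, and the link for a flexible server how-to resolves to `../single-server/how-to-data-encryption-portal.md`; confirm that the single-server article is the intended target.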

@@ -85,8 +85,8 @@ As you configure Key Vault to use data encryption by using a customer-managed ke
8585

8686
When you configure data encryption with a CMK in Key Vault, continuous access to this key is required for the server to stay online. If the flexible server loses access to the customer-managed key in Key Vault, the server begins denying all connections within 10 minutes. The flexible server issues a corresponding error message and changes the server state to Inaccessible. The server can reach this state for a variety of reasons.
8787

88-
- If you delete the KeyVault, the Azure Database for MySQL Flexible server will be unable to access the key and will move to _Inaccessible_ state. Recover the [Key Vault](/azure/key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the Flexible server _Available_.
89-
- If we delete the key from the KeyVault, the Azure Database for MySQL Flexible server will be unable to access the key and will move to _Inaccessible_ state. Recover the [Key](/azure/key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the Flexible server _Available_.
88+
- If you delete the KeyVault, the Azure Database for MySQL Flexible server will be unable to access the key and will move to _Inaccessible_ state. Recover the [Key Vault](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the Flexible server _Available_.
89+
- If we delete the key from the KeyVault, the Azure Database for MySQL Flexible server will be unable to access the key and will move to _Inaccessible_ state. Recover the [Key](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the Flexible server _Available_.
9090
- If the key stored in the Azure KeyVault expires, the key will become invalid, and the Azure Database for MySQL Flexible server will transition into _Inaccessible_ state. Extend the key expiry date using [CLI](/cli/azure/keyvault/key#az-keyvault-key-set-attributes.md) and then revalidate the data encryption to make the Flexible server _Available_.
9191

9292
## Accidental key access revocation from Key Vault
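Review bot: The context line 90 keeps `/cli/azure/keyvault/key#az-keyvault-key-set-attributes.md`, with `.md` placed after the fragment, so the anchor is malformed; fix it in this commit along with the other links. On new line 89, "If we delete the key" should match the "If you delete" wording of line 88, and its link text "Key" points to the same key-vault-recovery.md target as "Key Vault" on line 88, which is worth confirming as intended.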
@@ -103,8 +103,8 @@ It might happen that someone with sufficient access rights to Key Vault accident
103103

104104
To monitor the database state, and to enable alerting for the loss of transparent data encryption protector access, configure the following Azure features:
105105

106-
- [Activity log](/azure/service-health/alerts-activity-log-service-notifications-portal): When access to the Customer Key in the customer-managed Key Vault fails, entries are added to the activity log. You can reinstate access as soon as possible if you create alerts for these events.
107-
- [Action groups](/azure/azure-monitor/alerts/action-groups): Define these groups to send you notifications and alerts based on your preferences.
106+
- [Activity log](../../service-health/alerts-activity-log-service-notifications-portal.md): When access to the Customer Key in the customer-managed Key Vault fails, entries are added to the activity log. You can reinstate access as soon as possible if you create alerts for these events.
107+
- [Action groups](../../azure-monitor/alerts/action-groups.md): Define these groups to send you notifications and alerts based on your preferences.
108108

109109
## Replica with a customer managed key in Key Vault
110110
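Review bot: The context line 104 describes alerting for "the loss of transparent data encryption protector access", terminology the rest of this article does not use for the MySQL flexible server (it speaks of the customer-managed key or KEK); consider rewording to "loss of access to the customer-managed key" while the bullets below are being edited. The two link changes on new lines 106 and 107 look correct: relative paths with the `.md` extension added.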
