Commit 8f721f5

Merge pull request #267611 from flang-msft/fxl---Remove-(Preview)-tags-from-CMK-article-and-add-a-what's-new-section
Fxl remove (preview) tags from cmk article and add a what's new section
2 parents 2d7d6f1 + 733f2da commit 8f721f5

4 files changed

+24
-19
lines changed

articles/azure-cache-for-redis/cache-how-to-encryption.md

Lines changed: 15 additions & 16 deletions
@@ -5,7 +5,7 @@ author: flang-msft
55

66
ms.service: cache
77
ms.topic: how-to
8-
ms.date: 03/28/2023
8+
ms.date: 02/28/2024
99
ms.author: franlanglois
1010

1111
---
@@ -16,7 +16,6 @@ Data in a Redis server is stored in memory by default. This data isn't encrypted
1616

1717
Azure Cache for Redis offers platform-managed keys (PMKs), also know as Microsoft-managed keys (MMKs), by default to encrypt data on-disk in all tiers. The Enterprise and Enterprise Flash tiers of Azure Cache for Redis additionally offer the ability to encrypt the OS and data persistence disks with a customer-managed key (CMK). Customer managed keys can be used to wrap the MMKs to control access to these keys. This makes the CMK a _key encryption key_ or KEK. For more information, see [key management in Azure](/azure/security/fundamentals/key-management).
1818

19-
2019
## Scope of availability for CMK disk encryption
2120

2221
| Tier | Basic, Standard, Premium | Enterprise, Enterprise Flash |
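Review bot: The unchanged intro paragraph in this hunk still reads "also know as Microsoft-managed keys (MMKs)"; since the article is being edited for GA anyway, correct it to "also known as". The same paragraph uses both "customer-managed key (CMK)" and "Customer managed keys"; the portal label quoted later in the article is **Customer-managed key encryption at rest**, so the hyphenated form should be used throughout.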
@@ -25,7 +24,7 @@ Azure Cache for Redis offers platform-managed keys (PMKs), also know as Microsof
2524
|Customer managed keys (CMK) | No | Yes |
2625

2726
> [!WARNING]
28-
> By default, all Azure Cache for Redis tiers use Microsoft managed keys to encrypt disks mounted to cache instances. However, in the Basic and Standard tiers, the C0 and C1 SKUs do not support any disk encryption.
27+
> By default, all Azure Cache for Redis tiers use Microsoft managed keys to encrypt disks mounted to cache instances. However, in the Basic and Standard tiers, the C0 and C1 SKUs do not support any disk encryption.
2928
>
3029
3130
> [!IMPORTANT]
@@ -38,13 +37,13 @@ Azure Cache for Redis offers platform-managed keys (PMKs), also know as Microsof
3837

3938
In the **Enterprise** tier, disk encryption is used to encrypt the persistence disk, temporary files, and the OS disk:
4039

41-
- persistence disk: holds persisted RDB or AOF files as part of [data persistence](cache-how-to-premium-persistence.md)
40+
- persistence disk: holds persisted RDB or AOF files as part of [data persistence](cache-how-to-premium-persistence.md)
4241
- temporary files used in _export_: temporary data used exported is encrypted. When you [export](cache-how-to-import-export-data.md) data, the encryption of the final exported data is controlled by settings in the storage account.
43-
- the OS disk
42+
- the OS disk
4443

4544
MMK is used to encrypt these disks by default, but CMK can also be used.
4645

47-
In the **Enterprise Flash** tier, keys and values are also partially stored on-disk using nonvolatile memory express (NVMe) flash storage. However, this disk isn't the same as the one used for persisted data. Instead, it's ephemeral, and data isn't persisted after the cache is stopped, deallocated, or rebooted. only MMK is only supported on this disk because this data is transient and ephemeral.
46+
In the **Enterprise Flash** tier, keys and values are also partially stored on-disk using nonvolatile memory express (NVMe) flash storage. However, this disk isn't the same as the one used for persisted data. Instead, it's ephemeral, and data isn't persisted after the cache is stopped, deallocated, or rebooted. MMK is only supported on this disk because this data is transient and ephemeral.
4847

4948
| Data stored |Disk |Encryption Options |
5049
|-------------------|------------------|-------------------|
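Review bot: In the Enterprise Flash paragraph, the reworded sentence "MMK is only supported on this disk" reads as if MMK were unavailable on the other disks, which conflicts with "MMK is used to encrypt these disks by default" just above it. The removed wording suggests the intent is a limit on this disk, so write "Only MMK is supported on this disk" to make clear that the NVMe flash disk is outside CMK coverage. "Transient and ephemeral" says the same thing twice, and the context bullet "temporary data used exported is encrypted" is garbled; both are worth fixing in the same pass.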
@@ -62,7 +61,7 @@ In the **Basic, Standard, and Premium** tiers, the OS disk is encrypted by defau
6261

6362
- Disk encryption isn't available in the Basic and Standard tiers for the C0 or C1 SKUs
6463
- Only user assigned managed identity is supported to connect to Azure Key Vault. System assigned managed identity is not supported.
65-
- Changing between MMK and CMK on an existing cache instance triggers a long-running maintenance operation. We don't recommend this for production use because a service disruption occurs.
64+
- Changing between MMK and CMK on an existing cache instance triggers a long-running maintenance operation. We don't recommend this for production use because a service disruption occurs.
6665

6766
### Azure Key Vault prerequisites and limitations
6867

@@ -78,17 +77,17 @@ In the **Basic, Standard, and Premium** tiers, the OS disk is encrypted by defau
7877

7978
1. Sign in to the [Azure portal](https://portal.azure.com) and start the [Create a Redis Enterprise cache](quickstart-create-redis-enterprise.md) quickstart guide.
8079

81-
1. On the **Advanced** page, go to the section titled **Customer-managed key encryption at rest** and enable the **Use a customer-managed key** option.
80+
1. On the **Advanced** page, go to the section titled **Customer-managed key encryption at rest** and enable the **Use a customer-managed key** option.
8281

8382
:::image type="content" source="media/cache-how-to-encryption/cache-use-key-encryption.png" alt-text="Screenshot of the advanced settings with customer-managed key encryption checked and in a red box.":::
8483

8584
1. Select **Add** to assign a [user assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) to the resource. This managed identity is used to connect to the [Azure Key Vault](../key-vault/general/overview.md) instance that holds the customer managed key.
8685

8786
:::image type="content" source="media/cache-how-to-encryption/cache-managed-identity-user-assigned.png" alt-text="Screenshot showing user managed identity in the working pane.":::
8887

89-
1. Select your chosen user assigned managed identity, and then choose the key input method to use.
88+
1. Select your chosen user assigned managed identity, and then choose the key input method to use.
9089

91-
1. If using the **Select Azure key vault and key** input method, choose the Key Vault instance that holds your customer managed key. This instance must be in the same region as your cache.
90+
1. If using the **Select Azure key vault and key** input method, choose the Key Vault instance that holds your customer managed key. This instance must be in the same region as your cache.
9291

9392
> [!NOTE]
9493
> For instructions on how to set up an Azure Key Vault instance, see the [Azure Key Vault quickstart guide](../key-vault/secrets/quick-create-portal.md). You can also select the _Create a key vault_ link beneath the Key Vault selection to create a new Key Vault instance. Remember that both purge protection and soft delete must be enabled in your Key Vault instance.
@@ -103,25 +102,25 @@ In the **Basic, Standard, and Premium** tiers, the OS disk is encrypted by defau
103102

104103
### Add CMK encryption to an existing Enterprise cache
105104

106-
1. Go to the **Encryption** in the Resource menu of your cache instance. If CMK is already set up, you see the key information.
105+
1. Go to the **Encryption** in the Resource menu of your cache instance. If CMK is already set up, you see the key information.
107106

108-
1. If you haven't set up or if you want to change CMK settings, select **Change encryption settings**
107+
1. If you haven't set up or if you want to change CMK settings, select **Change encryption settings**
109108
:::image type="content" source="media/cache-how-to-encryption/cache-encryption-existing-use.png" alt-text="Screenshot encryption selected in the Resource menu for an Enterprise tier cache.":::
110109

111-
1. Select **Use a customer-managed key** to see your configuration options.
110+
1. Select **Use a customer-managed key** to see your configuration options.
112111

113112
1. Select **Add** to assign a [user assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) to the resource. This managed identity is used to connect to the [Azure Key Vault](../key-vault/general/overview.md) instance that holds the customer managed key.
114113

115-
1. Select your chosen user assigned managed identity, and then choose which key input method to use.
114+
1. Select your chosen user assigned managed identity, and then choose which key input method to use.
116115

117-
1. If using the **Select Azure key vault and key** input method, choose the Key Vault instance that holds your customer managed key. This instance must be in the same region as your cache.
116+
1. If using the **Select Azure key vault and key** input method, choose the Key Vault instance that holds your customer managed key. This instance must be in the same region as your cache.
118117

119118
> [!NOTE]
120119
> For instructions on how to set up an Azure Key Vault instance, see the [Azure Key Vault quickstart guide](../key-vault/secrets/quick-create-portal.md). You can also select the _Create a key vault_ link beneath the Key Vault selection to create a new Key Vault instance.
121120
122121
1. Choose the specific key using the **Customer-managed key (RSA)** drop-down. If there are multiple versions of the key to choose from, use the **Version** drop-down.
123122
:::image type="content" source="media/cache-how-to-encryption/cache-encryption-existing-key.png" alt-text="Screenshot showing the select identity and key fields completed for Encryption.":::
124-
123+
125124
1. If using the **URI** input method, enter the Key Identifier URI for your chosen key from Azure Key Vault.
126125

127126
1. Select **Save**
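Review bot: The NOTE under the Key Vault step of this existing-cache procedure stops at "create a new Key Vault instance." and omits the sentence that the matching NOTE in the new-cache procedure carries: "Remember that both purge protection and soft delete must be enabled in your Key Vault instance." Add it here as well, so a reader who follows only this procedure sees the same Key Vault requirement. Two wording points in the touched steps: step 1 reads "Go to the **Encryption** in the Resource menu", and step 2 has no object after "set up" and no closing period after **Change encryption settings**.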

articles/azure-cache-for-redis/cache-whats-new.md

Lines changed: 9 additions & 3 deletions
@@ -7,15 +7,21 @@ ms.custom: references_regions
77
ms.author: franlanglois
88
ms.service: cache
99
ms.topic: conceptual
10-
ms.date: 01/23/2024
10+
ms.date: 02/28/2024
1111

1212
---
1313

1414
# What's New in Azure Cache for Redis
1515

16+
## February 2024
17+
18+
Support for using customer managed keys for disk (CMK) encryption has now reached General Availability (GA).
19+
20+
For more information, see [How to configure CMK encryption on Enterprise caches](cache-how-to-encryption.md#how-to-configure-cmk-encryption-on-enterprise-caches).
21+
1622
## January 2024
1723

18-
All tiers of Azure Cache for Redis now support TLS 1.3.
24+
All tiers of Azure Cache for Redis now support TLS 1.3.
1925

2026
For more information, see [What are the configuration settings for the TLS protocol?](cache-tls-configuration.md).
2127

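Review bot: In the new February 2024 entry, "customer managed keys for disk (CMK) encryption" attaches the acronym to "disk"; write "customer-managed keys (CMK) for disk encryption". The entry also does not say which tiers it covers, while cache-how-to-encryption.md in this same commit limits CMK to the Enterprise and Enterprise Flash tiers; name them here, the way the January 2024 entry says "All tiers". Please also confirm that the `#how-to-configure-cmk-encryption-on-enterprise-caches` anchor resolves, since that heading is not among the lines shown in this diff.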
@@ -54,7 +60,7 @@ Microsoft Entra ID for authentication and role-based access control is available
5460

5561
### Microsoft Entra ID authentication and authorization (preview)
5662

57-
Microsoft Entra ID based [authentication and authorization](cache-azure-active-directory-for-authentication.md) is now available for public preview with Azure Cache for Redis. With this Microsft Entra ID integration, users can connect to their cache instance without an access key and use [role-based access control](cache-configure-role-based-access-control.md) to connect to their cache instance.
63+
Microsoft Entra ID based [authentication and authorization](cache-azure-active-directory-for-authentication.md) is now available for public preview with Azure Cache for Redis. With this Microsoft Entra ID integration, users can connect to their cache instance without an access key and use [role-based access control](cache-configure-role-based-access-control.md) to connect to their cache instance.
5864

5965
This feature is available for Azure Cache for Redis Basic, Standard, and Premium SKUs. With this update, customers can look forward to increased security and a simplified authentication process when using Azure Cache for Redis.
6066

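Review bot: The corrected sentence in the Microsoft Entra ID paragraph still says "connect to their cache instance" twice: "users can connect to their cache instance without an access key and use [role-based access control] to connect to their cache instance". Since the line is already being edited for the "Microsft" typo, drop or reword the second occurrence so the sentence is not circular.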
-1.17 KB
-1.04 KB