Merge pull request #108571 from orspod/2020-3-1-CMK-updates

CMK portal

Author: shawnmariejones

articles/data-explorer/customer-managed-keys-csharp.md

@@ -12,11 +12,14 @@ ms.date: 01/06/2020
 # Configure customer-managed-keys using C#
 
 > [!div class="op_single_selector"]
+> * [Portal](customer-managed-keys-portal.md)
 > * [C#](customer-managed-keys-csharp.md)
 > * [Azure Resource Manager template](customer-managed-keys-resource-manager.md)
 
 [!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
 
+[!INCLUDE [data-explorer-configure-customer-managed-keys part 2](../../includes/data-explorer-configure-customer-managed-keys-b.md)]
+
 ## Configure encryption with customer-managed keys
 
 This section shows you how to configure customer-managed keys encryption using the Azure Data Explorer C# client. 

articles/data-explorer/customer-managed-keys-portal.md

@@ -0,0 +1,57 @@
+---
+title: Configure customer-managed-keys using the Azure portal
+description: This article describes how to configure customer-managed keys encryption on your data in Azure Data Explorer.
+author: orspod
+ms.author: orspodek
+ms.reviewer: itsagui
+ms.service: data-explorer
+ms.topic: conceptual
+ms.date: 03/26/2020
+---
+
+# Configure customer-managed keys using the Azure portal
+
+> [!div class="op_single_selector"]
+> * [Portal](customer-managed-keys-portal.md)
+> * [C#](customer-managed-keys-csharp.md)
+> * [Azure Resource Manager template](customer-managed-keys-resource-manager.md)
+
+[!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
+
+## Enable encryption with customer-managed keys in the Azure portal
+
+This article shows you how to enable customer-managed keys encryption using the Azure portal. By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.
+
+1. In the [Azure portal](https://portal.azure.com/), go to your [Azure Data Explorer cluster](create-cluster-database-portal.md#create-a-cluster) resource. 
+1. Select **Settings** > **Encryption** in left pane of portal.
+1. In the **Encryption** pane, select **On** for the **Customer-managed key** setting.
+1. Click **Select Key**.
+
+    ![Configure customer-managed keys](media/customer-managed-keys-portal/cmk-encryption-setting.png)
+
+1. In the **Select key from Azure Key Vault** window, select an existing **Key vault** from the dropdown list. If you select **Create new** to [create a new Key Vault](/azure/key-vault/quick-create-portal#create-a-vault), you'll be routed to the **Create Key Vault** screen.
+
+1. Select **Key**.
+1. Select **Version**.
+1. Click **Select**.
+
+    ![Select key from Azure Key Vault](media/customer-managed-keys-portal/cmk-key-vault.png)
+
+1. In the **Encryption** pane that now contains your key, select **Save**. When CMK creation succeeds, you'll see a success message in **Notifications**.
+
+    ![Save customer-managed key](media/customer-managed-keys-portal/cmk-encryption-setting.png)
+
+By enabling customer-managed keys for your Azure Data Explorer cluster, you'll be creating a system assigned identity for the cluster if one doesn't exist. In addition, you'll be providing the required view permissions to your Azure Data Explorer cluster on the selected Key Vault and get the Key Vault properties. 
+
+> [!NOTE]
+> Select **Off** to remove the customer-managed key after it has been created.
+
+## Next steps
+
+* [Secure Azure Data Explorer clusters in Azure](security.md)
+* [Secure your cluster in Azure Data Explorer - Azure portal](manage-cluster-security.md) by enabling encryption at rest.
+* [Configure customer-managed-keys using the Azure Resource Manager template](customer-managed-keys-resource-manager.md)
+* [Configure customer-managed-keys using C#](customer-managed-keys-csharp.md)
+
+
+

articles/data-explorer/customer-managed-keys-resource-manager.md

@@ -12,11 +12,14 @@ ms.date: 01/06/2020
 # Configure customer-managed-keys using the Azure Resource Manager template
 
 > [!div class="op_single_selector"]
+> * [Portal](customer-managed-keys-portal.md)
 > * [C#](customer-managed-keys-csharp.md)
 > * [Azure Resource Manager template](customer-managed-keys-resource-manager.md)
 
 [!INCLUDE [data-explorer-configure-customer-managed-keys](../../includes/data-explorer-configure-customer-managed-keys.md)]
 
+[!INCLUDE [data-explorer-configure-customer-managed-keys part 2](../../includes/data-explorer-configure-customer-managed-keys-b.md)]
+
 ## Configure encryption with customer-managed keys
 
 In this section, you configure customer-managed keys using Azure Resource Manager templates. By default, Azure Data Explorer encryption uses Microsoft-managed keys. In this step, configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.

articles/data-explorer/media/customer-managed-keys-portal/cmk-before-save.png

@@ -182,6 +182,8 @@
       href: managed-identities.md
     - name: Configure customer-managed-keys
       items:
+        - name: Portal
+          href: customer-managed-keys-portal.md
         - name: C#
           href: customer-managed-keys-csharp.md
         - name: Azure Resource Manager template

articles/data-explorer/media/customer-managed-keys-portal/cmk-encryption-setting.png

@@ -0,0 +1,38 @@
+---
+author: orspod
+ms.service: data-explorer
+ms.topic: include
+ms.date: 03/25/2020
+ms.author: orspodek
+---
+
+## Create a new key vault
+
+To create a new key vault using PowerShell, call [New-AzKeyVault](/powershell/module/az.keyvault/new-azkeyvault). The key vault that you use to store customer-managed keys for Azure Data Explorer encryption must have two key protection settings enabled, **Soft Delete** and **Do Not Purge**. Replace the placeholder values in brackets with your own values in example below.
+
+```azurepowershell-interactive
+$keyVault = New-AzKeyVault -Name <key-vault> `
+    -ResourceGroupName <resource_group> `
+    -Location <location> `
+    -EnableSoftDelete `
+    -EnablePurgeProtection
+```
+
+## Configure the key vault access policy
+
+Next, configure the access policy for the key vault so that the cluster has permissions to access it. In this step, you'll use the system-assigned managed identity that you previously assigned to the cluster. To set the access policy for the key vault, call [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
+
+```azurepowershell-interactive
+Set-AzKeyVaultAccessPolicy `
+    -VaultName $keyVault.VaultName `
+    -ObjectId $cluster.Identity.PrincipalId `
+    -PermissionsToKeys wrapkey,unwrapkey,get,recover
+```
+
+## Create a new key
+
+Next, create a new key in the key vault. To create a new key, call [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
+
+```azurepowershell-interactive
+$key = Add-AzKeyVaultKey -VaultName $keyVault.VaultName -Name <key> -Destination 'Software'
+```

articles/data-explorer/media/customer-managed-keys-portal/cmk-key-vault.png

@@ -6,44 +6,19 @@ ms.date: 01/07/2020
 ms.author: orspodek
 ---
 
-Azure Data Explorer encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption. Customer-managed keys must be stored in an [Azure Key Vault](/azure/key-vault/key-vault-overview). You can create your own keys and store them in a key vault, or you can use an Azure Key Vault API to generate keys. The Azure Data Explorer cluster and the key vault must be in the same region, but they can be in different subscriptions. For a detailed explanation on customer-managed keys, see [customer-managed keys with Azure Key Vault](/azure/storage/common/storage-service-encryption). This article shows you how to configure customer-managed keys.
+Azure Data Explorer encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption. 
 
-To configure customer-managed keys with Azure Data Explorer, you must [set two properties on the key vault](/azure/key-vault/key-vault-ovw-soft-delete): **Soft Delete** and **Do Not Purge**. These properties aren't enabled by default. To enable these properties, use [PowerShell](/azure/key-vault/key-vault-soft-delete-powershell) or [Azure CLI](/azure/key-vault/key-vault-soft-delete-cli). Only RSA keys and key size 2048 are supported.
+Customer-managed keys must be stored in an [Azure Key Vault](/azure/key-vault/key-vault-overview). You can create your own keys and store them in a key vault, or you can use an Azure Key Vault API to generate keys. The Azure Data Explorer cluster and the key vault must be in the same region, but they can be in different subscriptions. For a detailed explanation on customer-managed keys, see [customer-managed keys with Azure Key Vault](/azure/storage/common/storage-service-encryption). 
 
-> [!NOTE]
-> Data encryption using customer managed keys is not supported on [leader and follower clusters](/azure/data-explorer/follower). 
-
-## Assign an identity to the cluster
-
-To enable customer-managed keys for your cluster, first assign a system-assigned managed identity to the cluster. You'll use this managed identity to grant the cluster permissions to access the key vault. To configure system-assigned managed identities, see [managed identities](/azure/data-explorer/managed-identities).
-
-## Create a new key vault
+This article shows you how to configure customer-managed keys.
 
-To create a new key vault using PowerShell, call [New-AzKeyVault](/powershell/module/az.keyvault/new-azkeyvault). The key vault that you use to store customer-managed keys for Azure Data Explorer encryption must have two key protection settings enabled, **Soft Delete** and **Do Not Purge**. Replace the placeholder values in brackets with your own values in example below.
+## Configure Azure Key Vault
 
-```azurepowershell-interactive
-$keyVault = New-AzKeyVault -Name <key-vault> `
-    -ResourceGroupName <resource_group> `
-    -Location <location> `
-    -EnableSoftDelete `
-    -EnablePurgeProtection
-```
+To configure customer-managed keys with Azure Data Explorer, you must [set two properties on the key vault](/azure/key-vault/key-vault-ovw-soft-delete): **Soft Delete** and **Do Not Purge**. These properties aren't enabled by default. To enable these properties, perform **Enabling soft-delete** and **Enabling Purge Protection** in [PowerShell](/azure/key-vault/key-vault-soft-delete-powershell) or [Azure CLI](/azure/key-vault/key-vault-soft-delete-cli) on a new or existing key vault. Only RSA keys of size 2048 are supported. For more information about keys, see [Key Vault keys](/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys).
 
-## Configure the key vault access policy
-
-Next, configure the access policy for the key vault so that the cluster has permissions to access it. In this step, you'll use the system-assigned managed identity that you previously assigned to the cluster. To set the access policy for the key vault, call [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
-
-```azurepowershell-interactive
-Set-AzKeyVaultAccessPolicy `
-    -VaultName $keyVault.VaultName `
-    -ObjectId $cluster.Identity.PrincipalId `
-    -PermissionsToKeys wrapkey,unwrapkey,get,recover
-```
-
-## Create a new key
+> [!NOTE]
+> Data encryption using customer managed keys is not supported on [leader and follower clusters](/azure/data-explorer/follower). 
 
-Next, create a new key in the key vault. To create a new key, call [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey). Replace the placeholder values in brackets with your own values and use the variables defined in the previous examples.
+## Assign an identity to the cluster
 
-```azurepowershell-interactive
-$key = Add-AzKeyVaultKey -VaultName $keyVault.VaultName -Name <key> -Destination 'Software'
-```
+To enable customer-managed keys for your cluster, first assign a system-assigned managed identity to the cluster. You'll use this managed identity to grant the cluster permissions to access the key vault. To configure system-assigned managed identities, see [managed identities](/azure/data-explorer/managed-identities).