|
| 1 | +--- |
| 2 | +title: Configure your own key for encrypting Azure Service Bus data at rest |
| 3 | +description: This article provides information on how to configure your own key for encrypting Azure Service Bus data rest. |
| 4 | +services: service-bus-messaging |
| 5 | +ms.service: service-bus |
| 6 | +documentationcenter: '' |
| 7 | +author: axisc |
| 8 | + |
| 9 | +ms.topic: conceptual |
| 10 | +ms.date: 11/15/2019 |
| 11 | +ms.author: aschhab |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +# Configure customer-managed keys for encrypting Azure Service Bus data at rest by using the Azure portal (Preview) |
| 16 | +Azure Service Bus Premium provides encryption of data at rest with Azure Storage Service Encryption (Azure SSE). Service Bus Premium relies on Azure Storage to store the data and by default, all the data that is stored with Azure Storage is encrypted using Microsoft-managed keys. |
| 17 | + |
| 18 | +## Overview |
| 19 | +Azure Service Bus now supports the option of encrypting data at rest with either Microsoft-managed keys or customer-managed keys (Bring Your Own Key - BYOK). this feature enables you to create, rotate, disable, and revoke access to the customer-managed keys that are used for encrypting Azure Service Bus at rest. |
| 20 | + |
| 21 | +Enabling the BYOK feature is a one time setup process on your namespace. |
| 22 | + |
| 23 | +> [!NOTE] |
| 24 | +> There are some caveats to the customer managed key for service side encryption. |
| 25 | +> * This feature is supported by [Azure Service Bus Premium](service-bus-premium-messaging.md) tier. It cannot be enabled for standard tier Service Bus namespaces. |
| 26 | +> * The encryption can only be enabled for new or empty namespaces. If the namespace contains data, then the encryption operation will fail. |
| 27 | +> * If [Virtual network (VNet) service endpoints](service-bus-service-endpoints.md) are configured on Azure Key Vault for your Service Bus namespace, BYOK will not be supported. |
| 28 | +
|
| 29 | +You can use Azure Key Vault to manage your keys and audit your key usage. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. For more information about Azure Key Vault, see [What is Azure Key Vault?](../key-vault/key-vault-overview.md) |
| 30 | + |
| 31 | +This article shows how to configure a key vault with customer-managed keys by using the Azure portal. To learn how to create a key vault using the Azure portal, see [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../key-vault/quick-create-portal.md). |
| 32 | + |
| 33 | +> [!IMPORTANT] |
| 34 | +> Using customer-managed keys with Azure Service Bus requires that the key vault have two required properties configured. They are: **Soft Delete** and **Do Not Purge**. These properties are enabled by default when you create a new key vault in the Azure portal. However, if you need to enable these properties on an existing key vault, you must use either PowerShell or Azure CLI. |
| 35 | +
|
| 36 | +## Enable customer-managed keys |
| 37 | +To enable customer-managed keys in the Azure portal, follow these steps: |
| 38 | + |
| 39 | +1. Navigate to your Service Bus Premium namespace. |
| 40 | +2. On the **Settings** page of your Service Bus namespace, select **Encryption (preview)**. |
| 41 | +3. Select the **Customer-managed key encryption at rest** as shown in the following image. |
| 42 | + |
| 43 | +  |
| 44 | + |
| 45 | + |
| 46 | +## Set up a key vault with keys |
| 47 | + |
| 48 | +After you enable customer-managed keys, you need to associate the customer managed key with your Azure Service Bus namespace. Service Bus supports only Azure Key Vault. If you enable the **Encryption with customer-managed key** option in the previous section, you need to have the key imported into Azure Key Vault. Also, the keys must have **Soft Delete** and **Do Not Purge** configured for the key. These settings can be configured using [PowerShell](../key-vault/key-vault-soft-delete-powershell.md) or [CLI](../key-vault/key-vault-soft-delete-cli.md#enabling-purge-protection). |
| 49 | + |
| 50 | +1. To create a new key vault, follow the Azure Key Vault [Quickstart](../key-vault/key-vault-overview.md). For more information about importing existing keys, see [About keys, secrets, and certificates](../key-vault/about-keys-secrets-and-certificates.md). |
| 51 | +1. To turn on both soft delete and purge protection when creating a vault, use the [az keyvault create](/cli/azure/keyvault?view=azure-cli-latest#az-keyvault-create) command. |
| 52 | + |
| 53 | + ```azurecli-interactive |
| 54 | + az keyvault create --name contoso-SB-BYOK-keyvault --resource-group ContosoRG --location westus --enable-soft-delete true --enable-purge-protection true |
| 55 | + ``` |
| 56 | +1. To add purge protection to an existing vault (that already has soft delete enabled), use the [az keyvault update](/cli/azure/keyvault?view=azure-cli-latest#az-keyvault-update) command. |
| 57 | +
|
| 58 | + ```azurecli-interactive |
| 59 | + az keyvault update --name contoso-SB-BYOK-keyvault --resource-group ContosoRG --enable-purge-protection true |
| 60 | + ``` |
| 61 | +1. Create keys by following these steps: |
| 62 | + 1. To create a new key, select **Generate/Import** from the **Keys** menu under **Settings**. |
| 63 | + |
| 64 | +  |
| 65 | +
|
| 66 | + 1. Set **Options** to **Generate** and give the key a name. |
| 67 | +
|
| 68 | +  |
| 69 | +
|
| 70 | + 1. You can now select this key to associate with the Service Bus namespace for encrypting from the drop-down list. |
| 71 | +
|
| 72 | +  |
| 73 | + > [!NOTE] |
| 74 | + > For redundancy, you can add up to 3 keys. In the event that one of the keys has expired, or is not accessible, the other keys will be used for encryption. |
| 75 | + |
| 76 | + 1. Fill in the details for the key and click **Select**. This will enable the encryption of data at rest on the namespace with a customer managed key. |
| 77 | +
|
| 78 | +
|
| 79 | +> [!IMPORTANT] |
| 80 | +> If you are looking to use Customer managed key along with Geo disaster recovery, please review the below - |
| 81 | +> |
| 82 | +> To enable encryption at rest with customer managed key, an [access policy](../key-vault/key-vault-secure-your-key-vault.md) is set up for the Service Bus' managed identity on the specified Azure KeyVault. This ensures controlled access to the Azure KeyVault from the Azure Service Bus namespace. |
| 83 | +> |
| 84 | +> Due to this: |
| 85 | +> |
| 86 | +> * If [Geo disaster recovery](service-bus-geo-dr.md) is already enabled for the Service Bus namespace and you are looking to enable customer managed key, then |
| 87 | +> * Break the pairing |
| 88 | +> * [Set up the access policy](../key-vault/managed-identity.md) for the managed identity for both the primary and secondary namespaces to the key vault. |
| 89 | +> * Set up encryption on the primary namespace. |
| 90 | +> * Re-pair the primary and secondary namespaces. |
| 91 | +> |
| 92 | +> * If you are looking to enable Geo-DR on a Service Bus namespace where customer managed key is already set up, then - |
| 93 | +> * [Set up the access policy](../key-vault/managed-identity.md) for the managed identity for the secondary namespace to the key vault. |
| 94 | +> * Pair the primary and secondary namespaces. |
| 95 | +
|
| 96 | +
|
| 97 | +## Rotate your encryption keys |
| 98 | +
|
| 99 | +You can rotate your key in the key vault by using the Azure Key Vaults rotation mechanism. For more information, see [Set up key rotation and auditing](../key-vault/key-vault-key-rotation-log-monitoring.md). Activation and expiration dates can also be set to automate key rotation. The Service Bus service will detect new key versions and start using them automatically. |
| 100 | +
|
| 101 | +## Revoke access to keys |
| 102 | +
|
| 103 | +Revoking access to the encryption keys won't purge the data from Service Bus. However, the data can't be accessed from the Service Bus namespace. You can revoke the encryption key through access policy or by deleting the key. Learn more about access policies and securing your key vault from [Secure access to a key vault](../key-vault/key-vault-secure-your-key-vault.md). |
| 104 | +
|
| 105 | +Once the encryption key is revoked, the Service Bus service on the encrypted namespace will become inoperable. If the access to the key is enabled or the deleted key is restored, Service Bus service will pick the key so you can access the data from the encrypted Service Bus namespace. |
| 106 | +
|
| 107 | +> [!NOTE] |
| 108 | +> If you delete an existing encryption key from your key vault and replace it with a new key on the Service Bus namespace, since the delete key is still valid (as it is cached) for up to an hour, your old data (which was encrypted with the old key) may still be accessible along with the new data, which is now accessible only using the new key. This behavior is by design in the preview version of the feature. |
| 109 | +
|
| 110 | +## Next steps |
| 111 | +See the following articles: |
| 112 | +- [Service Bus overview](service-bus-messaging-overview.md) |
| 113 | +- [Key Vault overview](../key-vault/key-vault-overview.md) |
| 114 | +
|
| 115 | +
|
0 commit comments