articles/cosmos-db/postgresql/how-to-customer-managed-keys.md
7 additions & 7 deletions
@@ -34,7 +34,7 @@ ms.date: 04/06/2023
34
34
35
35
## Detailed steps
36
36
37
-
1.### User Assigned Managed Identity
37
+
### User Assigned Managed Identity
38
38
39
39
1. Search for Managed Identities in the global search bar.
40
40
@@ -54,7 +54,7 @@ ms.date: 04/06/2023
54
54
55
55
1. If you create a new Azure Key Vault instance, enable these properties during creation:
56
56
57
-
[](media/how-to-customer-managed-keys/key-vault-soft-delete.png#lightbox)
57
+
[](media/how-to-customer-managed-keys/key-vault-soft-delete.png#lightbox)
58
58
59
59
1. If you're using an existing Azure Key Vault instance, you can verify that these properties are enabled by looking at the Properties section on the Azure portal. If any of these properties aren’t enabled, see the "Enabling soft delete" and "Enabling Purge Protection" sections in one of the following articles.
60
60
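Review bot: The step at line 55 ("enable these properties during creation:") names the properties only through the screenshot linked at line 57, and that link has empty link text as shown, so a reader who cannot see the image does not learn which settings to turn on. Line 59 refers to them as soft delete and purge protection; suggest naming both in the line 55 text as well.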
@@ -70,13 +70,13 @@ ms.date: 04/06/2023
70
70
71
71
1. From the Azure portal, go to the Azure Key Vault instance that you plan to use to host your encryption keys. Select Access configuration from the left menu and then select Go to access policies.
72
72
73
-
[](media/how-to-customer-managed-keys/access-policy.png#lightbox)
73
+
[](media/how-to-customer-managed-keys/access-policy.png#lightbox)
74
74
75
75
1. Select + Create.
76
76
77
77
1. In the Permissions Tab under the Key permissions drop-down menu, select Get, Unwrap Key, and Wrap Key permissions.
78
78
79
-
[] (media/how-to-customer-managed-keys/access-policy-permissions.png#lightbox)
79
+
[] (media/how-to-customer-managed-keys/access-policy-permissions.png#lightbox)
80
80
81
81
1. In the Principal Tab, select the User Assigned Managed Identity you had created in prerequisite step.
82
82
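Review bot: The added line 79 keeps the space between "[]" and "(media/how-to-customer-managed-keys/access-policy-permissions.png#lightbox)" that the removed line had, so this will not render as a link, unlike the access-policy.png link at line 73, which has no space. Suggest dropping the space while the line is being touched. Separately, in the context line 81, "you had created in prerequisite step" would read better as "you created in the prerequisite step".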
@@ -88,7 +88,7 @@ ms.date: 04/06/2023
88
88
89
89
1. Select Keys from the left menu and then select +Generate/Import.
90
90
91
-
[](media/how-to-customer-managed-keys/create-key.png#lightbox)
91
+
[](media/how-to-customer-managed-keys/create-key.png#lightbox)
92
92
93
93
1. The customer-managed key to be used for encrypting the DEK can only be asymmetric RSA Key type. All RSA Key sizes 2048, 3072 and 4096 are supported.
94
94
@@ -100,7 +100,7 @@ ms.date: 04/06/2023
100
100
101
101
1. If you're manually rotating the key, the old key version shouldn't be deleted for at least 24 hours.
102
102
103
-
1.### Enable CMK encryption during the provisioning for a new cluster
103
+
### Enable CMK encryption during the provisioning for a new cluster
104
104
105
105
# [Portal](#tab/portal)
106
106
@@ -116,7 +116,7 @@ ms.date: 04/06/2023
116
116
1. Select the Key created in the previous step, and then select Review+create.
117
117
118
118
1. Verify that CMK is encryption is enabled by Navigating to the Data Encryption(preview) blade of the Cosmos DB for PostgreSQL cluster in the Azure portal.
119
-

119
+

120
120
121
121
> [!NOTE]
122
122
> Data encryption can only be configured during the creation of a new cluster and can't be updated on an existing cluster. A workaround for updating the encryption configuration on an existing cluster is to restore an existing PITR backup to a new cluster and configure the data encryption during the creation of the newly restored cluster.
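Review bot: Line 118, directly above the changed line, reads "Verify that CMK is encryption is enabled by Navigating to ..."; the first "is" is a stray word and "Navigating" should be lowercase. Suggest fixing it in this commit so the step reads "Verify that CMK encryption is enabled by navigating to ...". Also, both the removed and the added line 119 display as empty here, so it is worth confirming that the screenshot reference for this verification step is still present after the change.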