2. Select the **Key Permissions** select **Get**, **Wrap**, **Unwrap** and the **Principal** which is the name of the MySQL server.
42
+
2. Select the **Key Permissions** select **Get**, **Wrap**, **Unwrap** and the **Principal**, which is the name of the MySQL server. If your server principal can't be found in the list of existing principals, you will need to register it by attempting to set up Data Encryption for the first time, which will fail.
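Review bot: The sentence added to step 2 tells the reader to register the server principal by attempting a Data Encryption setup that "will fail", but it does not say that this failure is expected, or that the reader should then return to this step and select the principal. Suggest stating both explicitly. The line also still opens with "Select the **Key Permissions** select", where the second "select" should be dropped.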
@@ -58,9 +57,9 @@ In this article, you will learn how to set up and manage to use the Azure portal
58
57
59
58
3. **Save** the settings.
60
59
61
-
4. To ensure all files (including temp files) are full encrypted, a server restart is required.
60
+
4. To ensure all files (including **temp files**) are full encrypted, a server **restart** is **required**.
62
61
63
-
## Restoring or creating replica of the server which has Data Encryption enabled
62
+
## Restoring or creating replica of the server, which has Data Encryption enabled
64
63
65
64
Once an Azure Database for MySQL is encrypted with customer's managed key stored in the Key Vault, any newly created copy of the server either though local or geo-restore operation or a replica (local/cross-region) operation. So for an encrypted MySQL server, you can follow the steps below to create an encrypted restored server.
66
65
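Review bot: In step 4 the new line keeps "full encrypted", which should read "fully encrypted" while the line is being touched. The comma added to the heading ("of the server, which has Data Encryption enabled") turns a restrictive clause into a non-restrictive one; "a server that has Data Encryption enabled" reads correctly without it.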
@@ -76,17 +75,19 @@ Once an Azure Database for MySQL is encrypted with customer's managed key stored
76
75
77
76

78
77
79
-
3. To fix Inaccessible state, you need to revalidate the key on the restored server.
78
+
3. To fix Inaccessible state, you need to revalidate the key on the restored server. Click on the **Data Encryption** blade and then the **Revalidate key** button.
79
+
80
+
> [!NOTE]
81
+
> The first attempt to revalidate will fail since the new server's service principal needs to be given access to the key vault. To generate the service principal click on **Revalidate key**, which will give error but generates the service principal. Thereafter, refer to steps [in section 2](https://docs.microsoft.com/azure/mysql/howto-data-encryption-portal#setting-the-right-permissions-for-key-operations) above.
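Review bot: The added NOTE ends by sending the reader to the key permissions steps, so the procedure never says to click **Revalidate key** a second time once the new server's service principal has access to the key vault; add that as the closing instruction. Because the first click in step 3 is expected to fail, the note would also read better folded into the step or placed before it, and "which will give error" should be "which returns an error".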
articles/postgresql/howto-data-encryption-portal.md (9 additions & 8 deletions)
@@ -12,10 +12,9 @@ ms.date: 01/10/2020
12
12
13
13
In this article, you will learn how to set up and manage to use the Azure portal to set up Data Encryption for your Azure Database for PostgreSQL Single server.
14
14
15
-
## Prerequisites for PowerShell
15
+
## Prerequisites for CLI
16
16
17
17
* You must have an Azure subscription and be an administrator on that subscription.
18
-
* You must have Azure PowerShell installed and running.
19
18
* Create an Azure Key Vault and Key to use for customer-managed key.
20
19
* The Key vault must have the following property to use as a customer-managed key
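Review bot: The heading becomes "## Prerequisites for CLI", but the unchanged line above it still describes this as an article about using the Azure portal, and the hunk removes the PowerShell installation bullet without adding any CLI requirement. A plain "## Prerequisites" heading would match what the list now contains.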
2. Under the **Key Permissions** select **Get**, **Wrap**, **Unwrap** and the **Principal** which is the name of the PostgreSQL server.
43
+
2. Under the **Key Permissions** select **Get**, **Wrap**, **Unwrap** and the **Principal**, which is the name of the PostgreSQL server. If your server principal can't be found in the list of existing principals, you will need to register it by attempting to set up Data Encryption for the first time, which will fail.
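Review bot: The fallback appended to step 2 covers the same situation that the restore section of this commit documents in a "> [!NOTE]" block, yet here it is a trailing sentence inside the step. Using a NOTE block in both places would keep them consistent and make it clear that the failed first attempt is a one-time prerequisite, not part of selecting permissions. "Under the **Key Permissions** select ... and the **Principal**" also reads as if the principal were a key permission; splitting it into two sentences would help.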
@@ -59,9 +58,9 @@ In this article, you will learn how to set up and manage to use the Azure portal
59
58
60
59
3. **Save** the settings.
61
60
62
-
4. To ensure all files (including temp files) are full encrypted, a server restart is required.
61
+
4. To ensure all files (including **temp files**) are full encrypted, a server **restart** is **required**.
63
62
64
-
## Restoring or creating replica of the server which has data encryption enabled
63
+
## Restoring or creating replica of the server, which has data encryption enabled
65
64
66
65
Once an Azure Database for PostgreSQL Single server is encrypted with customer's managed key stored in the Key Vault, any newly created copy of the server either though local or geo-restore operation or a replica (local/cross-region) operation. So for an encrypted PostgreSQL server, you can follow the steps below to create an encrypted restored server.
67
66
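Review bot: Step 4 now carries three separate bold spans ("**temp files**", "**restart**", "**required**"), which dilutes the emphasis; bolding only the restart requirement, or moving it into a note block like the one added later in this commit, would be clearer. The heading here uses lowercase "data encryption" while the MySQL file in the same commit uses "Data Encryption". The unchanged paragraph under the heading has no main verb ("any newly created copy of the server either though local or geo-restore operation or a replica ... operation.") and "though" should be "through"; worth fixing in the same pass.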
@@ -78,17 +77,19 @@ Once an Azure Database for PostgreSQL Single server is encrypted with customer's
78
77

79
78
80
79
81
-
3. To fix Inaccessible state, you need to revalidate the key on the restored server.
80
+
3. To fix Inaccessible state, you need to revalidate the key on the restored server. Click on the **Data Encryption** blade and then the **Revalidate key** button.
81
+
82
+
> [!NOTE]
83
+
> The first attempt to revalidate will fail since the new server's service principal needs to be given access to the key vault. To generate the service principal click on **Revalidate key**, which will give error but generates the service principal. Thereafter, refer to steps [in section 2](https://docs.microsoft.com/azure/postgresql/howto-data-encryption-portal#setting-the-right-permissions-for-key-operations) above.
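Review bot: The link text "in section 2" in the added NOTE does not match anything a reader can find, since the headings are not numbered and the target is the anchor #setting-the-right-permissions-for-key-operations; use the section title as the link text. The link is also an absolute docs.microsoft.com URL pointing back into the same article, where a same-page anchor would survive a move or rename of the file.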