
Commit f68e9e9

Add note on disk encryption
1 parent 1c8bd03 commit f68e9e9

File tree

1 file changed

+7
-3
lines changed

articles/machine-learning/concept-customer-managed-keys.md

Lines changed: 7 additions & 3 deletions
Original file line number / Diff line number / Diff line change
@@ -47,10 +47,11 @@ In addition to customer-managed keys, Azure Machine Learning also provides a [hb
4747
* After workspace creation, the customer-managed encryption key for resources the workspace depends on can only be updated to another key in the original Azure Key Vault resource.
4848
* Encrypted data will be stored on resources that live in a Microsoft-managed resource group in your subscription. You cannot create these resource upfront or transfer ownership of these to you. Data lifecycle is managed indirectly via the Azure ML APIs as you create objects in Azure Machine Learning service.
4949
* You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your workspace.
50+
* The compute cluster OS disk cannot be encrypted using your customer-managed keys, but only Microsoft-managed keys.
5051

5152
## How and what workspace metadata is stored
5253

53-
When you bring your own encryption key, service metadata will be stored on dedicated resources in your Azure subscription. Microsoft creates a seperate resource group in your subscription for this named 'azureml-rg-<workspacename>_<GUID>'. Resource in this managed resource group can only be modified by Microsoft. Additional networking controls are configured when you create a private link endpoint on your workspace.
54+
When you bring your own encryption key, service metadata will be stored on dedicated resources in your Azure subscription. Microsoft creates a seperate resource group in your subscription for this named *"azureml-rg-workspacename_GUID"*. Resource in this managed resource group can only be modified by Microsoft. Additional networking controls are configured when you create a private link endpoint on your workspace.
5455

5556
The following resources are created and store metadata for your workspace:
5657
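Review bot: the new bullet at line 50 reads awkwardly ("cannot be encrypted using your customer-managed keys, but only Microsoft-managed keys") and, given the Compute instance paragraph later in this same file, which also rules out customer-managed keys for the OS and temp disk, it understates the limitation; suggest one positive statement that covers both compute types, e.g. `* The OS disk and local temporary disk of compute clusters and compute instances are always encrypted with Microsoft-managed keys; customer-managed keys aren't supported for them.` Two smaller points in the same hunk: the reformatted resource group name at line 54 drops the angle-bracket placeholders, so a reader can no longer tell which parts of *"azureml-rg-workspacename_GUID"* are substituted per workspace; if the brackets were removed because Markdown treats them as HTML, a code span such as `azureml-rg-<workspacename>_<GUID>` keeps the placeholders visible without that problem. And since the line is being touched anyway, "seperate" should become "separate" and "Resource in this managed resource group" should become "Resources in this managed resource group".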

@@ -106,9 +107,12 @@ Azure Machine Learning uses compute resources to train and deploy machine learni
106107
:::moniker-end
107108

108109
**Compute cluster**
109-
The OS disk for each compute node stored in Azure Storage is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. This compute target is ephemeral, and clusters are typically scaled down when no jobs are queued. The underlying virtual machine is de-provisioned, and the OS disk is deleted. Azure Disk Encryption isn't supported for the OS disk.
110110

111-
Each virtual machine also has a local temporary disk for OS operations. If you want, you can use the disk to stage training data. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, the temporary disk is encrypted. This environment is short-lived (only during your job) and encryption support is limited to system-managed keys only.
111+
Compute clusters have local OS disk storage and can mount data from storage accounts in your subscription for the duration of the job.
112+
113+
When mounting data from your own storage account in a job, you can enable customer-managed keys on those storage account for encryption.
114+
115+
The OS disk for each compute node stored in Azure Storage is always encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts, and not using customer-managed keys. This compute target is ephemeral, and hence data that is stored on the OS disk is deleted once the cluster scales down. Clusters are typically scaled down when no jobs are queued, auto-scaling is on and the minimum node count is set to zero. The underlying virtual machine is de-provisioned, and the OS disk is deleted. Azure Disk Encryption isn't supported for the OS disk. Each virtual machine also has a local temporary disk for OS operations. If you want, you can use the disk to stage training data. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, the temporary disk is encrypted. This environment is short-lived (only during your job) and encryption support is limited to system-managed keys only.
112116

113117
**Compute instance**
114118
The OS disk for compute instance is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, the local temporary disk on compute instance is encrypted with Microsoft managed keys. Customer managed key encryption isn't supported for OS and temp disk.
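Review bot: folding the OS-disk and temporary-disk text into the single paragraph at line 115 leaves it using two different terms for the same thing, "Microsoft-managed keys" at the start and "system-managed keys only" at the end; use "Microsoft-managed keys" throughout, since that is what the rest of the file says, and keep the temp-disk sentences ("Each virtual machine also has a local temporary disk ...") as their own paragraph as they were before the change, so the OS disk, the temp disk and the `hbi_workspace` condition each stay easy to find. The ephemerality argument also needs its caveat stated rather than implied: the paragraph says OS-disk data is deleted once the cluster scales down and that this happens when the minimum node count is set to zero, which means a cluster with a minimum node count above zero keeps its nodes, and therefore their Microsoft-managed-key OS disks, between jobs; a sentence saying exactly that would stop a reader with a CMK requirement from assuming the disk never outlives a job. Minor: line 113 "those storage account" should be "those storage accounts".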

0 commit comments
