You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/event-hubs/configure-customer-managed-key.md
+7-8Lines changed: 7 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,9 +33,8 @@ After you enable customer-managed keys, you need to associate the customer manag
33
33
34
34
### Create key vault or key vault managed HSM
35
35
36
-
37
-
> [!IMPORTANT]
38
-
> Using customer-managed keys with Azure Event Hubs requires that the key vault have two required properties configured. They are: **Soft Delete** and **Do Not Purge**. These properties are enabled by default when you create a new key vault in the Azure portal. However, if you need to enable these properties on an existing key vault, you must use either PowerShell or Azure CLI.
36
+
> [!IMPORTANT]
37
+
> Using customer-managed keys with Azure Event Hubs requires that the key vault have two required properties configured. They are: **Soft Delete** and **Do Not Purge**. These properties are enabled by default when you create a new key vault in the Azure portal. However, if you need to enable these properties on an existing key vault, you must use either PowerShell or Azure CLI.
39
38
40
39
# [Key Vault](#tab/Key-Vault)
41
40
@@ -671,10 +670,10 @@ You can rotate your key in the key vault by using the Azure Key Vaults rotation
671
670
### Revoke access to keys
672
671
Revoking access to the encryption keys won't purge the data from Event Hubs. However, the data can't be accessed from the Event Hubs namespace. You can revoke the encryption key through access policy or by deleting the key. Learn more about access policies and securing your key vault from [Secure access to a key vault](/azure/key-vault/general/security-features).
673
672
674
-
Once the encryption key is revoked, the Event Hubs service on the encrypted namespace becomes inoperable. If the access to the key is enabled or the delete key is restored, Event Hubs service will pick the key so you can access the data from the encrypted Event Hubs namespace.
673
+
Once the encryption key is revoked, the Event Hubs service on the encrypted namespace becomes inoperable. If the access to the key is enabled or the delete key is restored, Event Hubs service picks the key so you can access the data from the encrypted Event Hubs namespace.
675
674
676
675
### Caching of keys
677
-
The Event Hubs instance (event hub) polls its listed encryption keys every 5 minutes. It caches and uses them until the next poll, which is after 5 minutes. As long as at least one key is available, the event hub is accessible. If all listed keys are inaccessible when it polls, all event hubs will become unavailable.
676
+
The Event Hubs instance (event hub) polls its listed encryption keys every 5 minutes. It caches and uses them until the next poll, which is after 5 minutes. As long as at least one key is available, the event hub is accessible. If all listed keys are inaccessible when it polls, all event hubs become unavailable.
678
677
679
678
Here are more details:
680
679
@@ -693,12 +692,12 @@ To enable encryption of Microsoft-managed key with a customer managed key, an [a
693
692
694
693
Due to this:
695
694
696
-
- If [Geo disaster recovery](event-hubs-geo-dr.md) is already enabled for the Event Hubs namespace and you are looking to enable customer managed key, then
695
+
- If [Geo disaster recovery](event-hubs-geo-dr.md) is already enabled for the Event Hubs namespace and you're looking to enable customer managed key, then
697
696
- Break the pairing.
698
697
-[Set up the access policy](/azure/key-vault/general/assign-access-policy-portal) for the system-assigned managed identity for both the primary and secondary namespaces to the key vault.
699
698
- Set up encryption on the primary namespace.
700
699
- Re-pair the primary and secondary namespaces.
701
-
- If you are looking to enable Geo-DR on an Event Hubs namespace where customer-managed key is already set up, then follow these steps:
700
+
- If you're looking to enable Geo-DR on an Event Hubs namespace where customer-managed key is already set up, then follow these steps:
702
701
-[Set up the access policy](/azure/key-vault/general/assign-access-policy-portal) for the managed identity for the secondary namespace to the key vault.
703
702
- Pair the primary and secondary namespaces.
704
703
@@ -711,7 +710,7 @@ Here are a few recommendations:
711
710
712
711
Conditions for enabling Geo-DR and Encryption with User-Assigned Identities:
713
712
714
-
1. Secondary namespace must already have Encryption enabled with a User-Assigned identity if it is to be paired with a primary namespace that has Encryption enabled.
713
+
1. Secondary namespace must already have Encryption enabled with a User-Assigned identity if it's to be paired with a primary namespace that has Encryption enabled.
715
714
2. It isn't possible to enable Encryption on an already paired primary, even if the secondary has a User-Assigned identity associated with the namespace.
0 commit comments