Configure customer-managed keys for your existing Azure Cosmos DB accounts!
Encryption options for data at rest on Azure Cosmos DB that is available today.
Azure Cosmos DB strives to provide the best-in-class security features. Encryption of data at rest is one such important security feature. Encryption of data at rest using Microsoft’s service-managed keys is enabled by default.
In addition to this default encryption, Azure Cosmos DB allows customers to add a second layer of encryption using customer-managed keys or CMK. Currently, this feature is available only during new account creation.
We are excited to announce the public preview for enabling Customer Managed Keys (CMK) on your existing Azure Cosmos DB account.
How does this feature help?
Many of our customers wanted to extend encryption at rest with CMK offering on their existing accounts to increase the security posture, in place, as is where is condition, without the migration overheads. This means:
- Customers fully control data access. Customers are able to bring their own key (BYOK) to enable the separation of duties in the management of keys and data.
- Full control over key life cycle, including rotating keys per corporate security policies.
- Central management of keys using Azure Key Vault.
This is a completely online process, which means that there is no downtime. Encryption of existing data happens in the background. Applications can continue to use the Azure Cosmos DB account to reads and writes.
Important considerations to keep in mind.
- Enabling CMK will kick off a background, asynchronous process to encrypt all the data. There is no need to wait for the asynchronous operation to succeed. The enablement process will consume unused/spare RUs so that it does not affect your read/write workloads. However, the completion of this asynchronous operation depends on sufficient leftover RUs being available. We suggest enabling CMK during off-peak hours and if applicable you can increase RU’s before enabling CMK.
- Any pre-requisite required to enable CMK on a new account – as described in this article – also applies when enabling CMK on existing accounts.
- As you would expect, enabling CMK is accompanied by a slight increase in data size and a slight increase in RUs to accommodate extra encryption/decryption processing.
- We suggest you to backup the data prior to enabling CMK.
- We also recommend testing all scenarios first on non-production accounts.
- Data encryption using CMK cannot be reversed. Data encryption happens in batches. You can monitor the encryption progress and completion status.
Are there any limitations?
- Enabling CMK is available only at a Cosmos DB account level and not at collections.
- We do not support enabling CMK on existing Azure Cosmos DB for Apache Cassandra accounts.
- Existing accounts that are enabled for Materialized Views and Full Fidelity Change Feed (FFCF) are presently not supported for CMK.
- Please ensure the account does not have documents with large ids greater than 990 bytes before enabling CMK. If not, you will get an error due to the max supported limit of 1024 bytes after encryption.
- Control plane actions such as “add region” will be blocked during the encryption of existing data. These actions are unblocked and can be used right after the encryption is complete.
We would love to have you onboard and preview this feature. Please go through the Azure Cosmos DB to enable CMK on existing accounts documentation for the next steps.
Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development with SLA-backed speed and availability, automatic and instant scalability, and support for open-source PostgreSQL, MongoDB and Apache Cassandra. Try Azure Cosmos DB for free here. To stay in the loop on Azure Cosmos DB updates, follow us on Twitter, YouTube, and LinkedIn.