Enhanced encryption at rest with customer-managed keys

Thomas Weiss

Today, we are excited to announce the general availability of encryption at rest with customer-managed keys on Azure Cosmos DB. This new capability enhances our enterprise-grade security and compliance offering.

Businesses often move their applications to the cloud for increased agility, elasticity and cost-effectiveness. But as they transition to managed platforms, they also need to maintain their expectations in terms of core security. In many industries, regulations and compliance obligations require the use of databases that not only encrypt data at rest, but do so by using encryption keys that end-users can control. While encryption at rest has been a default feature on Azure Cosmos DB for many years now, it is performed with service-managed keys, automatically and transparently managed by Microsoft. Customer-managed keys don’t disable this default encryption. Instead, they add a second layer of encryption on top of the default one.

Layers of encryption around customer data

This means that customer-managed keys also deliver double encryption, a feature that is sometimes part of the same compliance requirements.

Using Azure Key Vault as the key store

Customer-managed keys must be generated or imported in Azure Key Vault, a secure storage service for keys, secrets and certificates. Azure Key Vault streamlines key management and gives you full control to manage and audit key access.

Creating a new Azure Cosmos DB account with customer-managed keys

Simply provide the key’s URI from Azure Key Vault when creating a new Azure Cosmos DB account. This can be done from the Azure Portal, or programmatically using Azure Resource Manager templates, PowerShell or the Azure CLI.

Setting CMK parameters in the Azure portal

Get started

0 comments

Discussion is closed.

Feedback usabilla icon