{"id":10828,"date":"2025-08-14T08:21:01","date_gmt":"2025-08-14T15:21:01","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cosmosdb\/?p=10828"},"modified":"2025-09-08T08:47:12","modified_gmt":"2025-09-08T15:47:12","slug":"data-encryption-with-customer-managed-key-cmk-for-azure-cosmos-db-for-mongodb-vcore","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cosmosdb\/data-encryption-with-customer-managed-key-cmk-for-azure-cosmos-db-for-mongodb-vcore\/","title":{"rendered":"Data encryption with customer-managed key (CMK) for Azure Cosmos DB for MongoDB vCore"},"content":{"rendered":"<h1><span style=\"font-family: arial, helvetica, sans-serif;\">Built-in security for every configuration<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\"><strong>Azure Cosmos DB for MongoDB vCore<\/strong> is designed with security as a foundational principle. Regardless of how your cluster is configured\u2014whether it&#8217;s a single-node deployment or a multi-shard architecture\u2014your data is always <strong>encrypted at rest<\/strong> using the <strong>AES-256 cipher<\/strong>, one of the most trusted and widely adopted encryption standards.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">This encryption is automatically handled using a <strong>service-managed key (SMK)<\/strong>. There\u2019s no setup required, no toggle to enable\u2014it\u2019s always on. 
SMK-based encryption ensures that your data is protected by default, delivering all the benefits of AES-256 encryption, including compliance with industry standards such as ISO\/IEC 27001, HIPAA, and GDPR.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\"><em>Note<\/em>: Customer-managed key (CMK) is now generally available (GA) in Azure Cosmos DB for MongoDB vCore.<\/span><\/p>\n<h1><span style=\"font-family: arial, helvetica, sans-serif;\">Introducing customer-managed key (CMK) support<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">For organizations that require <strong>greater control over their encryption strategy<\/strong>, Azure Cosmos DB for MongoDB vCore now supports <strong>customer-managed keys (CMK)<\/strong>. This feature allows customers to <strong>own and manage the encryption keys<\/strong> used to protect their data\u2014adding a layer of control and flexibility on top of the default SMK.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">Here\u2019s how it works:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">CMK is used to <strong>encrypt the SMK<\/strong>, which in turn encrypts the data at rest.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">This means customers retain <strong>full control over access to their data<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">If a customer <strong>revokes the CMK<\/strong>, the SMK becomes inaccessible, and the data in the cluster is rendered unreadable.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">This capability is especially valuable for organizations with strict compliance requirements, internal security policies, or a need to enforce key lifecycle management.<\/span><\/p>\n<h1><span style=\"font-family: arial, helvetica, sans-serif;\">Where CMK is 
supported<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">CMK encryption is available across multiple cluster types:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\"><strong>Primary (read-write) clusters<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\"><strong>Replica clusters<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\"><strong>Restored clusters<\/strong><\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">You can choose to enable CMK on <strong>all<\/strong> your Azure Cosmos DB for MongoDB vCore clusters or selectively apply it to specific clusters based on your security needs. This flexibility allows you to tailor your encryption strategy to different environments, use cases, or compliance zones.<\/span><\/p>\n<h1><span style=\"font-family: arial, helvetica, sans-serif;\">Versionless key model for seamless rotation<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">Azure Cosmos DB for MongoDB vCore uses a <strong>versionless key model<\/strong> for CMK. This means:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">The cluster always uses the <strong>latest version<\/strong> of the specified key stored in <strong>Azure Key Vault<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">You don\u2019t need to manually update the key reference in the cluster configuration.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Simply configure <strong>key auto-rotation<\/strong> in Azure Key Vault, and the cluster will automatically use the most recent version.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">This approach simplifies key management while ensuring that your encryption strategy remains up to date and aligned with best practices. 
It also reduces operational overhead and minimizes the risk of misconfiguration during key updates.<\/span><\/p>\n<h1><span style=\"font-family: arial, helvetica, sans-serif;\">How customer-managed key (CMK) works<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\"><strong>Azure Cosmos DB for MongoDB vCore<\/strong> uses <strong>Azure Key Vault<\/strong> to store the <strong>customer-managed key (CMK)<\/strong>, which is used to encrypt the <strong>service-managed key (SMK)<\/strong>. The SMK, in turn, encrypts the data within the cluster. A <strong>managed identity<\/strong> in <strong>Microsoft Entra ID<\/strong> is used to access the customer\u2019s encryption key stored in Azure Key Vault.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">The following diagram illustrates how these components interact to provide you full control over data encryption in Azure Cosmos DB for MongoDB vCore.<\/span><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/Azure-Cosmos-DB-for-MongoDB-vCore-customer-managed-key-CMK-diagram.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-10832\" src=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/Azure-Cosmos-DB-for-MongoDB-vCore-customer-managed-key-CMK-diagram.png\" alt=\"Azure Cosmos DB for MongoDB vCore -customer managed key CMK diagram\" width=\"1740\" height=\"702\" srcset=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/Azure-Cosmos-DB-for-MongoDB-vCore-customer-managed-key-CMK-diagram.png 1740w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/Azure-Cosmos-DB-for-MongoDB-vCore-customer-managed-key-CMK-diagram-300x121.png 300w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/Azure-Cosmos-DB-for-MongoDB-vCore-customer-managed-key-CMK-diagram-1024x413.png 1024w, 
https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/Azure-Cosmos-DB-for-MongoDB-vCore-customer-managed-key-CMK-diagram-768x310.png 768w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/Azure-Cosmos-DB-for-MongoDB-vCore-customer-managed-key-CMK-diagram-1536x620.png 1536w\" sizes=\"(max-width: 1740px) 100vw, 1740px\" \/><\/a><\/p>\n<p><em><span style=\"font-family: arial, helvetica, sans-serif; font-size: 10pt;\">Figure 1. Customer-managed key (CMK) flow in Azure Cosmos DB for MongoDB vCore.<\/span><\/em><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">The following list explains the numbered steps in the diagram:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">An Azure Key Vault admin grants permissions to encryption keys stored in key vault to a managed identity in Microsoft Entra ID.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">An Azure Cosmos DB for MongoDB vCore administrator configures encryption with a customer-managed key (CMK) for the cluster.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Azure Cosmos DB for MongoDB vCore uses the managed identity configured in step 1 to authenticate to Azure Key Vault via Microsoft Entra ID.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Azure Cosmos DB for MongoDB vCore wraps the cluster storage encryption key with the customer-managed key in Azure Key Vault.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">For read\/write operations, Azure Cosmos DB for MongoDB vCore sends requests to Azure Key Vault to unwrap the cluster data encryption key to perform encryption and decryption operations.<\/span><\/li>\n<\/ol>\n<h1><span style=\"font-family: arial, helvetica, sans-serif;\">How to set up data encryption with customer-managed key on an Azure Cosmos DB for MongoDB vCore 
cluster<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">You can enable CMK during <strong>new cluster provisioning<\/strong>, <strong>replica cluster creation<\/strong>, or when requesting a <strong>cluster restore<\/strong>. Once a CMK-enabled cluster is created, you can configure CMK settings such as the <strong>user-assigned managed identity<\/strong> and the <strong>encryption key<\/strong> to be used.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">To set up CMK on an Azure Cosmos DB for MongoDB vCore cluster, you\u2019ll need the following:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">A <strong>user-assigned managed identity<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">An <strong>Azure Key Vault<\/strong> with <a href=\"https:\/\/learn.microsoft.com\/azure\/cosmos-db\/mongodb\/vcore\/database-encryption-at-rest#cmk-requirements\">specific configuration settings<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">An <strong>asymmetric or RSA encryption key<\/strong> in an enabled state within the Azure Key Vault. 
You can import an existing encryption key and use it for your cluster\u2019s data encryption.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\"><a href=\"https:\/\/learn.microsoft.com\/azure\/cosmos-db\/mongodb\/vcore\/database-encryption-at-rest#cmk-requirements\"><strong>Permissions<\/strong> granted<\/a> to the user-assigned managed identity to access the Azure Key Vault where the encryption key is stored<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">It\u2019s important that the <strong>cluster<\/strong>, <strong>user-assigned managed identity<\/strong>, and <strong>Azure Key Vault<\/strong> are located in the <strong>same Azure region<\/strong> and within the <a href=\"https:\/\/learn.microsoft.com\/entra\/identity-platform\/developer-glossary#tenant\"><strong>same Microsoft Entra tenant<\/strong><\/a>.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">Once all components are in place, you\u2019re ready to configure CMK during cluster provisioning. 
Follow these steps:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Fill in the required information on the <strong>Basics<\/strong> tab.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Navigate to the <strong>Encryption<\/strong> tab.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Select <strong>Customer-managed key<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Specify the <strong>user-assigned managed identity<\/strong> to access the encryption key.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\"><span style=\"font-family: arial, helvetica, sans-serif;\">Select the <strong>Azure Key Vault<\/strong> and the <strong>encryption key<\/strong> to be used.<\/span><\/span><span style=\"font-family: arial, helvetica, sans-serif;\"><span style=\"font-family: arial, helvetica, sans-serif;\"><em><a href=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/create-cluster-customer-managed-key-encryption-tab-with-selections.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-10833\" src=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/create-cluster-customer-managed-key-encryption-tab-with-selections.png\" alt=\"Azure Cosmos DB for MongoDB vCore cluster create with customer-managed key (CMK) encryption tab in Azure portal with selection made\" width=\"1279\" height=\"1324\" srcset=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/create-cluster-customer-managed-key-encryption-tab-with-selections.png 1279w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/create-cluster-customer-managed-key-encryption-tab-with-selections-290x300.png 290w, 
https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/create-cluster-customer-managed-key-encryption-tab-with-selections-989x1024.png 989w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/create-cluster-customer-managed-key-encryption-tab-with-selections-768x795.png 768w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2025\/08\/create-cluster-customer-managed-key-encryption-tab-with-selections-24x24.png 24w\" sizes=\"(max-width: 1279px) 100vw, 1279px\" \/><\/a>\nFigure 2. CMK configuration during cluster provisioning in Azure portal.<\/em><\/span><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif;\">Go to the <strong>Review + create<\/strong> tab and click <strong>Create<\/strong>.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">After the cluster is created, open its properties and verify on the <strong>Overview<\/strong> page that <strong>data encryption with customer-managed key<\/strong> is enabled.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">You can use Azure portal, Azure CLI, Azure SDKs, or REST APIs to perform all management operations for CMK in Azure Cosmos DB for MongoDB vCore.<\/span><\/p>\n<h1><span style=\"font-family: arial, helvetica, sans-serif;\">Next steps<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">To learn more and get started with CMK in Azure Cosmos DB for MongoDB vCore, explore the official documentation:<\/span><\/p>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/azure\/cosmos-db\/mongodb\/vcore\/database-encryption-at-rest\"><span style=\"font-family: arial, helvetica, sans-serif;\">Data encryption with customer-managed key (CMK) fundamentals<\/span><\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/azure\/cosmos-db\/mongodb\/vcore\/how-to-data-encryption\"><span style=\"font-family: arial, helvetica, 
sans-serif;\">How to manage data encryption with customer-managed key in Azure Cosmos for MongoDB vCore<\/span><\/a><\/li>\n<\/ul>\n<h1><span style=\"font-family: arial, helvetica, sans-serif;\">About Azure Cosmos DB<\/span><\/h1>\n<p><span style=\"font-family: arial, helvetica, sans-serif;\">Azure Cosmos DB is a fully managed and serverless distributed database for modern app development, with SLA-backed speed and availability, automatic and instant scalability, and support for open-source PostgreSQL, MongoDB, and Apache Cassandra. To stay in the loop on Azure Cosmos DB updates, follow us on\u00a0<a href=\"https:\/\/twitter.com\/AzureCosmosDB\">X<\/a>,\u00a0<a href=\"https:\/\/aka.ms\/AzureCosmosDBYouTube\">YouTube<\/a>, and\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/azure-cosmos-db\/\">LinkedIn<\/a>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Built-in security for every configuration Azure Cosmos DB for MongoDB vCore is designed with security as a foundational principle. Regardless of how your cluster is configured\u2014whether it&#8217;s a single-node deployment or a multi-shard architecture\u2014your data is always encrypted at rest using the AES-256 cipher, one of the most trusted and widely adopted encryption standards. This [&hellip;]<\/p>\n","protected":false},"author":103349,"featured_media":10831,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[15,13,667],"tags":[],"class_list":["post-10828","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mongodb-api","category-news","category-security"],"acf":[],"blog_post_summary":"<p>Built-in security for every configuration Azure Cosmos DB for MongoDB vCore is designed with security as a foundational principle. 
Regardless of how your cluster is configured\u2014whether it&#8217;s a single-node deployment or a multi-shard architecture\u2014your data is always encrypted at rest using the AES-256 cipher, one of the most trusted and widely adopted encryption standards. This [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/10828","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/users\/103349"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/comments?post=10828"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/10828\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media\/10831"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media?parent=10828"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/categories?post=10828"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/tags?post=10828"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}