{"id":6384,"date":"2024-05-09T07:00:24","date_gmt":"2024-05-09T14:00:24","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cosmosdb\/?p=6384"},"modified":"2024-05-09T10:07:10","modified_gmt":"2024-05-09T17:07:10","slug":"configure-customer-managed-keys-for-your-existing-azure-cosmos-db-accounts","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cosmosdb\/configure-customer-managed-keys-for-your-existing-azure-cosmos-db-accounts\/","title":{"rendered":"Configure customer-managed keys for your existing Azure Cosmos DB accounts!"},"content":{"rendered":"<h2><img decoding=\"async\" width=\"626\" height=\"417\" class=\"wp-image-6627 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2023\/08\/free-vector-abstract-secure-technology-background-1.jpeg\" alt=\"Free vector abstract secure technology background with circuit\" srcset=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2023\/08\/free-vector-abstract-secure-technology-background-1.jpeg 626w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2023\/08\/free-vector-abstract-secure-technology-background-1-300x200.jpeg 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/><\/h2>\n<h2>Encryption options for data at rest on Azure Cosmos DB that are available today.<\/h2>\n<p>Azure Cosmos DB strives to provide the best-in-class security features. Encryption of data at rest is one such important security feature. Encryption of data at rest using Microsoft&#8217;s service-managed keys is enabled by default.<\/p>\n<p>In addition to this default encryption, Azure Cosmos DB allows customers to add a second layer of encryption using customer-managed keys (CMK). 
Until now, this feature has been available only during new account creation.<\/p>\n<h2>New announcement!<\/h2>\n<p>We are excited to announce General Availability (GA) for enabling <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/cosmos-db\/how-to-setup-customer-managed-keys-existing-accounts\">Customer Managed Keys (CMK) on your existing Azure Cosmos DB account<\/a>.<\/p>\n<h2>How does this feature help?<\/h2>\n<p>Many of our customers wanted to extend encryption at rest with the CMK offering to their existing accounts to increase their security posture, in place and as-is, without the overhead of a migration. This means:<\/p>\n<ul>\n<li>Customers fully control data access. Customers are able to bring their own key (BYOK) to enable the separation of duties in the management of keys and data.<\/li>\n<li>Full control over the key life cycle, including rotating keys per corporate security policies.<\/li>\n<li>Central management of keys using Azure Key Vault.<\/li>\n<\/ul>\n<p>This is a completely online process, which means that there is no downtime. Encryption of existing data happens in the background. Applications can continue to use the Azure Cosmos DB account for reads and writes.<\/p>\n<h2>Important considerations to keep in mind.<\/h2>\n<ul>\n<li>Enabling CMK will kick off a background, asynchronous process to encrypt all the data. There is no need to wait for the asynchronous operation to succeed. The enablement process will consume unused\/spare RUs so that it does not affect your read\/write workloads. However, the completion of this asynchronous operation depends on sufficient leftover RUs being available. 
We suggest enabling CMK during off-peak hours and, if applicable, increasing RUs before enabling CMK.<\/li>\n<li>Any prerequisite required to enable CMK on a new account \u2013 as described in <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/cosmos-db\/how-to-setup-customer-managed-keys?tabs=azure-portal#prerequisites\" target=\"_blank\" rel=\"noopener\">this article<\/a> \u2013 also applies when enabling CMK on existing accounts.<\/li>\n<li>As you would expect, enabling CMK is accompanied by a slight increase in data size and a slight increase in RU consumption to accommodate the extra encryption\/decryption processing.<\/li>\n<li>We suggest backing up the data prior to enabling CMK.<\/li>\n<li>We also recommend testing all scenarios and familiarizing yourself with the process on non-production accounts first.<\/li>\n<li>Data encryption using CMK cannot be reversed. Data encryption happens in batches. You can monitor the encryption progress and completion status.<\/li>\n<\/ul>\n<h2>Are there any limitations?<\/h2>\n<ul>\n<li>Enabling CMK is available only at the Azure Cosmos DB account level, not at the collection level.<\/li>\n<li>We do not support enabling CMK on existing Azure Cosmos DB for Apache Cassandra accounts.<\/li>\n<li>Existing accounts that are enabled for Materialized Views and Full Fidelity Change Feed (FFCF) are presently not supported for CMK.<\/li>\n<li>Please ensure the account does not have documents with ids larger than 990 bytes before enabling CMK. Otherwise, you will get an error, because the maximum supported id size after encryption is 1024 bytes. 
To verify whether your account is compliant, you can use the provided console application <a href=\"https:\/\/github.com\/AzureCosmosDB\/Cosmos-DB-Non-CMK-to-CMK-Migration-Scanner\" target=\"_blank\" rel=\"noreferrer noopener\">hosted here<\/a> to scan your account.<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/cosmos-db\/audit-control-plane-logs#control-plane-operations-for-azure-cosmos-db-account\">Control plane<\/a> actions such as &#8220;add region&#8221; will be blocked during the encryption of existing data. These actions are unblocked and can be used right after the encryption is complete.<\/li>\n<\/ul>\n<h2>Next steps<\/h2>\n<p>We would love to have you onboard and enable CMK on your existing accounts. 
Please go through the Azure Cosmos DB <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/cosmos-db\/how-to-setup-customer-managed-keys-existing-accounts\">documentation<\/a> on enabling CMK on existing accounts for the next steps.<\/p>\n<p><a href=\"https:\/\/azure.microsoft.com\/en-us\/products\/cosmos-db\/\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">Azure Cosmos DB<\/span><\/a><span data-contrast=\"none\"> is a fully managed NoSQL and relational database for modern app development with SLA-backed speed and availability, automatic and instant scalability, and support for open-source PostgreSQL, MongoDB and Apache Cassandra.\u00a0<\/span><a href=\"https:\/\/cosmos.azure.com\/try\/\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">Try Azure Cosmos DB for free here<\/span><\/a><span data-contrast=\"none\">. To stay in the loop on Azure Cosmos DB updates, follow us on\u00a0<\/span><a href=\"https:\/\/twitter.com\/AzureCosmosDB\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">Twitter<\/span><\/a><span data-contrast=\"none\">,\u00a0<\/span><a href=\"https:\/\/www.youtube.com\/AzureCosmosDB\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">YouTube<\/span><\/a><span data-contrast=\"none\">, and\u00a0<\/span><a href=\"https:\/\/www.linkedin.com\/company\/azure-cosmos-db\/\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">LinkedIn<\/span><\/a><span data-contrast=\"none\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Encryption options for data at rest on Azure Cosmos DB that are available today. Azure Cosmos DB strives to provide the best-in-class security features. Encryption of data at rest is one such important security feature. Encryption of data at rest using Microsoft&#8217;s service-managed keys is enabled by default. 
In addition to this default encryption, Azure [&hellip;]<\/p>\n","protected":false},"author":88168,"featured_media":6627,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[14,667],"tags":[499],"class_list":["post-6384","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-core-sql-api","category-security","tag-azure-cosmos-db"],"acf":[],"blog_post_summary":"<p>Encryption options for data at rest on Azure Cosmos DB that is available today. Azure Cosmos DB strives to provide the best-in-class security features. Encryption of data at rest is one such important security feature. Encryption of data at rest using Microsoft&#8217;s service-managed keys is enabled by default. In addition to this default encryption, Azure [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/6384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/users\/88168"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/comments?post=6384"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/6384\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media\/6627"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media?parent=6384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/categories?post=6384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/
\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/tags?post=6384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}