Azure Database for PostgreSQL Blog

Automatic CMK Key Version Updates for PostgreSQL Flex – GA

Heinrich_Gantenbein
May 19, 2025

The Azure Database for PostgreSQL flexible server team is excited to announce General Availability of the “Automatic CMK key version update” (known as “version-less keys” during the preview). This change simplifies the key lifecycle management by allowing PostgreSQL to automatically adopt new keys without needing manual updates. This is especially beneficial when combined with Azure Key Vault's auto-rotation feature. This post shows your choices and their benefits. It also contains a general overview of encryption key strategies you can use.

How to use Automatic CMK Key Version Updates

Previously, when configuring CMK in PostgreSQL, you specified the entire key URI, for example “https://myKeyVault.vault.azure.net/keys/myKey/1234567890abcdef”. The last path segment is the version GUID. Whenever you manually rotated the key, or AKV auto-rotated it based on its rotation policy, you had to update the CMK property on your PostgreSQL instance. This was error-prone manual work for operators, or required a custom script to handle the rotation.

To enable automatic CMK key version updates, use a version-less key URI. This eliminates the need to update the CMK’s version property in your PostgreSQL instance after a key rotation (see https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-data-encryption#special-considerations). PostgreSQL will automatically pick up the new key version and re-encrypt the data encryption key. This is a huge simplification in your key lifecycle management, especially when combined with AKV auto-rotation.

To configure this with ARM, Bicep, Terraform, Azure PowerShell or Azure CLI, simply omit the version GUID from your key URI (see https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-data-encryption?tabs=portal-system-managed-server-provisioning%2Ccli-customer-managed-server-provisioning%2Cportal-customer-managed-server-existing#configure-data-encryption-with-customer-managed-key-during-server-provisioning).

In the Portal, select the checkbox that tells the UI to suppress version GUIDs during interactive selection and when validating the URI (see https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-data-encryption?tabs=portal-system-managed-server-provisioning%2Ccli-customer-managed-server-provisioning%2Cportal-customer-managed-server-existing#configure-data-encryption-with-customer-managed-key-during-server-provisioning).
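As an added example (not code from the post or the PostgreSQL team), the POSIX shell helpers below derive the version-less key URI from a versioned one, classify a server's configured key URI as pinned to a version or auto-updating, and build the Azure CLI update command from it. The resource group, server name and identity ID are placeholders, the host pattern assumes public-cloud Key Vault and Managed HSM endpoints, and the field name to read from `az postgres flexible-server show` is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for moving a
# PostgreSQL flexible server CMK to a version-less key URI.
# Assumes public-cloud Key Vault / Managed HSM hosts; version IDs are 32 hex chars.
KEY_URI_RE='^https://[A-Za-z0-9-]+\.(vault\.azure\.net|managedhsm\.azure\.net)/keys/[A-Za-z0-9-]+(/[0-9a-f]{32})?$'

# Return 0 if $1 is a well-formed Key Vault or Managed HSM key URI.
is_key_uri() {
  printf '%s\n' "$1" | grep -Eq "$KEY_URI_RE"
}

# Print the version-less form of a key URI (strips a trailing /<version>).
# Fails if the input is not a key URI, so a typo is never sent to the server.
versionless_key_uri() {
  uri=$(printf '%s\n' "$1" | sed 's#/*$##')
  is_key_uri "$uri" || { echo "not a Key Vault key URI: $1" >&2; return 1; }
  printf '%s\n' "$uri" | sed 's#\(/keys/[^/]*\)/[0-9a-f]\{32\}$#\1#'
}

# Audit check: "pinned" means the server still references one key version and
# must be updated after every rotation; "auto" means it will pick up new
# versions on its own; "invalid" means the value is not a key URI at all.
# Feed it the primary key URI reported by `az postgres flexible-server show`
# (dataEncryption section; the exact field name is an assumption here).
cmk_rotation_mode() {
  uri=$(printf '%s\n' "$1" | sed 's#/*$##')
  if ! is_key_uri "$uri"; then echo invalid
  elif printf '%s\n' "$uri" | grep -Eq '/[0-9a-f]{32}$'; then echo pinned
  else echo auto
  fi
}

# Build the CLI command that switches an existing server to the version-less
# URI. $1 resource group, $2 server name, $3 key URI (versioned or not),
# $4 user-assigned identity resource ID (placeholders in the caller).
cmk_update_command() {
  key_uri=$(versionless_key_uri "$3") || return 1
  printf 'az postgres flexible-server update -g %s -n %s --key %s --identity %s\n' \
    "$1" "$2" "$key_uri" "$4"
}
```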

About Encryption and Key Management Choices

In Azure Database for PostgreSQL flexible server, there are three possibilities for managing encryption keys:

  1. Service Managed Keys (SMK): With SMK, Microsoft takes care of key management. This means that the encryption keys are managed by Microsoft, providing a hassle-free and secure solution for our customers who prefer not to handle key management themselves.
  2. Customer Managed Keys (CMK): CMK allows you to manage the lifecycle of your encryption keys. Keys are generated and stored in Azure Key Vault or Azure Key Vault Managed HSM (jointly referred to as AKV in this post). They cannot be exported. Azure Database for PostgreSQL uses the AKV wrap and unwrap operations to protect the data encryption key with the CMK. This allows you to manually rotate keys, use AKV’s auto-rotation feature (https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation), revoke the key (effectively disabling the server) and control key expiry.
  3. Bring Your Own Key (BYOK): BYOK is a special case of CMK; instead of generating the keys in AKV, you import a key generated elsewhere into AKV, for example from your on-prem HSM (https://learn.microsoft.com/azure/key-vault/keys/hsm-protected-keys). Rotation is managed by importing a fresh key into the same key as a new version. As with AKV-generated keys, you control revocation and the expiry date.

Conclusion

The introduction of automatic CMK key version updates in PostgreSQL has the following advantages:

  • Simplified Key Management: By eliminating the need to update the key version, PostgreSQL users can streamline their key management processes, reducing complexity and potential errors.
  • Enhanced Security: Removing the manual key-version update minimizes the risk of outdated or compromised key versions remaining in use, ensuring that the latest key version is always in use.
Updated May 19, 2025
Version 1.0