Azure Database for PostgreSQL has released the public preview of versionless Customer Managed Keys (CMK). This post explains the available key management choices and their benefits.
Encryption and Key Management Choices
In Azure Database for PostgreSQL flexible server, there are three possibilities for managing encryption keys:
- Service Managed Keys (SMK): With SMK, Microsoft takes care of key management. This means that the encryption keys are managed by Microsoft, providing a hassle-free and secure solution for our customers who prefer not to handle key management themselves.
- Customer Managed Keys (CMK): CMK allows you to manage the lifecycle of your encryption keys. Keys are generated and stored in Azure Key Vault or Azure Key Vault Managed HSM (jointly referred to as AKV in this post). They cannot be exported. Azure Database for PostgreSQL uses the wrap and unwrap operations in AKV to protect the data encryption key with the CMK. This allows you to manually rotate keys, use AKV’s auto-rotation feature (https://learn.microsoft.com/azure/key-vault/keys/how-to-configure-key-rotation), revoke the key (which effectively disables the server) and control key expiry.
- Bring Your Own Key (BYOK): BYOK is a special case of CMK; instead of generating the keys in AKV, you import a key generated elsewhere into AKV, for example from your on-prem HSM (https://learn.microsoft.com/azure/key-vault/keys/hsm-protected-keys). Rotation is managed by importing a fresh key into the same key as a new version. As with AKV-generated keys, you control revocation and the expiry date.
Versionless Keys in CMK for PostgreSQL (Preview)
Previously, when configuring CMK in PostgreSQL, you specified the entire key URI, for example “https://myKeyVault.vault.azure.net/keys/myKey/1234567890abcdef”. The last part is the version GUID. Whenever you manually rotated the key, or AKV auto-rotated it based on its rotation policy, you had to update the CMK property on your PostgreSQL instance. This approach proved to be error-prone work for operators, or required a custom script to handle the rotation.
Versionless CMK keys (currently in Public Preview) eliminate the need to update the CMK’s version property in your PostgreSQL instance (see https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-data-encryption#special-considerations). PostgreSQL automatically picks up the new key version and re-encrypts the data encryption key. This is a huge simplification of your key lifecycle management, especially when combined with AKV auto-rotation. Note: this feature is sometimes referred to as auto-rotation.
To implement this using ARM, Bicep, Terraform, Azure PowerShell or Azure CLI, simply omit the version GUID from your key URI (see https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-data-encryption?tabs=portal-system-managed-server-provisioning%2Ccli-customer-managed-server-provisioning%2Cportal-customer-managed-server-existing#configure-data-encryption-with-customer-managed-key-during-server-provisioning).
In the Portal, select the checkbox so that the UI suppresses version GUIDs during interactive selection and when validating the URI (see https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-data-encryption?tabs=portal-system-managed-server-provisioning%2Ccli-customer-managed-server-provisioning%2Cportal-customer-managed-server-existing#configure-data-encryption-with-customer-managed-key-during-server-provisioning).
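As an added example (not code from this post or from Microsoft), the following Python helper derives the versionless form of a Key Vault key URI and audits a list of configured URIs for ones that still pin a version GUID; the accepted host suffixes (public-cloud Key Vault and Managed HSM) and the sample URIs are assumptions constructed for the example.

```python
"""Normalize Azure Key Vault key URIs to the versionless form used by CMK."""
from urllib.parse import urlparse

# Assumed host suffixes for Key Vault and Managed HSM in the Azure public cloud.
_VAULT_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")


def parse_key_uri(uri: str) -> dict:
    """Split https://<vault>/keys/<name>[/<version>] into its parts.

    Raises ValueError for non-https URIs, non-AKV hosts, or paths that are not
    a key (e.g. /secrets/...), so a misconfigured CMK property fails loudly.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        raise ValueError(f"key URI must use https: {uri}")
    host = parsed.netloc
    if "@" in host or ":" in host or not host.lower().endswith(_VAULT_SUFFIXES):
        raise ValueError(f"not an Azure Key Vault / Managed HSM host: {host}")
    # Drop empty segments so a trailing slash does not count as a version.
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "keys":
        raise ValueError(f"expected /keys/<name>[/<version>] in: {uri}")
    version = parts[2] if len(parts) == 3 else None
    return {"host": host, "name": parts[1], "version": version}


def versionless_key_uri(uri: str) -> str:
    """Return the URI without the version GUID, as the CMK property expects."""
    key = parse_key_uri(uri)
    return f"https://{key['host']}/keys/{key['name']}"


def is_versionless(uri: str) -> bool:
    """True when the URI omits the version GUID (auto-rotation friendly)."""
    return parse_key_uri(uri)["version"] is None


def audit(uris) -> dict:
    """Map each configured URI to 'versionless' or the corrected URI to use."""
    return {u: ("versionless" if is_versionless(u)
                else f"pinned; use {versionless_key_uri(u)}") for u in uris}


if __name__ == "__main__":
    # Constructed sample: one pinned URI (the post's example) and one versionless URI.
    for uri, verdict in audit([
        "https://myKeyVault.vault.azure.net/keys/myKey/1234567890abcdef",
        "https://myKeyVault.vault.azure.net/keys/myKey",
    ]).items():
        print(f"{uri} -> {verdict}")
```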
Conclusion
The introduction of versionless CMK for storage in PostgreSQL has the following advantages:
- Simplified Key Management: By eliminating the need to update the key version, PostgreSQL users can streamline their key management processes, reducing complexity and potential errors.
- Enhanced Security: Versionless keys minimize the risk of outdated or compromised key versions remaining in use, ensuring that the latest key version is always in use.