Azure Data Explorer Blog

Use customer managed keys to encrypt data on Azure Data Explorer clusters

gabil (Microsoft)
Jan 21, 2020

Azure Storage encrypts all data in the storage account at rest; by default, the data is encrypted with Microsoft-managed keys. Customer-managed keys (CMK) give customers more control over key management and require Key Vault for managing the keys. This new capability is also a critical piece in the JEDI cloud contract with the Department of Defense.

To enable Customer Managed Keys:

  1. Create an Azure Data Explorer cluster with a system-assigned identity using C# or an ARM template (Azure Portal support coming soon).
  2. Add the cluster to the access policy of the Key Vault that contains your keys.
  3. Configure your Azure Data Explorer cluster with the Key Vault properties.

You are good to go!

If you delete or disable the key or delete the Key Vault, your cluster will block (within 1 hour) all access to the data and the cluster will be stopped.
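
A pre-flight check for the three steps above, written as an added example (it is not from the original post or from Microsoft's tooling). It inspects the ARM JSON of the cluster and the Key Vault; the function name, the sample values, the required key permissions and the purge-protection check are assumptions drawn from Azure's CMK documentation, not from this post.

```python
# Key permissions the cluster identity needs (assumption from Azure's CMK docs).
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

def check_cmk(cluster, vault):
    """Return findings; an empty list means all three steps look complete."""
    findings = []
    # Step 1: the cluster must carry a system-assigned identity.
    identity = cluster.get("identity") or {}
    if "systemassigned" not in (identity.get("type") or "").lower():
        findings.append("cluster has no system-assigned identity")
    principal = identity.get("principalId")
    # Step 2: the vault's access policy must list that identity.
    vprops = vault.get("properties", {})
    policy = next((p for p in vprops.get("accessPolicies", [])
                   if principal and p.get("objectId") == principal), None)
    if policy is None:
        findings.append("cluster identity is not in the Key Vault access policy")
    else:
        granted = {k.lower() for k in policy.get("permissions", {}).get("keys", [])}
        missing = sorted(REQUIRED_KEY_PERMS - granted)
        if missing:
            findings.append("access policy lacks key permissions: " + ", ".join(missing))
    # Step 3: the cluster's keyVaultProperties must point at this vault.
    kvp = cluster.get("properties", {}).get("keyVaultProperties") or {}
    if not kvp.get("keyName") or not kvp.get("keyVaultUri"):
        findings.append("cluster keyVaultProperties are not configured")
    elif kvp["keyVaultUri"].rstrip("/") != vprops.get("vaultUri", "").rstrip("/"):
        findings.append("keyVaultProperties point at a different vault")
    # Assumption (Azure CMK docs): purge protection guards against key loss.
    if not vprops.get("enablePurgeProtection"):
        findings.append("Key Vault purge protection is off")
    return findings

# Constructed sample resources in ARM JSON shape; every value is a placeholder.
PRINCIPAL = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLUSTER = {
    "identity": {"type": "SystemAssigned", "principalId": PRINCIPAL},
    "properties": {"keyVaultProperties": {
        "keyName": "example-key", "keyVersion": "<key-version>",
        "keyVaultUri": "https://example-vault.vault.azure.net/"}},
}
SAMPLE_VAULT = {"properties": {
    "vaultUri": "https://example-vault.vault.azure.net/",
    "enablePurgeProtection": True,
    "accessPolicies": [{"objectId": PRINCIPAL,  # unwrapKey left out on purpose
                        "permissions": {"keys": ["get", "wrapKey"]}}],
}}

if __name__ == "__main__":
    print(check_cmk(SAMPLE_CLUSTER, SAMPLE_VAULT))
```

Running it against resources exported before a key rotation or vault change shows whether the cluster would keep access to its key.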

For more information, read the following documents:

Azure Data Explorer team
