We’re pleased to announce general availability of customer managed keys! By default, Azure Database for MySQL - Flexible Server encrypts data at rest. With customer-managed keys (CMKs), you can bring your own key (BYOK) for an extra layer of data encryption.
CMK is an asymmetric key that is stored in a customer-owned and managed Azure Key Vault instance. Data encryption key (DEK) is designed for use by the Azure Database for MySQL service to encrypt/decrypt data. The CMK, also known as the Key Encryption Key (KEK), is used to encrypt and decrypt the Data Encryption Key. So that's encryption within encryption!
To configure data encryption using CMK, all you need to do is to link the User-assigned Managed Identity (UMI) to the server and specify the Azure Key Vault and the key to use. Currently, Azure Database for MySQL - Flexible Server only supports using the UMI.
Benefits
- Full control of data access via the ability to remove the key and make the database inaccessible.
- Full control over the key lifecycle, including rotation of the key to aligning with corporate policies.
- Central management and organization of keys in Azure Key Vault
- The ability to implement separation of duties between security officers, DBA, and system administrators.
For more details on how to get started, watch the following demo video and/or refer the article Data encryption for Azure Database for MySQL - Flexible Server by using the Azure portal.
Try out this feature today and let us know that you think at AskAzureDBforMySQL@service.microsoft.com. Thank you!
