Azure Database for MySQL Blog

Managed HSM support for Azure Database for MySQL – Flexible Server (General Availability)

talawren (Microsoft)
Aug 06, 2024

We're happy to announce general availability of Azure Key Vault Managed HSM support for customer managed keys (CMK) in Azure Database for MySQL – Flexible Server!

What is Managed HSM?

Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that lets you safeguard the cryptographic keys for your cloud applications using FIPS 140-2 Level 3 validated HSMs. Key material is stored and processed only within the region that hosts the HSM, which supports data residency requirements. Each Managed HSM instance is dedicated to a single customer and consists of a cluster of HSM partitions. All cryptographic operations, such as key generation, encryption, decryption, signing and verification, are performed inside the HSM boundary, so keys never leave the HSM in plaintext.

Benefits of Managed HSM support for Azure Database for MySQL – Flexible Server

The Managed HSM feature lets you use your own HSM-backed encryption keys to protect data at rest in MySQL – Flexible Server instances. You can generate the key inside the Managed HSM, or import a key generated on a physical on-premises HSM by using Managed HSM's bring your own key (BYOK) feature, while keeping full control over the key. The server depends on that key: you decide which identity may use it, and if the key is deleted or the server's identity loses access to it, the server's data can no longer be decrypted.

Configuring Managed HSM for Azure Database for MySQL – Flexible Server

You can configure an Azure Key Vault Managed HSM key for new or existing Azure Database for MySQL flexible servers by using the Azure CLI or the Azure portal.

[Portal screenshot from the original post, not reproduced here]

When configuring Managed HSM, note that you must:

  • Deploy the Managed HSM in the same region as the MySQL flexible server.
  • Have soft delete and purge protection enabled on the Managed HSM. Soft delete is always on for Managed HSM; purge protection is off by default and must be turned on explicitly.
  • Assign the server's user-assigned managed identity (UMI) the "Managed HSM Crypto Service Encryption User" role. This is a role in the Managed HSM's local RBAC, not an Azure RBAC role on the resource, and it can be scoped to the individual key ("/keys/<key-name>") rather than to the whole HSM.
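
The following script is an added example and is not code from the original post or from the Azure Database for MySQL team. It checks the three requirements above with the Azure CLI before attaching the key to the server, so a misconfiguration is reported up front instead of surfacing as a failed update. It assumes the Azure CLI is installed and logged in; the HSM, resource group, server, identity and key names are placeholders passed as arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): preflight the three Managed HSM
# requirements for Azure Database for MySQL - Flexible Server, then attach the key.
# Assumes Azure CLI is installed and logged in; all resource names are placeholders.

# Normalize an Azure location ("East US", "eastus") so the two can be compared.
norm_region() {
  printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]'
}

# Requirement 1: the Managed HSM and the flexible server must be in the same region.
check_same_region() {
  local hsm=$1 rg=$2 server=$3 hsm_region server_region
  hsm_region=$(az keyvault show --hsm-name "$hsm" --query location -o tsv)
  server_region=$(az mysql flexible-server show -g "$rg" -n "$server" --query location -o tsv)
  [ "$(norm_region "$hsm_region")" = "$(norm_region "$server_region")" ]
}

# Requirement 2: purge protection. Soft delete is always on for Managed HSM;
# purge protection is opt-in and is the setting that actually needs checking.
check_purge_protection() {
  local hsm=$1 pp
  pp=$(az keyvault show --hsm-name "$hsm" --query properties.enablePurgeProtection -o tsv)
  [ "$pp" = "true" ]
}

# Requirement 3: the UMI's service principal holds "Managed HSM Crypto Service Encryption
# User" in the HSM's local RBAC, scoped to the key ("/keys/<name>") or to the whole HSM ("/").
check_role_assignment() {
  local hsm=$1 principal=$2 key=$3 scope
  for scope in $(az keyvault role assignment list --hsm-name "$hsm" \
        --assignee-object-id "$principal" \
        --role "Managed HSM Crypto Service Encryption User" \
        --query "[].scope" -o tsv); do
    case "$scope" in
      /|/keys/"$key") return 0 ;;
    esac
  done
  return 1
}

# Run all three checks; returns 0 only if every requirement is met.
preflight() {
  local hsm=$1 rg=$2 server=$3 principal=$4 key=$5 failed=0
  if check_same_region "$hsm" "$rg" "$server"; then
    echo "ok:   HSM and server are in the same region"
  else
    echo "FAIL: HSM and server are in different regions"; failed=1
  fi
  if check_purge_protection "$hsm"; then
    echo "ok:   purge protection enabled on $hsm"
  else
    echo "FAIL: enable it with: az keyvault update-hsm --hsm-name $hsm --enable-purge-protection true"
    failed=1
  fi
  if check_role_assignment "$hsm" "$principal" "$key"; then
    echo "ok:   UMI holds Managed HSM Crypto Service Encryption User on $key"
  else
    echo "FAIL: grant it with: az keyvault role assignment create --hsm-name $hsm \\"
    echo "        --role \"Managed HSM Crypto Service Encryption User\" \\"
    echo "        --assignee-object-id $principal --scope /keys/$key"
    failed=1
  fi
  return "$failed"
}

# Look up the UMI and key, run the preflight, and only then attach the key to the server.
main() {
  local hsm=$1 rg=$2 server=$3 umi=$4 key=$5 principal umi_id kid
  principal=$(az identity show -g "$rg" -n "$umi" --query principalId -o tsv)
  umi_id=$(az identity show -g "$rg" -n "$umi" --query id -o tsv)
  preflight "$hsm" "$rg" "$server" "$principal" "$key" || {
    echo "preflight failed; server left unchanged" >&2; return 1; }
  kid=$(az keyvault key show --hsm-name "$hsm" --name "$key" --query key.kid -o tsv)
  az mysql flexible-server update -g "$rg" -n "$server" --key "$kid" --identity "$umi_id"
}

# Usage: ./cmk-preflight.sh <hsm-name> <resource-group> <server-name> <umi-name> <key-name>
if [ $# -eq 5 ]; then main "$@"; fi
```

The same `--key` and `--identity` options work on `az mysql flexible-server create` for a new server. The role check accepts either a key-scoped or an HSM-wide assignment; scoping to the single key is the least-privilege choice, because the identity then cannot use any other key in the HSM.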

 

Learn more

For more details about this feature, see the article Data encryption with customer managed keys - Azure Database for MySQL - Flexible Server.

If you have any queries or suggestions, please let us know by leaving a comment below or by contacting us directly at AskAzureDBforMySQL@service.microsoft.com.

Updated Aug 06, 2024
Version 1.0