One of the biggest security and compliance requirements for enterprise customers is to encrypt their data at rest using their own encryption key. This is even more critical in a post-GDPR world. In that spirit, we’re happy to announce general availability of encryption using customer managed key (BYOK) for data at rest in Azure Service Bus.
The message payload data in Azure Service Bus has always been encrypted - whether in transit using TLS or at rest, using a service managed key. However, for some customers it is vital that they own and manage the keys used to encrypt the data at rest. In the past, customers have achieved this by encrypting all messages in their sender applications and decrypting them in their receiver applications. This process is cumbersome and involves custom logic.
With the extension to encrypt the data using customer managed key, the service provides a simplified experience while giving the customer better control on how the data is stored and what applications/users have access to it.
To enable encryption at rest with customer managed key, customers should use a managed service identity to setup an access policy on Azure KeyVault that contains the keys. Customers must also enable Soft-delete and purge protection for customer managed keys that help protect them against ransomware scenarios and accidental deletion. The entire setup is transparent to the client applications and no code or configuration changes are needed to send or receive messages from a BYOK enabled Service Bus namespace.
With customer managed key encryption on Azure Service Bus, enterprise customers can now be more confident than ever in the security of their data. This feature unlocks cloud native enterprise messaging for customers for whom BYOK is a prerequisite for data at rest. There feature is available at no extra charge.
To get started with encryption at rest using a customer managed key, please review the below documentation -