We are excited to announce the public preview of data encryption at rest with customer-managed key (CMK) support for Azure Event Hubs. Azure Event Hubs encrypts data at rest and in transit. By default, Event Hubs uses Azure Storage Service Encryption with Microsoft-managed keys to encrypt data at rest. With customer-managed key support, customers can instead encrypt that data with keys they own and control.
Data encryption for Event Hubs with customer-managed keys uses Azure Key Vault. Azure Key Vault protects keys with hardware security modules (HSMs) that are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. Access to a key vault requires authentication and authorization: authentication is done via Azure Active Directory, and authorization via role-based access control (RBAC) on the vault and key vault access policies on its keys.
To enable data encryption with customer-managed keys, Event Hubs assumes that the customer's Azure Active Directory tenant, key vault, and encryption key (the key used to protect the Event Hubs data) are already in place.
Data encryption with customer-managed keys can be enabled only on namespaces in Dedicated Event Hubs clusters; it is not available for Standard Event Hubs namespaces. Once a namespace is enabled for customer-managed key encryption, there is no opting out: it cannot be switched back to Microsoft-managed keys.
Once encryption is enabled, customers can rotate their key in Azure Key Vault, whether for compliance policies or for security reasons. When the key is rotated, Event Hubs re-encrypts the data encryption keys it uses for the Event Hubs resources under the new customer-managed key. The service takes care of this automatically; it does not re-encrypt the stored data itself, and the customer does not need to take any action.
Using customer-managed keys with Event Hubs requires the key vault to have soft delete and purge protection enabled, so that a deleted key can be recovered and cannot be permanently purged; this helps protect customers from ransomware and accidental-deletion scenarios in which losing the key would make the data unreadable.
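As an added example (not part of the original announcement, and not a template published by the Event Hubs team), the following ARM template wires the pieces above together. It assumes the Dedicated cluster, the key vault and the key already exist, and that the vault already has soft delete and purge protection turned on; the parameter names, the nested deployment name and the API versions are this example's own choices.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "namespaceName": { "type": "string", "metadata": { "description": "Example parameter: new namespace to create in the Dedicated cluster" } },
    "clusterArmId": { "type": "string", "metadata": { "description": "Example parameter: resource ID of the existing Dedicated Event Hubs cluster" } },
    "keyVaultName": { "type": "string", "metadata": { "description": "Example parameter: existing vault in this resource group; soft delete and purge protection assumed already enabled" } },
    "keyName": { "type": "string", "metadata": { "description": "Example parameter: existing key in that vault" } },
    "keyVersion": { "type": "string", "metadata": { "description": "Example parameter: version of the key to encrypt with" } }
  },
  "variables": {
    "namespaceId": "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaceName'))]",
    "keyVaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.EventHub/namespaces",
      "apiVersion": "2018-01-01-preview",
      "name": "[parameters('namespaceName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard", "tier": "Standard" },
      "identity": { "type": "SystemAssigned" },
      "properties": { "clusterArmId": "[parameters('clusterArmId')]" }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "dependsOn": [ "[variables('namespaceId')]" ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(variables('namespaceId'), '2018-01-01-preview', 'Full').identity.principalId]",
            "permissions": { "keys": [ "get", "wrapKey", "unwrapKey" ] }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "enableCustomerManagedKey",
      "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]" ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.EventHub/namespaces",
              "apiVersion": "2018-01-01-preview",
              "name": "[parameters('namespaceName')]",
              "location": "[resourceGroup().location]",
              "sku": { "name": "Standard", "tier": "Standard" },
              "identity": { "type": "SystemAssigned" },
              "properties": {
                "clusterArmId": "[parameters('clusterArmId')]",
                "encryption": {
                  "keySource": "Microsoft.KeyVault",
                  "keyVaultProperties": [
                    {
                      "keyName": "[parameters('keyName')]",
                      "keyVaultUri": "[reference(variables('keyVaultId'), '2019-09-01').vaultUri]",
                      "keyVersion": "[parameters('keyVersion')]"
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    }
  ]
}
```

The three resources deploy in order: the namespace is created first with a system-assigned identity, that identity is then granted only the `get`, `wrapKey` and `unwrapKey` key permissions it needs (no `delete`, `purge` or `create`), and only then is the namespace redeployed with the `encryption` block, via a nested deployment, because enabling encryption fails if the namespace cannot yet unwrap with the key. Before deploying, confirm the vault prerequisite from the text with `az keyvault show --name <vault> --query "{softDelete:properties.enableSoftDelete,purgeProtection:properties.enablePurgeProtection}"`; both values must be `true`.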
This feature targets enterprise customers who need to protect sensitive data to meet regulatory or compliance obligations such as HIPAA and the terms of a Business Associate Agreement (BAA).
Note: Customer-managed key encryption for Event Hubs can be enabled only on Event Hubs namespaces that belong to a Dedicated Event Hubs cluster. Event Hubs clusters are Kafka-enabled by default. Create a Dedicated cluster in the portal by following this link.