AI - Azure AI services Blog

Azure OpenAI - Configuring customer managed keys for Encryption

RaviPenmetsa
May 07, 2023

Some customers, especially financial institutions and other regulated organizations, want a second layer of encryption on top of the default Microsoft-managed keys. This post gives complete details on how to enable customer-managed keys (CMK) for Azure OpenAI.

Note:

The Cognitive Services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.

To enable customer-managed keys, you must also enable both the Soft Delete and Do Not Purge (purge protection) properties on the key vault.

Step 1: Submit the request

First you need to fill out and submit the Cognitive Services Customer-Managed Key Request Form. It will take approximately 3-5 business days to hear back on the status of your request.

Step 2: Wait for email approval

Here is an example of the email you would receive once the request is approved in 3-5 business days:

Step 3: Before configuring customer-managed keys (CMK)

Here is how your panel looks before CMK is configured: the Encryption option is missing (compare with Step 4).

Step 4: After you get the CMK approval email, log out and log back in to the Azure portal.

The Encryption option now appears in the panel (as shown below).

Step 5: On the Encryption panel, select Customer Managed Keys -> Select from Key Vault (as shown below).

Then click Select a Key Vault and Key for encryption.

Step 6: In this section, click Create new Key Vault.

Note: Subscription name greyed out on purpose.

Step 7: Create a Key Vault as shown below. After entering all the details, click Next.

Note: Subscription name and Key Vault name greyed out on purpose.

Ensure that soft delete and purge protection are both enabled (as shown below).

Step 8: In the Access Policy tab, select Vault access policy, select the user and the required permissions (as shown below), and click Next.

Step 9: In the Networking tab, select All networks, configure selected networks, or create a private endpoint, depending on your company's security requirements.

Step 10: Review all the details and click Review + create.

Step 11: Now go to the newly created Key Vault.

Note: Some sections greyed out on purpose.

Step 12: Go back to your Azure OpenAI Encryption panel (Step 6 above) and click Create new key.

Note: Some sections greyed out on purpose.

Step 13: Pick the Generate option and any other settings you want, then click Create (as shown below).

Note: Some sections greyed out on purpose.

Step 14: You are taken back to the Step 6 screen; select the key and the version.

Note: Some sections greyed out on purpose.

Step 15: You are taken back to Encryption. Pick the Current key and the Key version in use (from the ones created in the previous steps), then click Save at the top (as shown below).

Note: Once you click Save, it takes anywhere between 10 and 45 minutes for the key to be updated and saved. Be patient and do not click Save again; check the Notifications section at the top right for progress updates.

Note: Some sections greyed out below on purpose.

After completing all the above steps, your customer-managed keys are ready and can be used in your application.
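The prerequisites the steps above depend on (soft delete and purge protection on the vault, vault and Azure OpenAI resource in the same region and tenant, and the account's encryption actually pointing at a key in that vault) are easy to verify from the resource JSON. The following is an added example, not code from the post; it assumes the input has the shape returned by `az keyvault show` and `az cognitiveservices account show`, and the two documents embedded below are constructed samples (the vault deliberately lacks purge protection).

```python
import json

# Constructed sample (trimmed): the shape of `az keyvault show` output for the vault.
KEY_VAULT_JSON = json.dumps({
    "name": "kv-demo", "location": "eastus",
    "properties": {
        "tenantId": "00000000-0000-0000-0000-000000000001",
        "enableSoftDelete": True,
        "enablePurgeProtection": False,  # deliberately left off to produce a finding
        "vaultUri": "https://kv-demo.vault.azure.net/",
    },
})

# Constructed sample (trimmed): `az cognitiveservices account show` for the Azure OpenAI resource.
OPENAI_ACCOUNT_JSON = json.dumps({
    "name": "aoai-demo", "location": "eastus",
    "identity": {"type": "SystemAssigned",
                 "tenantId": "00000000-0000-0000-0000-000000000001"},
    "properties": {"encryption": {
        "keySource": "Microsoft.KeyVault",
        "keyVaultProperties": {
            "keyName": "aoai-cmk",
            "keyVersion": "0123456789abcdef0123456789abcdef",
            "keyVaultUri": "https://kv-demo.vault.azure.net/",
        },
    }},
})

def cmk_preflight(key_vault_json: str, account_json: str) -> list:
    """Return the CMK prerequisites that are NOT met; an empty list means all good."""
    kv, acct = json.loads(key_vault_json), json.loads(account_json)
    kvp, problems = kv.get("properties", {}), []
    if not kvp.get("enableSoftDelete"):
        problems.append("vault: soft delete not enabled")
    if not kvp.get("enablePurgeProtection"):
        problems.append("vault: purge protection (Do Not Purge) not enabled")
    if kv.get("location") != acct.get("location"):
        problems.append("vault and account are in different regions")
    if kvp.get("tenantId") != acct.get("identity", {}).get("tenantId"):
        problems.append("vault and account identity are in different tenants")
    enc = acct.get("properties", {}).get("encryption", {})
    if enc.get("keySource") != "Microsoft.KeyVault":
        problems.append("account still uses Microsoft-managed keys")
        return problems  # nothing further to compare until CMK is selected
    key = enc.get("keyVaultProperties", {})
    if key.get("keyVaultUri", "").rstrip("/") != kvp.get("vaultUri", "").rstrip("/"):
        problems.append("account encryption points at a different vault")
    if not (key.get("keyName") and key.get("keyVersion")):
        problems.append("account encryption is missing the key name or version")
    return problems
```

Run it against the real `az` output after Step 15 has finished saving; an empty list means the configuration matches what the post requires.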

References: Azure OpenAI Service encryption of data at rest - Azure Cognitive Services | Microsoft Learn

Published May 07, 2023
Version 1.0