
Customer-managed keys (CMK) for Microsoft Foundry

Note

This document refers to the Microsoft Foundry (classic) portal.

Tip

An alternate hub-focused CMK article is available: Customer-managed keys for hub projects.

Customer-managed key (CMK) encryption in Microsoft Foundry gives you control over encryption of your data. Use CMKs to add an extra protection layer and help meet compliance requirements with Azure Key Vault integration.

Microsoft Foundry provides robust encryption capabilities, including the ability to use customer-managed keys (CMKs) stored in Azure Key Vault to protect your sensitive data. This article explains the concept of encryption with CMKs and provides step-by-step guidance for configuring CMK using Azure Key Vault. It also covers the two Key Vault access models, Azure Role-Based Access Control (RBAC) and Vault Access Policies, and how each works with a system-assigned managed identity. Support for user-assigned managed identities (UAI) is currently available only via Bicep templates.

Why use customer-managed keys?

With CMK, you gain full control over encryption keys, providing enhanced protection for sensitive data and helping meet compliance requirements. The key benefits of using CMKs include:

  • Using your own keys to encrypt data at rest.

  • Integration with organizational security and compliance policies.

  • The ability to rotate or revoke keys for enhanced control over access to encrypted data.

Microsoft Foundry supports encryption with your CMKs stored in Azure Key Vault, leveraging industry-leading security features.

Prerequisites

To configure CMK for Microsoft Foundry, ensure the following prerequisites are met:

  1. Azure Subscription:
    You need an active Azure subscription to create and manage Azure resources.

  2. Azure Key Vault:

  3. Managed Identity Configuration:

  4. Key Vault Permissions:

    • If you're using Azure RBAC, assign the Key Vault Crypto User role to the managed identity.
    • If you're using Vault Access Policies, grant the managed identity key-specific permissions on the key, such as wrap key and unwrap key.

Regional availability note (UAI for CMK)

Support for Customer-Managed Keys (CMK) with User-Assigned Managed Identities (UAI) is currently available in all Azure regions except for the following regions:

  • United States:
    westus, centralus, southcentralus, westus2
  • Europe:
    westeurope, ukwest, switzerlandwest, germanywestcentral, francecentral, denmarkeast, polandcentral, swedencentral, norwayeast
  • Asia-Pacific:
    taiwannorthwest, australasia (australiaeast, newzealandnorth), southeastasia, japaneast, koreacentral, indonesiacentral, malaysiawest, centralindia
  • Middle East:
    israelcentral, qatarcentral
  • Africa:
    southafricanorth
  • Canada:
    canadaeast
  • Latin America:
    mexicocentral
  • Azure China:
    China East, China East 2, China North, China North 2
  • Azure US Government:
    US Gov Virginia, US Gov Arizona, US Gov Texas, US Gov Iowa

Before configuring CMK with UAI, make sure you deploy your resources in a supported region. Refer to Microsoft Foundry feature availability across cloud regions for more details on regional support for Microsoft Foundry features.

Steps to Configure CMK

Step 1. Create or Import a Key in Azure Key Vault

You store Customer-Managed Keys (CMKs) in Azure Key Vault. You can either generate a new key within the Key Vault or import an existing key. Follow the steps in one of the following sections:

Generate a Key

  1. Go to your Azure Key Vault in the Azure portal.

  2. Under Settings, select Keys.

  3. Select + Generate/Import.

  4. Enter a key name, choose the key type (such as RSA or HSM-backed), and configure key size and expiration details.

  5. Select Create to save the new key.

    For more information, see Create and Manage Keys in Azure Key Vault.

Import a Key

  1. Go to the Keys section in your Key Vault.
  2. Select + Generate/Import and choose the Import option.
  3. Upload the key material and provide the necessary key configuration details.
  4. Follow the prompts to complete the import process.

Step 2. Grant Key Vault permissions to managed identities

Configure appropriate permissions for the system-assigned or user-assigned managed identity to access the Key Vault.

System-assigned managed identity

  1. Go to the Key Vault in the Azure portal.
  2. Select Access Control (IAM).
  3. Select + Add role assignment.
  4. Assign the Key Vault Crypto User role to the system-assigned managed identity of the Microsoft Foundry resource.

User-assigned managed identity

  1. Use the provided Bicep templates to deploy a user-assigned identity and configure Key Vault permissions.

  2. After deployment, confirm the user-assigned identity has appropriate roles (such as Key Vault Crypto Officer) or permissions on the Key Vault.

Step 3. Enable CMK in Microsoft Foundry

  1. Open the Microsoft Foundry resource in the Azure portal.
  2. Go to the Encryption Settings section.
  3. Select Customer-Managed Keys as the encryption type.
  4. Enter the Key Vault URL and the key name.
  5. If you use a User-Assigned Managed Identity, make sure the Bicep deployment has completed first, because that deployment is what configures the identity and its Key Vault permissions.
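Steps 1 through 3 above, expressed as one added Bicep example (this is not code from this article or from Microsoft's own templates). It assumes the Key Vault and key already exist, that the resource names are placeholders you replace, that the Foundry resource is deployed as a Microsoft.CognitiveServices account of kind AIServices with the 2025-04-01-preview API version, and that the GUID shown is the built-in Key Vault Crypto User role definition ID.

```bicep
// Added example: UAI + Key Vault Crypto User grant + CMK on a Foundry resource.
param location string = resourceGroup().location
param foundryName string = 'my-foundry'   // placeholder
param keyVaultName string = 'my-kv'       // placeholder, existing vault (Step 1)
param keyName string = 'foundry-cmk'      // placeholder, existing key (Step 1)
param keyVersion string                   // pin one version; change it when you rotate

// Built-in 'Key Vault Crypto User' role (assumed role definition ID)
var cryptoUserRoleId = '12338af0-0e69-4776-bea7-57ae8d297424'

resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${foundryName}-cmk-uai'
  location: location
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Step 2: least-privilege grant, scoped to this vault only (not the resource group)
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uai.id, cryptoUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoUserRoleId)
    principalId: uai.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Step 3: the Foundry resource uses the UAI to wrap/unwrap the CMK
resource foundry 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = {
  name: foundryName
  location: location
  kind: 'AIServices'
  sku: { name: 'S0' }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uai.id}': {} }
  }
  properties: {
    allowProjectManagement: true
    customSubDomainName: foundryName
    encryption: {
      keySource: 'Microsoft.KeyVault'
      keyVaultProperties: {
        keyVaultUri: kv.properties.vaultUri
        keyName: keyName
        keyVersion: keyVersion
        identityClientId: uai.properties.clientId
      }
    }
  }
  dependsOn: [ kvRole ] // the grant must exist before the service first touches the key
}
```

Role assignments can take a short time to propagate, so if the Foundry deployment fails on its first attempt with a Key Vault authorization error, re-run the deployment rather than widening the role scope.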

Key Vault Access Design: Azure RBAC vs. Vault Access Policies

Azure Key Vault supports two models for managing access permissions:

  1. Azure RBAC (Recommended):
    • Provides centralized access control using Azure AD roles.
    • Simplifies permission management for resources across Azure.
    • Use Key Vault Crypto User role.
  2. Vault Access Policies:
    • Allows granular access control specific to Key Vault resources.
    • Suitable for configurations where legacy or isolated permission settings are necessary.

Choose the model that aligns with your organizational requirements.

Monitoring and Rotating Keys

To maintain optimal security and compliance, implement the following practices:

  1. Enable Key Vault Diagnostics:
    Monitor key usage and access activity by enabling diagnostic logging in Azure Monitor or Log Analytics.
  2. Rotate Keys Regularly:
    Periodically create a new version of your key in Azure Key Vault.
    Update the Microsoft Foundry resource to reference the latest key version in its Encryption Settings.