Customer-managed keys for Azure NetApp Files volume encryption enable you to use your own keys rather than the platform-managed (Microsoft-managed) key when creating a new volume. With customer-managed keys, you can fully manage the relationship between a key's life cycle, key usage permissions, and auditing operations on keys.
Important
To configure customer-managed keys for the Flexible, Standard, Premium, or Ultra service level, see Configure customer-managed keys.
Considerations
- For increased security, select the Disable public access option within the network settings of your key vault. When selecting this option, you must also select Allow trusted Microsoft services to bypass this firewall to permit the Azure NetApp Files service to access your encryption key.
- Customer-managed keys support automatic Managed System Identity (MSI) certificate renewal. If your certificate is valid, you don't need to manually update it.
- Do not make any changes to the underlying Azure Key Vault or Azure Private Endpoint after creating a customer-managed keys volume. Making changes can make the volumes inaccessible. If you must make changes, see Update the private endpoint IP for customer-managed keys.
- If Azure Key Vault becomes inaccessible, Azure NetApp Files loses its access to the encryption keys and the ability to read or write data to volumes enabled with customer-managed keys. In this situation, create a support ticket to have access manually restored for the affected volumes.
- Azure NetApp Files supports customer-managed keys on source and data replication volumes with cross-region replication or cross-zone replication relationships.
- Applying Azure network security groups (NSG) on the private link subnet to Azure Key Vault is supported for Azure NetApp Files customer-managed keys. NSGs don’t affect connectivity to private links unless a private endpoint network policy is enabled on the subnet.
- Wrap/unwrap is not supported. Customer-managed keys use encrypt/decrypt. For more information, see RSA algorithms.
Requirements
Before creating your first customer-managed key volume, you must set up:
- A virtual network: the virtual network subnet needs to be delegated to Microsoft.Netapp/elasticVolumes.
- An Azure Key Vault containing at least one key.
  - The key vault must have soft delete and purge protection enabled.
  - The key must be of type RSA.
- The key vault must have an Azure Private Endpoint.
  - The private endpoint must reside in a different subnet than the one delegated to Azure NetApp Files. The subnet must be in the same virtual network as the one delegated to Azure NetApp Files.
- If you've configured your Azure Key Vault to use Azure role-based access control (RBAC), ensure the user-assigned identity you intend to use for encryption has a role assignment on the key vault with permissions for the following actions:
  - Microsoft.KeyVault/vaults/keys/read
  - Microsoft.KeyVault/vaults/keys/encrypt/action
  - Microsoft.KeyVault/vaults/keys/decrypt/action

  To learn about configuring an Azure Key Vault with RBAC, see Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.
- If you've configured your Azure Key Vault to use a Vault access policy, the Azure portal configures the Elastic account automatically when you configure the customer-managed key.
For more information about Azure Key Vault and Azure Private Endpoint, see:
- Quickstart: Create a key vault
- Create or import a key into the vault
- Create a private endpoint
- More about keys and supported key types
- Manage network policies for private endpoints
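The following preflight check, added here as an example and not part of the original page, tests a key vault, key, private endpoint and RBAC grant against the considerations and requirements above (soft delete and purge protection, RSA key type, trusted-services bypass when public access is disabled, private endpoint in a different subnet of the same virtual network, and the three key actions). The input is a constructed dictionary; its field names mirror the shape of `az keyvault show`, `az keyvault key show` and `az network private-endpoint show` output, which is an assumption of this example.

```python
"""Preflight check of a key vault, key and private endpoint against the
customer-managed key requirements listed on this page (added example)."""
# Key permissions the identity needs on the vault (from the Requirements list).
REQUIRED_KEY_ACTIONS = {
    "Microsoft.KeyVault/vaults/keys/read",
    "Microsoft.KeyVault/vaults/keys/encrypt/action",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
}
# Constructed sample; field names mirror `az keyvault show`, `az keyvault key show`
# and `az network private-endpoint show` output (an assumption, not from the page).
VNET = "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Network/virtualNetworks/vnet1"
SAMPLE = {
    "vault": {"properties": {
        "enableSoftDelete": True, "enablePurgeProtection": True,
        "enableRbacAuthorization": True, "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}},
    "key": {"key": {"kty": "RSA"}},
    "private_endpoint": {"subnet": {"id": VNET + "/subnets/pe-subnet"}},
    "anf_subnet_id": VNET + "/subnets/anf-subnet",  # subnet delegated to Azure NetApp Files
    "role_permissions": [{"actions": [], "dataActions": sorted(REQUIRED_KEY_ACTIONS)}],
}

def vnet_of(subnet_id):
    """Parent virtual network ID: everything before '/subnets/', lower-cased."""
    return subnet_id.rsplit("/subnets/", 1)[0].lower()

def check_cmk_prereqs(cfg):
    """Return the violated requirements; an empty list means the setup is ready."""
    problems, vp = [], cfg["vault"]["properties"]
    for flag in ("enableSoftDelete", "enablePurgeProtection"):
        if not vp.get(flag):
            problems.append(f"vault: {flag} must be enabled")
    acls = vp.get("networkAcls", {})
    locked = vp.get("publicNetworkAccess") == "Disabled" or acls.get("defaultAction") == "Deny"
    if locked and "AzureServices" not in acls.get("bypass", ""):
        problems.append("vault: public access is disabled but trusted Microsoft services may not bypass the firewall")
    if not str(cfg["key"]["key"].get("kty", "")).startswith("RSA"):
        problems.append("key: must be of type RSA")
    pe_subnet, anf_subnet = cfg["private_endpoint"]["subnet"]["id"].lower(), cfg["anf_subnet_id"].lower()
    if pe_subnet == anf_subnet:
        problems.append("private endpoint: must not sit in the subnet delegated to Azure NetApp Files")
    elif vnet_of(pe_subnet) != vnet_of(anf_subnet):
        problems.append("private endpoint: must be in the same virtual network as the delegated subnet")
    if vp.get("enableRbacAuthorization"):  # access-policy vaults are configured by the portal instead
        granted = {a for p in cfg["role_permissions"] for a in p.get("actions", []) + p.get("dataActions", [])}
        if REQUIRED_KEY_ACTIONS - granted:
            problems.append("rbac: identity lacks " + ", ".join(sorted(REQUIRED_KEY_ACTIONS - granted)))
    return problems
```

Run it against the JSON you pull with the Azure CLI before creating the first volume; an empty list means every requirement on this page is met, otherwise each entry names the setting to fix.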
Configure an Elastic NetApp account to use customer-managed keys
1. In your Elastic storage account, select Encryption.
2. For Encryption key source, select Customer Managed Key.
3. Provide the Encryption Key.
   - If you have the URI, select Enter key URI, then manually enter the Key URI and Subscription.
   - To select the key from a list, choose Select key vault, then Select a key vault and key. In the dropdown menus, select the Subscription, Key vault, and Key, then choose Select to confirm your choices.
4. Choose the identity type for authentication with the Azure Key Vault.
   If your Azure Key Vault is configured to use Vault access policy as its permission model, both options are available. Otherwise, only the user-assigned option is available.
   - If you choose User-assigned, select an identity. Choose Select an identity to open a context pane, then select the appropriate user-assigned managed identity.
   - If you choose System-assigned, skip to the next step. When you save your encryption settings, Azure configures the NetApp account automatically by adding a system-assigned identity to your NetApp account and creating an access policy on your Azure Key Vault with the key permissions Get, Encrypt, and Decrypt.
5. Select Save.
Next steps
After you configure encryption settings for your Elastic NetApp account, create an Elastic zone-redundant capacity pool. Ensure you select Customer Managed as the encryption key source, then provide the private endpoint of the configured Azure key vault.
After the capacity pool is created with customer-managed keys, volumes created in the capacity pool automatically inherit customer-managed key encryption settings.