Enabling Customer-managed keys for TRE resources
You can enable customer-managed keys (CMK) for supporting resources in Azure TRE.
Warning
Currently Azure TRE only supports CMK encryption for resources in the TRE core and the Base Workspace. CMK encryption is not supported for other resources, such as those deployed by a TRE workspace.
Caution
Currently, it is not possible to redeploy TRE with CMK enabled if it has previously been deployed without it. This is due to limitations of resources such as Azure Container Registry (ACR), which only allow CMK encryption to be enabled at the time of resource creation. Decide whether you need CMK before the first deployment.
When enabled, CMK encryption adds a layer of encryption control on top of the platform-managed keys for the supported Azure resources within the TRE: you control the lifecycle of, and access to, the encryption keys that protect your data.
To enable CMK encryption, set enable_cmk_encryption: true in the developer settings section of your config.yaml file.
For more information about CMKs, see Use customer-managed keys with Azure Storage encryption.
Key Vault configuration
The CMKs for Azure TRE can be stored in either a Key Vault deployed by TRE itself, or in an external Key Vault provided by the user.
To have TRE create and manage its own Key Vault for storing CMKs, specify the ENCRYPTION_KV_NAME parameter in the config.yaml file.
Alternatively, to use your own existing Key Vault, set the EXTERNAL_KEY_STORE_ID parameter to the resource ID of that Key Vault. Set one option or the other, not both. Azure resources that use CMK require the Key Vault to have soft-delete and purge protection enabled, so check both settings on an external vault before deploying.