Edit

Share via

Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM

  • Article

The following services support server-side encryption with customer managed keys in Azure Key Vault and Azure Managed HSM. For implementation details, see the service-specific documentation or the service's Microsoft Cloud Security Benchmark: security baseline (section DP-5).

AI and machine learning

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure AI Search Yes Configure customer-managed keys for data encryption in Azure AI Search
Azure AI services Yes Yes Customer-managed keys for encryption
Azure AI Studio Yes Encryption of data at rest in Azure AI services
Azure Bot Service Yes Encryption of bot data in Azure Bot Service
Azure Health Bot Yes Configure customer-managed keys (CMK) for Azure Health Bot
Azure Machine Learning Yes Customer-managed keys for workspace encryption in Azure Machine Learning
Azure OpenAI Yes Yes Azure OpenAI Service encryption of data at rest
Content Moderator Yes Yes Content Moderator encryption of data at rest
Dataverse Yes Yes Customer-managed keys in Dataverse
Dynamics 365 Yes Yes Customer-managed keys for encryption
Face Yes Yes Face service encryption of data at rest
Language Understanding Yes Yes Customer-managed keys with Azure Key Vault
Personalizer Yes Yes Encryption of data at rest in Personalizer
Power Platform Yes Yes Customer-managed keys in Power Platform
QnA Maker Yes Yes QnA Maker encryption of data at rest
Speech Services Yes Yes Speech service encryption of data at rest
Translator Text Yes Yes Translator encryption of data at rest

Analytics

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure Data Explorer Yes Configure customer-managed keys (CMK) in Azure Data Explorer
Azure Data Factory Yes Yes Encryption with customer-managed keys for Azure Data Factory
Azure Data Lake Store Yes (RSA 2048-bit)
Azure Data Manager for Energy Yes Manage data security and encryption
Azure Databricks Yes Yes Customer-managed keys for managed services
Azure HDInsight Yes Azure HDInsight double encryption for data at rest
Azure Monitor Application Insights Yes Customer-managed keys in Azure Monitor
Azure Monitor Log Analytics Yes Yes Customer-managed keys in Azure Monitor
Azure Stream Analytics Yes* Yes Data protection in Azure Stream Analytics
Azure Synapse Analytics Yes (RSA 3072-bit) Yes Configure encryption at rest with customer-managed keys
Microsoft Fabric Yes Customer-managed key (CMK) encryption and Microsoft Fabric
Power BI Embedded Yes Using your own key for Power BI encryption (Preview)

Containers

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure Kubernetes Service Yes Yes Enable host encryption on your AKS cluster nodes
Azure Red Hat OpenShift Yes Bring your own keys (BYOK) with Azure Red Hat OpenShift
Container Instances Yes Encrypt data with a customer-managed key
Container Registry Yes Encrypt container images with a customer-managed key

Compute

Product, Feature, or Service Key Vault Managed HSM Documentation
App Service Yes* Yes Configure customer-managed keys for App Service
Azure Functions Yes* Yes Configure customer-managed keys for Azure Functions
Azure HPC Cache Yes Use customer-managed keys with HPC Cache
Azure Managed Applications Yes* Yes Azure managed applications overview
Azure portal Yes* Yes Security in the Azure portal
Azure VMware Solution Yes Yes Configure customer-managed keys in Azure VMware Solution
Batch Yes Use customer-managed keys with Batch accounts
SAP HANA Yes
Site Recovery Yes Enable replication with customer-managed keys
Virtual Machine Scale Set Yes Yes Encrypt virtual machine scale sets using the portal
Virtual Machines Yes Yes Azure Disk Encryption for Windows and Linux VMs

Databases

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure Cosmos DB Yes Yes Configure customer-managed keys using Azure Key Vault, Configure customer-managed keys using Azure Key Vault Managed HSM
Azure Database for MySQL - Flexible Server Yes Data encryption with customer-managed keys in Azure Database for MySQL - Flexible Server
Azure Database for MySQL - Single Server Yes Azure Database for MySQL data encryption with a customer-managed key
Azure Database for PostgreSQL - Flexible Server Yes Data encryption with customer-managed keys in Azure Database for PostgreSQL - Flexible Server
Azure Database for PostgreSQL - Single Server Yes Yes Data encryption with customer-managed keys in Azure Database for PostgreSQL - Single Server
Azure Managed Instance for Apache Cassandra Yes Configure customer-managed keys for encryption
Azure SQL Database Yes (RSA 3072-bit) Yes Bring your own key (BYOK) support for Transparent Data Encryption (TDE)
Azure SQL Managed Instance Yes (RSA 3072-bit) Yes Bring your own key (BYOK) support for Transparent Data Encryption (TDE)
SQL Server on Azure VM Yes Configure Azure Key Vault integration for SQL Server on Azure VMs
SQL Server on Virtual Machines Yes Transparent data encryption for SQL Server on Azure VM
SQL Server Stretch Database Yes (RSA 3072-bit)
Table Storage Yes Customer-managed keys for Azure Storage encryption

Hybrid + multicloud

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure Stack Edge Yes Protect data at rest on Azure Stack Edge Pro R

Integration

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure Health Data Services Yes Configure customer-managed keys for Azure Health Data Services DICOM, Configure customer-managed keys for Azure Health Data Services FHIR
Event Hubs Yes Configure customer-managed keys for encryption
Logic Apps Yes
Service Bus Yes Configure customer-managed keys for encryption

IoT services

Product, Feature, or Service Key Vault Managed HSM Documentation
Device Update for IoT Hub Yes Yes Data encryption for Device Update for IoT Hub
IoT Hub Device Provisioning Yes

Management and governance

Product, Feature, or Service Key Vault Managed HSM Documentation
App Configuration Yes Use customer-managed keys to encrypt data
Automation Yes Encryption of automation assets
Azure Migrate Yes Tutorial: Migrate VMware VMs to Azure
Azure Monitor Yes Customer-managed keys in Azure Monitor

Media

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure Communication Services Yes Data encryption in Azure Communication Services
Media Services Yes Use your own encryption keys with Azure Media Services

Security

Product, Feature, or Service Key Vault Managed HSM Documentation
Azure Information Protection Yes How are the Azure Rights Management cryptographic keys managed and secured?
Microsoft Defender for Cloud Yes Customer-managed keys in Azure Monitor
Microsoft Defender for IoT Yes
Microsoft Sentinel Yes Yes Encryption at rest in Microsoft Sentinel

Storage

Product, Feature, or Service Key Vault Managed HSM Documentation
Archive Storage Yes Customer-managed keys for Azure Storage encryption
Azure Backup Yes Yes Encrypt backup data using customer-managed keys
Azure Cache for Redis Yes** Yes Configure disk encryption for Azure Cache for Redis instances using customer managed keys
Azure Data Box Yes Use a customer-managed key to secure your Data Box
Azure Managed Lustre Yes Use customer-managed encryption keys with Azure Managed Lustre
Azure NetApp Files Yes Yes Configure customer-managed keys for Azure NetApp Files volume encryption
Blob Storage Yes Yes Customer-managed keys for Azure Storage encryption
Data Lake Storage Gen2 Yes Yes Customer-managed keys for Azure Storage encryption
Disk Storage Yes Yes Azure Disk Encryption for Windows and Linux VMs
File Storage Yes Yes Customer-managed keys for Azure Storage encryption
File Sync Yes Yes Customer-managed keys for Azure Storage encryption
Managed Disk Storage Yes Yes Azure Disk Encryption for Windows and Linux VMs
Premium Blob Storage Yes Yes Customer-managed keys for Azure Storage encryption
Queue Storage Yes Yes Customer-managed keys for Azure Storage encryption
StorSimple Yes Azure StorSimple security features
Ultra Disk Storage Yes Yes Azure Disk Encryption for Windows and Linux VMs

Other

Product, Feature, or Service Key Vault Managed HSM Documentation
Universal Print Yes Data encryption in Universal Print

Caveats

* This service supports storing data in your own Key Vault, Storage Account, or other data persisting service that already supports Server-Side Encryption with Customer-Managed Key.

** Any transient data stored temporarily on disk such as pagefiles or swap files are encrypted with a Microsoft key (all tiers) or a customer-managed key (using the Enterprise and Enterprise Flash tiers). For more information, see Configure disk encryption in Azure Cache for Redis.

Related content