Best practices for using customer-managed keys for the FHIR service

Customer-managed keys (CMK) are encryption keys that you create and manage in your own key store. By using CMK, you have more flexibility and control over the encryption and access of your organization’s data. You use Azure Key Vault to create and manage CMK, and then use the keys to encrypt the data stored by the FHIR® service.

Rotate keys often

Follow security best practices and rotate keys often. Keys used with the FHIR service must be rotated manually. When you rotate a key, update the version of the existing key or set a new encryption key from a different storage location. Always make sure to keep existing keys enabled when adding new keys because they're still needed to access the data that was encrypted with them.

To rotate the key by generating a new version of the key, use the 'az keyvault key rotate' command. For more information, see the documentation for the Azure Key Vault rotate command.
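As an added example (not part of this documentation page), the following script wraps the 'az keyvault key rotate' step and then checks the point this section makes: after rotation, every earlier key version must still be enabled, or the FHIR service loses access to data encrypted under it. The vault and key names are placeholders, and the live commands assume an authenticated Azure CLI session.

```shell
#!/bin/sh
# Added example, not from the original page: rotate a FHIR-service CMK by creating a
# new key version, then confirm every earlier version is still enabled, since the
# FHIR service still needs those versions to read data encrypted under them.
# VAULT_NAME and KEY_NAME are placeholders; the live steps assume a signed-in `az`.
set -eu

VAULT_NAME="${VAULT_NAME:-REPLACE_WITH_VAULT_NAME}"
KEY_NAME="${KEY_NAME:-REPLACE_WITH_KEY_NAME}"

# Input: one enabled flag per line, as produced by
#   az keyvault key list-versions ... --query "[].attributes.enabled" -o tsv
# (the CLI prints booleans as True/False in tsv). Returns 0 only when every
# version is enabled; an empty version list is also treated as a failure.
check_all_enabled() {
  flags="$1"
  [ -n "$flags" ] || return 1
  while IFS= read -r line; do
    case "$line" in
      true|True) ;;
      *) return 1 ;;
    esac
  done <<EOF
$flags
EOF
  return 0
}

# Number of versions in the same tsv output; used to prove rotation added one.
count_versions() {
  [ -n "$1" ] || { echo 0; return 0; }
  printf '%s\n' "$1" | grep -c .
}

rotate_and_verify() {
  before=$(az keyvault key list-versions --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
             --query "[].attributes.enabled" -o tsv)
  az keyvault key rotate --vault-name "$VAULT_NAME" --name "$KEY_NAME" -o none
  after=$(az keyvault key list-versions --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
             --query "[].attributes.enabled" -o tsv)
  [ "$(count_versions "$after")" -gt "$(count_versions "$before")" ] \
    || { echo "rotation did not create a new key version" >&2; return 1; }
  check_all_enabled "$after" \
    || { echo "an earlier key version is disabled; re-enable it before updating the FHIR service" >&2; return 1; }
  echo "$KEY_NAME now has $(count_versions "$after") versions, all enabled"
}

# The live procedure only runs when explicitly requested, so the file is safe to source.
if [ "${FHIR_CMK_LIVE:-0}" = "1" ]; then rotate_and_verify; fi
```

After a successful run, point the FHIR service at the new key version as described in the ARM template steps referenced below; the older versions stay enabled.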

Update the FHIR service after changing a managed identity

If you change the managed identity in any way, such as moving your FHIR service to a different tenant or subscription, the FHIR service isn't able to access your keys. You must update the service manually with an ARM template deployment. For steps, see Use an ARM template to update the encryption key.

Disable public access with a firewall

When using a key vault with a firewall to disable public access, the option to Allow trusted Microsoft services to bypass this firewall must be enabled.

Next steps

Configure customer-managed keys for the FHIR service

Note

FHIR® is a registered trademark of HL7 and is used with the permission of HL7.