Source: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-data-encryption

Configure Data Encryption - Azure Database for PostgreSQL

This article provides step-by-step instructions to configure data encryption for an Azure Database for PostgreSQL flexible server.

Important

The only point at which you can decide if you want to use a system managed key or a customer managed key for data encryption, is at server creation. Once you make that decision and create the server, you can't switch between the two options.

In this article, you learn how to create a new server and configure its data encryption options. For existing servers whose data encryption is configured to use a customer managed encryption key, you learn:

To learn about data encryption in the context of Azure Database for PostgreSQL flexible server, see the data encryption concepts article.

Configure data encryption with system managed key during server provisioning

Using the Azure portal:

  1. During provisioning of a new Azure Database for PostgreSQL flexible server, data encryption is configured in the Security tab. For Data encryption key, select the Service-managed key radio button.

  2. If you enable geo-redundant backup storage to be provisioned together with the server, the aspect of the Security tab changes slightly because the server uses two separate encryption keys. One for the primary region in which you're deploying your server, and one for the paired region to which the server backups are asynchronously replicated.

You can enable data encryption with a system managed key, while provisioning a new server, via the az postgres flexible-server create command.

az postgres flexible-server create \
  --resource-group <resource_group> \
  --name <server> ...

Note

There's no special parameter in the previous command to specify that the server must be created with a system managed key for data encryption, because data encryption with a system managed key is the default option. Also, notice that you must complete the command with other parameters, whose presence and values vary depending on how you want to configure other features of the provisioned server.

Configure data encryption with customer managed key during server provisioning

Using the Azure portal:

  1. Create one user assigned managed identity, if you don't have one yet. If your server has geo-redundant backups enabled, you need to create two different identities. Each of those identities is used to access one of the two data encryption keys.

Note

Although it isn't required, to maintain regional resiliency, we recommend that you create the user assigned managed identity in the same region as your server. And if your server has geo-redundant backups enabled, we recommend that the second user assigned managed identity, used to access the data encryption key for geo-redundant backups, is created in the paired region of the server.

  2. Create one Azure Key Vault or one Managed HSM, if you don't have a key store yet. Make sure that you meet the requirements, and follow the recommendations, before you configure the key store, create the key, and assign the required permissions to the user assigned managed identity. If your server has geo-redundant backups enabled, you need to create a second key store. That second key store keeps the data encryption key with which the copies of your backups in the paired region of the server are encrypted.

Note

The key store that keeps the data encryption key must be deployed in the same region as your server. And if your server has geo-redundant backups enabled, the key store that keeps the data encryption key for geo-redundant backups must be created in the paired region of the server.

  3. Create one key in your key store. If your server has geo-redundant backups enabled, you need one key in each of the key stores. With the first key, the service encrypts all your server's data (including all system and user databases, temporary files, server logs, write-ahead log segments, and backups). With the second key, it encrypts the copies of the backups which are asynchronously copied to the paired region of your server.

  4. During provisioning of a new Azure Database for PostgreSQL flexible server, data encryption is configured in the Security tab. For Data encryption key, select the Customer-managed key radio button.

  5. If you enable geo-redundant backup storage to be provisioned together with the server, the aspect of the Security tab changes slightly because the server uses two separate encryption keys. One for the primary region in which you're deploying your server, and one for the paired region to which the server backups are asynchronously replicated.

  6. In User assigned managed identity, select Change identity.

  7. Among the list of user assigned managed identities, select the one you want your server to use to access the data encryption key stored in your key store.

  8. Select Add.

  9. Select Use automatic key version update, if you prefer to let the service automatically update the reference to the most current version of the chosen key, whenever the current version is rotated manually or automatically. To understand the benefits of using automatic key version updates, see automatic key version update in the data encryption concepts article.

  10. Select Select a key.

  11. Subscription is automatically populated with the name of the subscription in which your server is about to be created. The key store that keeps the data encryption key must exist in the same subscription as the server.

  12. In Key store type, select the radio button corresponding to the type of key store in which you plan to store the data encryption key. In this example, we choose Key vault, but the experience is similar if you choose Managed HSM.

  13. Expand Key vault (or Managed HSM, if you selected that storage type), and select the instance where the data encryption key exists.

    Note

    When you expand the dropdown box, it might initially show No available items. It takes a few seconds until it lists all the key store instances deployed in the same region as the server.

  14. Expand Key, and select the name of the key that you want to use for data encryption.

  15. If you didn't select Use automatic key version update, you must also select a specific version of the key. To do that, expand Version, and select the identifier of the version of the key that you want to use for data encryption.

  16. Select Select.

  17. Configure all other settings of the new server and select Review + create.

You can enable data encryption with a customer managed key, while provisioning a new server, via the az postgres flexible-server create command.

If your server doesn't have geo-redundant backups enabled:

az postgres flexible-server create \
  --resource-group <resource_group> \
  --name <server> \
  --geo-redundant-backup Disabled \
  --identity <managed_identity_to_access_primary_encryption_key> \
  --key <resource_identifier_of_primary_encryption_key> ...

Note

The previous command needs to be completed with other parameters whose presence and values would vary depending on how you want to configure other features of the provisioned server.

If your server has geo-redundant backups enabled:

az postgres flexible-server create \
  --resource-group <resource_group> \
  --name <server> \
  --geo-redundant-backup Enabled \
  --identity <managed_identity_to_access_primary_encryption_key> \
  --key <resource_identifier_of_primary_encryption_key> \
  --backup-identity <managed_identity_to_access_geo_backups_encryption_key> \
  --backup-key <resource_identifier_of_geo_backups_encryption_key> ...

Note

The previous command needs to be completed with other parameters, whose presence and values vary depending on how you want to configure other features of the provisioned server. Note that the backup identity and backup key are only accepted when geo-redundant backup is enabled.
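The following script is an added example, not code from the Microsoft page, that strings together the preparation steps the portal procedure above describes in prose (identity, key store, key, permissions) and the az postgres flexible-server create call shown for a server without geo-redundant backups. Resource names are placeholders. The key vault hardening flags (purge protection, RBAC authorization) and the "Key Vault Crypto Service Encryption User" role granted to the identity are assumptions taken from the service's documented key-store requirements, which this page only links to; verify them against that link before relying on them. The two pure helper functions encode the key identifier format and the parameter pairing rules quoted later on this page so that a bad parameter set is caught before any resource is created.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft page): provision a flexible server with a
# customer managed key end to end. Resource names are placeholders; the vault
# flags and the role name are assumptions to check against the service docs.
set -eu

# Build the Key Vault key identifier that --key expects. Without VERSION the
# identifier is version-less, which is what pairs with automatic key version
# update; with VERSION the server is pinned to that exact key version.
kv_key_id() {
  local vault="$1" key="$2" version="${3:-}"
  if [ -n "$version" ]; then
    printf 'https://%s.vault.azure.net/keys/%s/%s\n' "$vault" "$key" "$version"
  else
    printf 'https://%s.vault.azure.net/keys/%s\n' "$vault" "$key"
  fi
}

# True when both values are set or both are empty.
pair_ok() {
  if [ -n "$1" ] && [ -n "$2" ]; then return 0; fi
  if [ -z "$1" ] && [ -z "$2" ]; then return 0; fi
  return 1
}

# Reproduce the CLI's own parameter rules (the error texts quoted on this page):
# --identity/--key go together, --backup-identity/--backup-key go together, and
# the backup pair is only valid when geo-redundant backup is Enabled.
# Usage: check_cmk_args Enabled|Disabled IDENTITY KEY [BACKUP_IDENTITY BACKUP_KEY]
check_cmk_args() {
  local geo="$1" identity="${2:-}" key="${3:-}" bidentity="${4:-}" bkey="${5:-}"
  if ! pair_ok "$identity" "$key"; then
    echo 'User assigned identity and keyvault key need to be provided together. Please provide --identity and --key together.' >&2
    return 1
  fi
  if ! pair_ok "$bidentity" "$bkey"; then
    echo 'User assigned identity and keyvault key need to be provided together. Please provide --backup-identity and --backup-key together.' >&2
    return 1
  fi
  if [ "$geo" != Enabled ] && [ -n "$bidentity" ]; then
    echo 'Geo-redundant backup is not enabled. You cannot provide Geo-location user assigned identity and keyvault key.' >&2
    return 1
  fi
  return 0
}

# Create identity, key store, key and permissions in the server's region, then
# the server itself. Requires a logged-in az CLI with rights to create these
# resources and to create keys in an RBAC-enabled vault (Key Vault Crypto Officer).
provision_cmk_server() {
  local rg="$1" location="$2" server="$3" vault="$4" key="$5" identity="$6"
  local identity_id principal_id vault_id key_id

  az identity create --resource-group "$rg" --name "$identity" --location "$location" >/dev/null
  identity_id=$(az identity show --resource-group "$rg" --name "$identity" --query id -o tsv)
  principal_id=$(az identity show --resource-group "$rg" --name "$identity" --query principalId -o tsv)

  # Assumption: CMK requires soft delete (on by default) and purge protection.
  az keyvault create --resource-group "$rg" --name "$vault" --location "$location" \
    --enable-purge-protection true --enable-rbac-authorization true >/dev/null
  az keyvault key create --vault-name "$vault" --name "$key" --kty RSA --size 2048 >/dev/null

  # Assumption: this built-in role covers the get/wrap/unwrap operations the
  # service performs with the identity. RBAC propagation can take minutes; a
  # create that follows too quickly fails with AzureKeyVaultKeyNameNotFound.
  vault_id=$(az keyvault show --resource-group "$rg" --name "$vault" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$vault_id" >/dev/null

  key_id=$(kv_key_id "$vault" "$key")   # version-less: relies on automatic key version update
  check_cmk_args Disabled "$identity_id" "$key_id"

  # Remaining server settings (tier, SKU, admin credentials, networking) use CLI
  # defaults here; add them as your deployment requires.
  az postgres flexible-server create --resource-group "$rg" --name "$server" \
    --location "$location" --geo-redundant-backup Disabled \
    --identity "$identity_id" --key "$key_id" --yes
}

# Only touch Azure when invoked explicitly, e.g.:
#   ./cmk-provision.sh provision rg-pg eastus pg-cmk-demo kv-pg-prod pg-cmk uami-pg-cmk
if [ "${1:-}" = provision ]; then
  provision_cmk_server "$2" "$3" "$4" "$5" "$6" "$7"
fi
```

The script runs check_cmk_args before the create call so that the same validation the CLI applies happens locally; if the create still fails with the AzureKeyVaultKeyNameNotFound error quoted below, the usual cause is the role assignment not having propagated yet, and simply retrying after a short wait succeeds.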

Configure data encryption with customer managed key on existing servers

The only point at which you can decide if you want to use a system managed key or a customer managed key for data encryption, is at server creation. Once you make that decision and create the server, you can't switch between the two options. The only alternative, if you want to change from one to the other, is to restore one of the server's available backups onto a new server. While configuring the restore, you're allowed to change the data encryption configuration of the new server.

For existing servers that were deployed with data encryption using a customer managed key, you can make several configuration changes. Things that can be changed are the references to the keys used for encryption, and the references to the user assigned managed identities used by the service to access the keys kept in the key stores.

You must update references that your Azure Database for PostgreSQL flexible server has to a key:

You must update the user assigned managed identities which are used by your Azure Database for PostgreSQL flexible server to access the encryption keys whenever you want to use a different identity.

Using the Azure portal:

  1. Select your Azure Database for PostgreSQL flexible server.

  2. In the resource menu, under Security, select Data encryption.

  3. To change the user assigned managed identity with which the server accesses the key store in which the key is kept, expand the User assigned managed identity dropdown, and select any of the identities available.

    Note

    Identities shown in the combo-box are only the ones that your Azure Database for PostgreSQL flexible server was assigned. Although it isn't required, to maintain regional resiliency, we recommend that you select user managed identities in the same region as your server. And if your server has geo-backup redundancy enabled, we recommend that the second user managed identity, used to access the data encryption key for geo-redundant backups, exists in the paired region of the server.

  4. If the user assigned managed identity that you want to use to access the data encryption key isn't assigned to your Azure Database for PostgreSQL flexible server, and doesn't yet exist as an Azure resource with its corresponding object in Microsoft Entra ID, you can create it by selecting Create.

  5. In the Create User Assigned Managed Identity panel, complete the details of the user assigned managed identity that you want to create, and automatically assign to your Azure Database for PostgreSQL flexible server to access the data encryption key.

  6. If the user assigned managed identity that you want to use to access the data encryption key isn't assigned to your Azure Database for PostgreSQL flexible server, but it does exist as an Azure resource with its corresponding object in Microsoft Entra ID, you can assign it by selecting Select.

  7. Among the list of user assigned managed identities, select the one you want your server to use to access the data encryption key stored in your key store.

  8. Select Add.

  9. Select Use automatic key version update, if you prefer to let the service automatically update the reference to the most current version of the chosen key, whenever the current version is rotated manually or automatically. To understand the benefits of using automatic key version updates, see automatic key version update in the data encryption concepts article.

  10. If you rotate the key and don't have Use automatic key version update enabled, or if you want to use a different key, you must update your Azure Database for PostgreSQL flexible server so that it points to the new key version or new key. To do that, you can copy the resource identifier of the key, and paste it in the Key identifier box.

  11. If the user accessing Azure portal has permissions to access the key stored in the key store, you can use an alternative approach to choose the new key or new key version. To do that, in Key selection method, select the Select a key radio button.

  12. Select Select key.

  13. Subscription is automatically populated with the name of the subscription in which your server exists. The key store that keeps the data encryption key must exist in the same subscription as the server.

  14. In Key store type, select the radio button corresponding to the type of key store in which the data encryption key is stored. In this example, we choose Key vault, but the experience is similar if you choose Managed HSM.

  15. Expand Key vault (or Managed HSM, if you selected that storage type), and select the instance where the data encryption key exists.

    Note

    When you expand the dropdown box, it might initially show No available items. It takes a few seconds until it lists all the key store instances deployed in the same region as the server.

  16. Expand Key, and select the name of the key that you want to use for data encryption.

  17. If you didn't select Use automatic key version update, you must also select a specific version of the key. To do that, expand Version, and select the identifier of the version of the key that you want to use for data encryption.

  18. Select Select.

  19. Once satisfied with the changes made, select Save.

You can change the customer managed key used for data encryption, or the identity used to access it, on an existing server via the az postgres flexible-server update command.

az postgres flexible-server update \
  --resource-group <resource_group> \
  --name <server> \
  --identity <managed_identity_to_access_primary_encryption_key> \
  --key <resource_identifier_of_primary_encryption_key> ...

Note

The previous command might need to be completed with other parameters, whose presence and values vary depending on how you want to configure other features of the existing server.

Whether you want to change only the user assigned managed identity used to access the key, or only the key used for data encryption, or both at the same time, you're required to provide both parameters --identity and --key (or --backup-identity and --backup-key for geo-redundant backups). If you provide either one but not both, you get one of the following errors:

User assigned identity and keyvault key need to be provided together. Please provide --identity and --key together.
User assigned identity and keyvault key need to be provided together. Please provide --backup-identity and --backup-key together.

If the key pointed to by the value passed to the --key parameter (or --backup-key for geo-redundant backups) doesn't exist, or if the user assigned managed identity whose resource identifier is passed to the --identity parameter (or --backup-identity for geo-redundant backups) doesn't have the required permissions to access the key, you get the following error:

Code: AzureKeyVaultKeyNameNotFound
Message: The operation could not be completed because the Azure Key Vault Key name '<key_vault_resource>' does not exist or User Assigned Identity does not have Get access to the Key (/azure/postgresql/flexible-server/concepts-data-encryption#requirements-for-configuring-data-encryption-for-azure-database-for-postgresql-flexible-server).

If your server has geo-redundant backups enabled, you can configure the key used for encryption of geo-redundant backups, and the identity used to access that key. To do so, you can use the --backup-identity and --backup-key parameters.

az postgres flexible-server update \
  --resource-group <resource_group> \
  --name <server> \
  --backup-identity <managed_identity_to_access_georedundant_encryption_key> \
  --backup-key <resource_identifier_of_georedundant_encryption_key> ...

If you pass the parameters --backup-identity and --backup-key to the az postgres flexible-server update command, and refer to an existing server which doesn't have geo-redundant backup enabled, you get the following error:

Geo-redundant backup is not enabled. You cannot provide Geo-location user assigned identity and keyvault key.

Identities passed to the --identity and --backup-identity parameters, if they exist and are valid, are automatically added to the list of user assigned managed identities associated with your Azure Database for PostgreSQL flexible server. This is the case even if the command later fails with some other error. In such cases, you might want to use the az postgres flexible-server identity commands to list, assign, or remove user assigned managed identities assigned to your Azure Database for PostgreSQL flexible server. To learn more about configuring user assigned managed identities in your Azure Database for PostgreSQL flexible server, refer to associate user assigned managed identities to existing servers, dissociate user assigned managed identities from existing servers, and show the associated user assigned managed identities.
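The following script is an added example, not code from the Microsoft page, for the manual key rotation case described in portal step 10 and in the az postgres flexible-server update section above: a server that does not use automatic key version update must be re-pointed to the new key version after the key in the vault is rotated, and both --identity and --key must be passed even though only the key changes. Resource names are placeholders. It creates the new key version with az keyvault key create (creating a key under an existing name produces a new version), and reads the server's current key reference from the dataEncryption property of az postgres flexible-server show; the exact property name primaryKeyUri is an assumption to confirm against your own show output. The two helpers that compare key versions are pure shell and can be exercised without Azure.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft page): rotate the customer managed key of
# an existing server that does NOT use automatic key version update, then verify
# that the server references the new version. Names are placeholders; the
# dataEncryption.primaryKeyUri property name is an assumption.
set -eu

# Print the version segment of a Key Vault key identifier
# (https://<vault>.vault.azure.net/keys/<name>/<version>); prints an empty
# line for a version-less identifier.
key_version_of() {
  case "$1" in
    */keys/*/*) printf '%s\n' "${1##*/}" ;;
    *)          printf '\n' ;;
  esac
}

# True when the server's current key identifier and the vault's latest key
# identifier carry different versions, i.e. the server must be updated.
needs_rotation() {
  [ "$(key_version_of "$1")" != "$(key_version_of "$2")" ]
}

# Rotate and re-point. Requires a logged-in az CLI. The identity resource ID is
# passed unchanged because the update command demands --identity and --key together.
rotate_cmk() {
  local rg="$1" server="$2" vault="$3" key="$4" identity_id="$5"
  local current latest after

  current=$(az postgres flexible-server show --resource-group "$rg" --name "$server" \
              --query dataEncryption.primaryKeyUri -o tsv)

  # New key version under the same name. Leave the previous version enabled:
  # the server still uses it until the update below completes, and disabling
  # or deleting a version that a server references makes that server
  # unavailable. Disable it only after the switch is verified.
  az keyvault key create --vault-name "$vault" --name "$key" --kty RSA --size 2048 >/dev/null
  latest=$(az keyvault key show --vault-name "$vault" --name "$key" --query key.kid -o tsv)

  if needs_rotation "$current" "$latest"; then
    az postgres flexible-server update --resource-group "$rg" --name "$server" \
      --identity "$identity_id" --key "$latest" >/dev/null
  fi

  # Verify: the server must now report the versioned identifier of the new key.
  after=$(az postgres flexible-server show --resource-group "$rg" --name "$server" \
            --query dataEncryption.primaryKeyUri -o tsv)
  [ "$after" = "$latest" ]
}

# Only touch Azure when invoked explicitly, e.g.:
#   ./cmk-rotate.sh rotate rg-pg pg-cmk-demo kv-pg-prod pg-cmk /subscriptions/.../userAssignedIdentities/uami-pg-cmk
if [ "${1:-}" = rotate ]; then
  rotate_cmk "$2" "$3" "$4" "$5" "$6"
fi
```

For a server with geo-redundant backups, run the same sequence against the paired-region vault with --backup-identity and --backup-key; the pairing rule is the same, and passing those two parameters to a server without geo-redundant backup produces the error quoted above.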
