
Customer-managed keys (CMKs) for Microsoft Foundry

This article refers to the Microsoft Foundry (new) portal.
Customer-managed key (CMK) encryption in Microsoft Foundry gives you control over how your data is encrypted. Through Azure Key Vault integration, you can use your own keys stored in Key Vault to add an extra protection layer for sensitive data and help meet compliance requirements. This article explains the concept of encryption with CMKs and provides step-by-step guidance for configuring a CMK by using Key Vault. It also discusses:
  • Encryption models and access control methods like Azure role-based access control (RBAC) and vault access policies.
  • Ensuring compatibility with system-assigned managed identities and user-assigned managed identities.

Benefits of CMKs

  • The ability to use your own keys to encrypt data at rest.
  • Integration with organizational security and compliance policies.
  • The ability to rotate or revoke keys for enhanced control over access to encrypted data.

Prerequisites

To configure a CMK for Foundry, you need:
  • An active Azure subscription to create and manage Azure resources.
  • An existing key vault to store your keys. These requirements also apply:
    • Deploy the key vault and the Foundry resource in the same Azure region.
    • Enable soft delete and purge protection on the key vault to help safeguard customer-managed keys from accidental or malicious deletion (required by Azure). To create a key vault, see Quickstart: Create a key vault by using the Azure portal.
  • A managed identity configuration:
  • Key Vault permissions:
    • If you’re using Azure RBAC, assign the Key Vault Crypto User role to the managed identity.
    • If you’re using vault access policies, grant key-specific permissions to the managed identity, such as unwrapKey and wrapKey.
Before you configure a CMK, be sure to deploy your resources in a supported region. For more information on regional support for Foundry features, see Microsoft Foundry feature availability across cloud regions.

Steps to configure a CMK

Step 1: Create or import a key in the key vault

To generate a key:
  1. In the Azure portal, go to your key vault.
  2. Under Settings, select Keys.
  3. Select + Generate/Import.
  4. Enter a key name, choose the key type (such as RSA or HSM-backed), and configure key size and expiration details.
  5. Select Create to save the new key.
Keep these considerations in mind:
  • Projects can be updated from Microsoft-managed keys to CMKs but not reverted.
  • Project CMKs can be updated only to keys in the same key vault.
  • Storage-related charges for CMK encryption continue during soft-deleted retention.
For more information, see About keys.

To import a key:
  1. In your key vault, go to the Keys section.
  2. Select + Generate/Import, and then choose the Import option.
  3. Upload the key material and provide the necessary details for key configuration.
  4. Follow the prompts to complete the import process.

Step 2: Grant key vault permissions to managed identities

Configure appropriate permissions for the system-assigned or user-assigned managed identity to access the key vault:
  1. In the Azure portal, go to your key vault.
  2. Select Access Control (IAM).
  3. Select + Add role assignment.
  4. Assign the Key Vault Crypto User role to the system-assigned managed identity of the Foundry resource or to the user-assigned managed identity.

Step 3: Enable the CMK in Foundry

You can enable CMKs either during the creation of a Foundry resource or by updating an existing resource. During resource creation, the wizard guides you to use a user-assigned or system-assigned managed identity. It also guides you to select a key vault where your key is stored. If you’re updating an existing Foundry resource, use these steps to enable a CMK:
  1. In the Azure portal, open the Foundry resource.
  2. Go to Resource Management > Encryption.
  3. Select Customer-Managed Keys as the encryption type.
  4. Enter the key vault URL and the key name.
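The three steps above, expressed as one Bicep deployment rather than portal clicks. This is an added example, not from the article or the Foundry product docs; it assumes an existing key vault (named by `kvName`) that already meets the prerequisites, uses a user-assigned managed identity so the role assignment can exist before the Foundry resource is created, and uses placeholder resource names. The role definition GUID is the built-in Key Vault Crypto User role; confirm it against your tenant's role definitions before deploying.

```bicep
param baseName string = 'foundry-cmk-example' // placeholder; drives the other resource names
param kvName string = 'kv-foundry-cmk-example' // placeholder; vault must already exist
param cryptoUserRoleId string = '12338af0-0e69-4776-bea7-57ae8d297424' // built-in Key Vault Crypto User

// User-assigned identity: lets Step 2 (role assignment) complete before Step 3 creates the resource.
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${baseName}'
  location: resourceGroup().location
}
// Prerequisite: existing vault in the same region, RBAC access model, soft delete and purge protection on.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: kvName
}
// Step 1: generate an RSA key in the vault.
resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'foundry-cmk'
  properties: { kty: 'RSA', keySize: 2048 }
}
// Step 2: grant Key Vault Crypto User on the vault to the identity (covers wrapKey/unwrapKey).
resource cryptoUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, cryptoUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoUserRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
// Step 3: create the Foundry resource with CMK encryption referencing the vault, key and identity.
resource foundry 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: baseName
  location: resourceGroup().location
  kind: 'AIServices'
  sku: { name: 'S0' }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uami.id}': {} } }
  properties: {
    customSubDomainName: baseName
    encryption: {
      keySource: 'Microsoft.KeyVault'
      keyVaultProperties: {
        keyVaultUri: kv.properties.vaultUri
        keyName: key.name
        keyVersion: last(split(key.properties.keyUriWithVersion, '/'))
        identityClientId: uami.properties.clientId
      }
    }
  }
  dependsOn: [ cryptoUser ] // the role must exist before the service first wraps the key
}
```

If the role assignment is missing or the vault is in another region, the deployment of the Foundry resource fails at the encryption step, which is the same condition the portal reports when Step 2 is skipped.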

Vault access: Azure RBAC vs. vault access policies

Azure Key Vault supports two models for managing access permissions:
  • Azure RBAC (recommended):
    • Provides centralized access control by using Microsoft Entra roles.
    • Simplifies permission management for resources across Azure.
    • Requires the Key Vault Crypto User role.
  • Vault access policies:
    • Allow granular access control specific to Key Vault resources.
    • Are suitable for configurations where legacy or isolated permission settings are necessary.
Choose the model that aligns with your organizational requirements.

Monitoring and rotating keys

To maintain optimal security and compliance, implement the following practices:
  • Enable Key Vault diagnostics: Monitor key usage and access activity by enabling diagnostic logging in Azure Monitor or Log Analytics.
  • Rotate keys regularly: Periodically create a new version of your key in Key Vault. Update the Foundry resource to reference the latest key version in its encryption settings.