Tutorial: Use the Azure portal to use customer-managed keys or BYOK with Media Services
With the 2020-05-01 or later version of the API, you can use a customer-managed RSA key with an Azure Media Services account that has a system-managed identity. This tutorial covers the steps in the Azure portal.
The services used are:
- Azure Storage
- Azure Key Vault
- Azure Media Services
In this tutorial, you'll learn to use the Azure portal to:
- Create a resource group.
- Create a storage account with a system-managed identity.
- Create a Media Services account with a system-managed identity.
- Create a key vault for storing a customer-managed RSA key.
Prerequisites
An Azure subscription.
If you don't have an Azure subscription, create a free trial account.
System-managed keys
Create a resource group with the portal
- On the Home screen of the Azure portal, select Create a resource. The Marketplace screen will appear.
- Select Resource groups. A listing of resource groups will appear.
- Select Add. The Create a resource group screen will appear.
- Select the subscription you want to use for this resource group.
- Enter the resource group name in the Resource group field.
- Select the Region for the resource group.
- Select Review + create.
Important
For the following storage account creation steps, you will select the system-managed key choice in Advanced settings.
Create a Media Services account with the portal
Sign in at the Azure portal.
Click +Create a resource > Media > Media Services.
In the Create a Media Services account section, enter the required values:
- Account Name: Enter the name of the new Media Services account. A Media Services account name is all lowercase letters or numbers with no spaces, and is 3 to 24 characters in length.
- Subscription: If you have more than one subscription, select one from the list of Azure subscriptions that you have access to.
- Resource Group: Select the new or existing resource group. A resource group is a collection of resources that share lifecycle, permissions, and policies.
- Location: Select the geographic region that will be used to store the media and metadata records for your Media Services account. This region will be used to process and stream your media. Only the available Media Services regions appear in the drop-down list box.
- Storage Account: Select a storage account to provide blob storage of the media content from your Media Services account. You can select an existing storage account in the same geographic region as your Media Services account, or you can create a new storage account. A new storage account is created in the same region. The rules for storage account names are the same as for Media Services accounts.
  You must have one Primary storage account and you can have any number of Secondary storage accounts associated with your Media Services account. You can use the Azure portal to add secondary storage accounts. For more information, see Azure Storage accounts with Azure Media Services accounts.
  The Media Services account and all associated storage accounts must be in the same Azure subscription. It is strongly recommended to use storage accounts in the same location as the Media Services account to avoid additional latency and data egress costs.
- Advanced settings: Select a previously created user-managed identity from the dropdown list or create a new user-managed identity by selecting the link.
Important
All new Media Services accounts require a user-managed identity. Previously created accounts that have a system-managed identity have not changed.
Select the checkbox next to "I have all the rights to use the content/file, and agree that it will be handled per the Online Services Terms and the Microsoft Privacy Statement." to confirm and continue.
Click Review + create or add tags with the Next:Tags button.
Click Create on the following screen. Deployment will begin.
Create a key vault with the portal
- From the Home screen of the Azure portal, select Create a resource.
- Enter Key vault into the Marketplace search field and select Key Vault when it appears in the search results.
- Select Create. The Create key vault screen appears.
- Select the Resource group you want to use or create a new one.
- Give the Key Vault a name by entering it into the Key Vault field.
- For this example, leave the default settings the way they are for the Recovery options.
- Select Next: Access policy >. The access policy screen will appear.
- Give the user listed for the key vault sufficient permissions. The default permissions should be enough.
- Select Next: Networking. The Networking screen will appear.
- Select the type of endpoint you want to use.
- Click Review + create.
Enable customer-managed keys on a Media Services account in the portal
- After creating the Media Services account, go to it in the portal.
- Select Encryption (new).
- Select Customer-managed keys under Encryption Type.
- Select the link Select a key vault and key.
- Either pick an existing key or create a new one.
- Select Save.
Important
For the following storage encryption steps, you will select the customer-managed key choice.
Set the encryption on a storage account
- In the Azure portal, enter the name of the storage account you want to encrypt in the Search field at the top of the screen. Matches will appear below the search field.
- Select the storage account you are looking for. The storage account screen will appear.
- Select Encryption.
- Select either Microsoft managed keys or Customer managed keys.
Use Microsoft-managed keys
By default, data in the storage account is encrypted using Microsoft managed keys.
Use customer-managed keys
- Select Customer managed keys.
- Select either Enter key URI or Select from key vault.
- If you select Enter key URI, enter the key URI in the Key URI field and select the subscription. (It may already be selected for you.)
- If you select Select from key vault, you will then select Select a key vault and key. The Select key from Azure Key Vault screen will appear.
- Select the Key Vault you want to use and either select a key you already have in your key vault or create a new key.
- If you choose to create a new key, select Generate or Import from the Options drop down. You can import only RSA keys.
- To generate a new key, give the key a name in the Name field then select the Key type:
- RSA - Key Sizes: 2048, 3072, or 4096. This is what most customers choose.
- EC - Elliptic Curve Names: P-256, P-384, P-521, or P-256K
- Optionally, you can set the activation and expiration dates of the key.
- Select Yes to enable automatic key rotation.
- Select Create.
- To import a key, select the file to upload by clicking anywhere in the Select a file field.
- Give the key a name in the Name field.
- Optionally, you can set the activation and expiration dates of the key.
- Select Yes to enable automatic key rotation.
- Select Create.
- Select Select to select this key to encrypt your storage account. You will be taken back to the Encryption screen.
- IMPORTANT! Select Save to save your encryption settings or everything you just did will be lost.
Change the key
Media Services automatically detects when the key is changed. OPTIONAL: To test this process, create another key version for the same key. Media Services should detect that the key has been changed.
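A small check for the key identifier that the Enter key URI step above and this Change the key section depend on. This is an added example, not code from the tutorial or from Azure: it parses a Key Vault key URI, validates the vault and key names against Key Vault naming limits as assumed here (vault 3-24 alphanumerics/hyphens, key 1-127 alphanumerics/hyphens, version 32 hex characters), and reports whether the URI pins a specific key version, which is assumed here to determine whether a new key version can be picked up automatically.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Naming limits below are the example author's assumptions about Key Vault,
# not rules stated in the tutorial.
VAULT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
OBJECT_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")
VERSION = re.compile(r"^[0-9a-f]{32}$")
VAULT_SUFFIX = ".vault.azure.net"


@dataclass
class KeyRef:
    vault: str
    name: str
    version: Optional[str]  # None means a versionless identifier

    @property
    def versioned(self) -> bool:
        return self.version is not None


def parse_key_uri(uri: str) -> KeyRef:
    """Parse https://<vault>.vault.azure.net/keys/<name>[/<version>]; raise ValueError otherwise."""
    u = urlparse(uri.strip())
    if u.scheme != "https":
        raise ValueError("key URI must use https")
    host = u.hostname or ""  # urlparse lowercases the hostname
    if not host.endswith(VAULT_SUFFIX):
        raise ValueError("host must be a *.vault.azure.net key vault endpoint")
    vault = host[: -len(VAULT_SUFFIX)]
    if not VAULT_NAME.match(vault):
        raise ValueError(f"invalid key vault name: {vault!r}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "keys":
        raise ValueError("path must be /keys/<name> or /keys/<name>/<version>")
    name = parts[1]
    if not OBJECT_NAME.match(name):
        raise ValueError(f"invalid key name: {name!r}")
    version = parts[2] if len(parts) == 3 else None
    if version is not None and not VERSION.match(version):
        raise ValueError(f"invalid key version: {version!r}")
    return KeyRef(vault, name, version)


def is_valid_key_uri(uri: str) -> bool:
    """Boolean wrapper for use in scripts and checks."""
    try:
        parse_key_uri(uri)
        return True
    except ValueError:
        return False


def rotation_note(ref: KeyRef) -> str:
    """Describe what the reference style implies for key changes (assumption, see lead-in)."""
    if ref.versioned:
        return "pinned: a new key version will not be picked up automatically"
    return "versionless: the service can resolve the current key version itself"
```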
Clean up resources
If you're not going to continue to use the resources that you created and you don't want to continue to be billed, delete them.