Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity

By default Azure Batch uses platform-managed keys to encrypt all the customer data stored in the Azure Batch Service, like certificates, job/task metadata. Optionally, you can use your own keys, i.e., customer-managed keys, to encrypt data stored in Azure Batch.

The keys you provide must be generated in Azure Key Vault, and they must be accessed with managed identities for Azure resources.

There are two types of managed identities: system-assigned and user-assigned.

You can either create your Batch account with system-assigned managed identity, or create a separate user-assigned managed identity that will have access to the customer-managed keys. Review the comparison table to understand the differences and consider which option works best for your solution. For example, if you want to use the same managed identity to access multiple Azure resources, a user-assigned managed identity will be needed. If not, a system-assigned managed identity associated with your Batch account may be sufficient. Using a user-assigned managed identity also gives you the option to enforce customer-managed keys at Batch account creation, as shown in the example below.

Create a Batch account with system-assigned managed identity

If you don't need a separate user-assigned managed identity, you can enable system-assigned managed identity when you create your Batch account.

Azure portal

In the Azure portal, when you create Batch accounts, pick System assigned in the identity type under the Advanced tab.

Screenshot of a new Batch account with system assigned identity type.

After the account is created, you can find a unique GUID in the Identity principal Id field under the Properties section. The Identity Type will show System assigned.

Screenshot showing a unique GUID in the Identity principal Id field.

You will need this value in order to grant this Batch account access to the Key Vault.

Azure CLI

When you create a new Batch account, specify SystemAssigned for the --identity parameter.

resourceGroupName='myResourceGroup'
accountName='mybatchaccount'

az batch account create \
    -n $accountName \
    -g $resourceGroupName \
    --locations regionName='West US 2' \
    --identity 'SystemAssigned'

After the account is created, you can verify that system-assigned managed identity has been enabled on this account. Be sure to note the PrincipalId, as this value will be needed to grant this Batch account access to the Key Vault.

az batch account show \
    -n $accountName \
    -g $resourceGroupName \
    --query identity

Note

The system-assigned managed identity created in a Batch account is only used for retrieving customer-managed keys from the Key Vault. This identity is not available on Batch pools. To use a user-assigned managed identity in a pool, see Configure managed identities in Batch pools.

Create a user-assigned managed identity

If you prefer, you can create a user-assigned managed identity which can be used to access your customer-managed keys.

You will need the Client ID value of this identity in order for it to access the Key Vault.

Configure your Azure Key Vault instance

The Azure Key Vault in which your keys will be generated must be created in the same tenant as your Batch account. It does not need to be in the same resource group or even in the same subscription.

Create an Azure Key Vault

When creating an Azure Key Vault instance with customer-managed keys for Azure Batch, make sure that Soft Delete and Purge Protection are both enabled.

Screenshot of the Key Vault creation screen.

Add an access policy to your Azure Key Vault instance

In the Azure portal, after the Key Vault is created, In the Access Policy under Setting, add the Batch account access using managed identity. Under Key Permissions, select Get, Wrap Key and Unwrap Key.

Screenshot showing the Add access policy screen.

In the Select field under Principal, fill in one of the following:

  • For system-assigned managed identity: Enter the principalId that you previously retrieved or the name of the Batch account.
  • For user-assigned managed identity: Enter the Client ID that you previously retrieved or the name of the user-assigned managed identity.

Screenshot of the Principal screen.

Generate a key in Azure Key Vault

In the Azure portal, go to the Key Vault instance in the key section, select Generate/Import. Select the Key Type to be RSA and RSA Key Size to be at least 2048 bits. EC key types are currently not supported as a customer-managed key on a Batch account.

Create a key

After the key is created, click on the newly created key and the current version, copy the Key Identifier under properties section. Be sure sure that under Permitted Operations, Wrap Key and Unwrap Key are both checked.

Enable customer-managed keys on a Batch account

Once you have followed the steps above, you can enable customer-managed keys on your Batch account.

Azure portal

In the Azure portal, go to the Batch account page. Under the Encryption section, enable Customer-managed key. You can directly use the Key Identifier, or you can select the key vault and then click Select a key vault and key.

Screenshot showing the Encryption section and option to enable customer-managed key

Azure CLI

After the Batch account is created with system-assigned managed identity and the access to Key Vault is granted, update the Batch account with the {Key Identifier} URL under keyVaultProperties parameter. Also set encryption_key_source as Microsoft.KeyVault.

az batch account set \
    -n $accountName \
    -g $resourceGroupName \
    --encryption_key_source Microsoft.KeyVault \
    --encryption_key_identifier {YourKeyIdentifier} 

Create a Batch account with user-assigned managed identity and customer-managed keys

Using the Batch management .NET client, you can create a Batch account that will have a user-assigned managed identity and customer-managed keys.

EncryptionProperties encryptionProperties = new EncryptionProperties()
{
    KeySource = KeySource.MicrosoftKeyVault,
    KeyVaultProperties = new KeyVaultProperties()
    {
        KeyIdentifier = "Your Key Azure Resource Manager Resource ID"
    }
};

BatchAccountIdentity identity = new BatchAccountIdentity()
{
    Type = ResourceIdentityType.UserAssigned,
    UserAssignedIdentities = new Dictionary<string, BatchAccountIdentityUserAssignedIdentitiesValue>
    {
            ["Your Identity Azure Resource Manager ResourceId"] = new BatchAccountIdentityUserAssignedIdentitiesValue()
    }
};
var parameters = new BatchAccountCreateParameters(TestConfiguration.ManagementRegion, encryption:encryptionProperties, identity: identity);

var account = await batchManagementClient.Account.CreateAsync("MyResourceGroup",
    "mynewaccount", parameters); 

Update the customer-managed key version

When you create a new version of a key, update the Batch account to use the new version. Follow these steps:

  1. Navigate to your Batch account in Azure portal and display the Encryption settings.
  2. Enter the URI for the new key version. Alternately, you can select the Key Vault and the key again to update the version.
  3. Save your changes.

You can also use Azure CLI to update the version.

az batch account set \
    -n $accountName \
    -g $resourceGroupName \
    --encryption_key_identifier {YourKeyIdentifierWithNewVersion} 

Use a different key for Batch encryption

To change the key used for Batch encryption, follow these steps:

  1. Navigate to your Batch account and display the Encryption settings.
  2. Enter the URI for the new key. Alternately, you can select the Key Vault and choose a new key.
  3. Save your changes.

You can also use Azure CLI to use a different key.

az batch account set \
    -n $accountName \
    -g $resourceGroupName \
    --encryption_key_identifier {YourNewKeyIdentifier} 

Frequently asked questions

  • Are customer-managed keys supported for existing Batch accounts? No. Customer-managed keys are only supported for new Batch accounts.
  • Can I select RSA key sizes larger than 2048 bits? Yes, RSA key sizes of 3072 and 4096 bits are also supported.
  • What operations are available after a customer-managed key is revoked? The only operation allowed is account deletion if Batch loses access to the customer-managed key.
  • How should I restore access to my Batch account if I accidentally delete the Key Vault key? Since purge protection and soft delete are enabled, you could restore the existing keys. For more information, see Recover an Azure Key Vault.
  • Can I disable customer-managed keys? You can set the encryption type of the Batch Account back to "Microsoft managed key" at any time. After this, you are free to delete or change the key.
  • How can I rotate my keys? Customer-managed keys are not automatically rotated. To rotate the key, update the Key Identifier that the account is associated with.
  • After I restore access how long will it take for the Batch account to work again? It can take up to 10 minutes for the account to be accessible again once access is restored.
  • While the Batch Account is unavailable what happens to my resources? Any pools that are running when Batch access to customer-managed keys is lost will continue to run. However, the nodes will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes will become available again and tasks will be restarted.
  • Does this encryption mechanism apply to VM disks in a Batch pool? No. For Cloud Services Configuration pools (which are deprecated), no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration pools, the OS and any specified data disks will be encrypted with a Microsoft platform managed key by default. Currently, you cannot specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the diskEncryptionConfiguration property in your Virtual Machine Configuration Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see Create a pool with disk encryption enabled
  • Is the system-assigned managed identity on the Batch account available on the compute nodes? No. The system-assigned managed identity is currently used only for accessing the Azure Key Vault for the customer-managed key. To use a user-assigned managed identity on compute nodes, see Configure managed identities in Batch pools.

Next steps