Configure customer-managed keys using PowerShell
Azure Data Explorer encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption.
Customer-managed keys must be stored in an Azure Key Vault. You can create your own keys and store them in a key vault, or you can use an Azure Key Vault API to generate keys. The Azure Data Explorer cluster and the key vault must be in the same region, but they can be in different subscriptions. For a detailed explanation on customer-managed keys, see customer-managed keys with Azure Key Vault.
This article shows you how to configure customer-managed keys.
Configure Azure Key Vault
To configure customer-managed keys with Azure Data Explorer, you must set two properties on the key vault: Soft Delete and Do Not Purge. These properties aren't enabled by default. To enable these properties, perform Enabling soft-delete and Enabling Purge Protection in PowerShell or Azure CLI on a new or existing key vault. Only RSA keys of size 2048 are supported. For more information about keys, see Key Vault keys.
Note
Data encryption using customer managed keys is not supported on leader and follower clusters
Assign an identity to the cluster
To enable customer-managed keys for your cluster, first assign either a system-assigned or user-assigned managed identity to the cluster. You'll use this managed identity to grant the cluster permissions to access the key vault. To configure managed identities, see managed identities.
Enable encryption with customer-managed keys using PowerShell
This article shows you how to enable customer-managed keys encryption using PowerShell. By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.
Run the following command to sign in to Azure:
Connect-AzAccountSet the subscription where your cluster is registered.
Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"Run the following command to set the new key using a system assigned identity.
Update-AzKustoCluster -ResourceGroupName "mytestrg" -Name "mytestcluster" -KeyVaultPropertyKeyName "<key-name>" -KeyVaultPropertyKeyVaultUri "<key-vault-uri>" -KeyVaultPropertyKeyVersion "<key-version>"Alternatively, set the new key using a user assigned identity.
Update-AzKustoCluster -ResourceGroupName "mytestrg" -Name "mytestcluster" -KeyVaultPropertyKeyName "<key-name>" -KeyVaultPropertyKeyVaultUri "<key-vault-uri>" -KeyVaultPropertyKeyVersion "<key-version>" -KeyVaultPropertyUserIdentity "user-assigned-identity-resource-id"Run the following command and check the 'KeyVaultProperty...' properties to verify the cluster updated successfully.
Get-AzKustoCluster -Name "mytestcluster" -ResourceGroupName "mytestrg" | Format-List