When you create a cluster, its storage is automatically encrypted at the service level. If you require a higher level of assurance that your data is secure, you can also enable Azure Storage infrastructure level encryption, also known as double encryption. When infrastructure encryption is enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.
Important
Enabling double encryption is only possible during cluster creation.
Once infrastructure encryption is enabled on your cluster, you can't disable it.
Create an Azure AD application and service principal that can access resources. Add a role assignment at the subscription scope, and get the required Directory (tenant) ID, Application ID, and Client Secret.
Create your cluster
Create your cluster using the enableDoubleEncryption property:
using Microsoft.Azure.Management.Kusto;
using Microsoft.Azure.Management.Kusto.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Rest;

// Service principal values from the prerequisite step (placeholders).
var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Application ID
var clientSecret = "xxxxxxxxxxxxxx"; // Client Secret
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";

// Acquire an Azure Resource Manager token for the service principal.
var authenticationContext = new AuthenticationContext($"https://login.windows.net/{tenantId}");
var credential = new ClientCredential(clientId, clientSecret);
var result = await authenticationContext.AcquireTokenAsync(resource: "https://management.core.windows.net/", clientCredential: credential);
var credentials = new TokenCredentials(result.AccessToken, result.AccessTokenType);

var kustoManagementClient = new KustoManagementClient(credentials)
{
    SubscriptionId = subscriptionId
};

var resourceGroupName = "testrg";
var clusterName = "mykustocluster";
var location = "East US";
var skuName = "Standard_D13_v2";
var tier = "Standard";
var capacity = 5;
var sku = new AzureSku(skuName, tier, capacity);

// Infrastructure (double) encryption can only be set here, at creation time.
var enableDoubleEncryption = true;
var cluster = new Cluster(location, sku, enableDoubleEncryption: enableDoubleEncryption);
await kustoManagementClient.Clusters.CreateOrUpdateAsync(resourceGroupName, clusterName, cluster);
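Because double encryption can only be chosen at creation, it helps to know which existing clusters were created without it. The following is an added example, not part of the original page or the SDK's own samples: it uses the same management SDK to list the clusters in the subscription and report those whose EnableDoubleEncryption flag is not set. The class and method names (DoubleEncryptionAudit, FindWithoutDoubleEncryption, ReportAsync) are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Kusto;
using Microsoft.Azure.Management.Kusto.Models;

public static class DoubleEncryptionAudit
{
    // Returns the clusters whose EnableDoubleEncryption flag is not true.
    // The property is nullable; a null value (flag absent from the
    // response) is treated as "not enabled" so it is never silently passed.
    public static IReadOnlyList<Cluster> FindWithoutDoubleEncryption(IEnumerable<Cluster> clusters)
    {
        return clusters
            .Where(c => c.EnableDoubleEncryption != true)
            .OrderBy(c => c.Name, StringComparer.OrdinalIgnoreCase)
            .ToList();
    }

    // Lists every cluster in the client's subscription and prints the ones
    // without infrastructure encryption. Returns the number of such clusters.
    public static async Task<int> ReportAsync(IKustoManagementClient client)
    {
        IEnumerable<Cluster> clusters = await client.Clusters.ListAsync();
        var gaps = FindWithoutDoubleEncryption(clusters);

        foreach (var c in gaps)
        {
            // The setting is fixed at creation, so these clusters
            // cannot be switched to double encryption in place.
            Console.WriteLine($"{c.Name} ({c.Location}): double encryption not enabled");
        }

        return gaps.Count;
    }
}
```

Call `await DoubleEncryptionAudit.ReportAsync(kustoManagementClient);` with the client built above; a return value of 0 means every cluster in the subscription reports double encryption as enabled.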
Run the following command to check if your cluster was successfully created: