Customer-managed keys - overview

Azure Managed Instance for Apache Cassandra provides the capability to encrypt data on disk using your own key. This article describes how to implement customer-managed keys with Azure Key Vault.

Prerequisites

Important

This article requires the Azure CLI version 2.30.0 or higher. If you are using Azure Cloud Shell, the latest version is already installed.

Create a cluster with system assigned identity

Note

As mentioned in pre-requisites, to avoid deployment failure, make sure you have applied the appropriate role to your virtual network before attempting to deploy a managed instance cluster:

    az role assignment create \
    --assignee a232010e-820c-4083-83bb-3ace5fc29d0b \
    --role 4d97b98b-1d4f-4787-a291-c67834d212e7 \
    --scope /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>
  1. Create a cluster by specifying identity type as SystemAssigned, replacing <subscriptionID>, <resourceGroupName>, <vnetName>, and <subnetName> with the appropriate values:

    subnet="/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/<subnetName>"
    cluster="thvankra-cmk-test-wcus"
    group="thvankra-nova-cmk-test"
    region="westcentralus"
    password="PlaceholderPassword"
    
    az managed-cassandra cluster create \
        --identity-type SystemAssigned \
        --resource-group $group \
        --location $region \
        --cluster-name $cluster \
        --delegated-management-subnet-id $subnet \
        --initial-cassandra-admin-password $password
    
  2. Get the identity information of the created cluster

    az managed-cassandra cluster show -c $cluster -g $group
    

    The output will include an identity section like the below. Copy principalId for later use:

      "identity": {
        "principalId": "1aa51c7f-196a-4013-a656-1ccabfdc54e0",
        "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "type": "SystemAssigned"
      }
    
  3. In Azure Key Vault, create an access policy to your keys:

    Key Vault Access policy 1

  4. Assign get, wrap and unwrap key permissions on the key vault to the cluster's principalId retrieved above. In the portal, you can also look up the Principal ID of the cluster by the cluster's name:

    Key Vault Access policy 2

    Warning

    Make sure the key vault has Purge Protection enabled. Datacenter deployments will fail without it.

  5. After you click on add to add the access policy, make sure you save it:

    Save Access policy

  6. To get the key identifier, select your key:

    Select key

  7. Click on current version:

    Select current version

  8. Save the key identifier for later use:

    Key identifier step 2

  9. Create the datacenter by replacing <key identifier> with the same key (the uri you copied in previous step) for both managed disk (managed-disk-customer-key-uri) and backup storage (backup-storage-customer-key-uri) encryption as shown below (use the same value for subnet you used earlier):

    managedDiskKeyUri = "<key identifier>"
    backupStorageKeyUri = "<key identifier>"
    group="thvankra-nova-cmk-test"
    region="westcentralus"
    cluster="thvankra-cmk-test-2"
    dc="dc1"
    nodecount=3
    subnet="/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/<subnetName>"
    
    az managed-cassandra datacenter create \
        --resource-group $group \
        --cluster-name $cluster \
        --data-center-name $dc \
        --managed-disk-customer-key-uri $managedDiskKeyUri \
        --backup-storage-customer-key-uri $backupStorageKeyUri \
        --node-count $nodecount \
        --delegated-subnet-id $subnet \
        --data-center-location $region \
        --sku Standard_DS14_v2
    
  10. An existing cluster with no identity information can be assigned an identity as shown below:

    az managed-cassandra cluster update --identity-type SystemAssigned -g $group -c $cluster
    

Rotating the key

  1. Below is the command to update the key:

    managedDiskKeyUri = "<key identifier>"
    backupStorageKeyUri = "<key identifier>"
    
    az managed-cassandra datacenter update \
        --resource-group $group \
        --cluster-name $cluster \ 
        --data-center-name $dc \
        --managed-disk-customer-key-uri $managedDiskKeyUri \
        --backup-storage-customer-key-uri $backupStorageKeyUri