Create and manage Azure Database for PostgreSQL - Flexible Server with data encrypted by Customer Managed Keys (CMK) using Azure REST API

APPLIES TO: Azure Database for PostgreSQL - Flexible Server

In this article, you learn how to create an Azure Database for PostgreSQL flexible server instance with data encrypted by customer managed keys (CMK) by using the Azure REST API. For more information on encryption with Customer Managed Keys (CMK), see overview.

Set up customer managed key during server creation

Prerequisites:

  • You must have an Azure subscription and be an administrator on that subscription.
  • An Azure managed identity in the region where the Azure Database for PostgreSQL flexible server instance will be created.
  • A Key Vault with a key in the region where the Azure Database for PostgreSQL flexible server instance will be created. Follow this tutorial to create a Key Vault and generate a key.

Note

The API examples below are based on the 2022-12-01 API version.

You can create an Azure Database for PostgreSQL flexible server instance encrypted with a customer managed key by using the create API:

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBForPostgreSql/flexibleServers/{serverName}?api-version=2022-12-01

{
	"location": "eastus",
	"identity": {
		"type": "UserAssigned",
		"UserAssignedIdentities": {
			"/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userIdentity}": {}
		}
	},
	"properties": {
		"CreateMode": "Create",
		"administratorLogin": "admin",
		"AdministratorLoginPassword": "p@ssw0rd",
		"version": "14",
		"dataencryption": {
			"type": "AzureKeyVault",
			"primaryUserAssignedIdentityId": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userIdentity}",
			"primaryKeyUri": "{keyVaultUri}"
		}
	}
}

The Key Vault URI can be copied from the Key Identifier field in the key properties in the Azure Key Vault portal UI. You can also fetch the Key Vault URI programmatically by using the Azure REST API.
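The following Python is an added example, not part of the original article or Microsoft's code. It builds the request body shown above, checks that the Key Identifier has the expected shape, and confirms that the identity named under dataencryption is also attached to the server. The function names, the PG_ADMIN_PASSWORD variable and all sample values are assumptions made for illustration.

```python
import json
import os
from urllib.parse import urlparse

def parse_key_identifier(key_uri):
    """Split a Key Vault Key Identifier into (vault_host, key_name, version or None)."""
    u = urlparse(key_uri)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or not u.hostname:
        raise ValueError("key identifier must be an https URL")
    if len(parts) not in (2, 3) or parts[0] != "keys":
        raise ValueError("expected https://<vault-host>/keys/<name>[/<version>]")
    return u.hostname, parts[1], parts[2] if len(parts) == 3 else None

def build_cmk_server_body(location, identity_id, key_uri, admin_login, admin_password):
    """Build the PUT body from this page with one identity used in both places."""
    if not admin_password:
        raise ValueError("administrator password must be supplied at run time")
    parse_key_identifier(key_uri)  # raises on a malformed identifier
    return {
        "location": location,
        "identity": {"type": "UserAssigned", "UserAssignedIdentities": {identity_id: {}}},
        "properties": {
            "CreateMode": "Create",
            "administratorLogin": admin_login,
            "AdministratorLoginPassword": admin_password,
            "version": "14",
            "dataencryption": {
                "type": "AzureKeyVault",
                "primaryUserAssignedIdentityId": identity_id,
                "primaryKeyUri": key_uri,
            },
        },
    }

def check_identity_wiring(body):
    """True if the encryption identity is attached to the server (IDs compared case-insensitively)."""
    attached = {k.lower() for k in body["identity"]["UserAssignedIdentities"]}
    return body["properties"]["dataencryption"]["primaryUserAssignedIdentityId"].lower() in attached

if __name__ == "__main__":
    # Constructed sample values; the password comes from the environment, not the source file.
    ident = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pg-cmk-id"
    key = "https://examplevault.vault.azure.net/keys/pgcmk/0123456789abcdef0123456789abcdef"
    body = build_cmk_server_body("eastus", ident, key, "pgadmin", os.environ.get("PG_ADMIN_PASSWORD", "constructed-placeholder"))
    body["properties"]["AdministratorLoginPassword"] = "***"  # mask before printing
    print(check_identity_wiring(body), json.dumps(body, indent=2))
```

Reading the password from the environment keeps it out of scripts and shell history, unlike the inline value in the request sample.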

Next steps