When you create a cluster, the service automatically encrypts data at the service level. For greater data security, you can additionally enable double encryption.
When you enable double encryption, the cluster encrypts data in the storage account twice by using two different algorithms.
Important
- You can enable double encryption only during cluster creation.
- After you enable infrastructure encryption on your cluster, you can't disable it.
For code samples based on previous SDK versions, see the archived article.
Create an Azure Data Explorer cluster.
In the Security tab, under Enable Double Encryption, select On. To remove double encryption, select Off.
Select Next: Network > or Review + create to create the cluster.
You can enable infrastructure encryption during cluster creation by using C#.
Prerequisites
Set up a managed identity by using the Azure Data Explorer C# client:
Create your cluster
Create your cluster with the enableDoubleEncryption property turned on; in the C# client it is set through IsDoubleEncryptionEnabled:
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Kusto;
using Azure.ResourceManager.Kusto.Models;

var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Application ID
var clientSecret = "PlaceholderClientSecret"; // Client secret (placeholder value)
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
var resourceManagementClient = new ArmClient(credentials, subscriptionId);
var resourceGroupName = "testrg";
var subscription = await resourceManagementClient.GetDefaultSubscriptionAsync();
var resourceGroup = (await subscription.GetResourceGroupAsync(resourceGroupName)).Value;
var clusters = resourceGroup.GetKustoClusters();
var clusterName = "mykustocluster";
var clusterData = new KustoClusterData(
    location: AzureLocation.ChinaEast2,
    sku: new KustoSku(KustoSkuName.StandardE8adsV5, KustoSkuTier.Standard) { Capacity = 5 }
) { IsDoubleEncryptionEnabled = true }; // Must be set here; it can't be enabled after creation
await clusters.CreateOrUpdateAsync(WaitUntil.Completed, clusterName, clusterData);
Run the following command to check if you created your cluster successfully:
clusterData = (await clusters.GetAsync(clusterName)).Value.Data;
If the result contains ProvisioningState with the Succeeded value, you created your cluster successfully.
You can enable infrastructure encryption during cluster creation by using Azure Resource Manager.
You can use an Azure Resource Manager template to automate deployment of your Azure resources. To learn more about deploying to Azure Data Explorer, see Create an Azure Data Explorer cluster and database by using an Azure Resource Manager template.
Add a system-assigned identity by using an Azure Resource Manager template
Add the enableDoubleEncryption property to the cluster resource's properties to tell Azure to enable infrastructure encryption (double encryption) for your cluster.
{
    "apiVersion": "2020-06-14",
    "type": "Microsoft.Kusto/clusters",
    "name": "[variables('clusterName')]",
    "location": "[resourceGroup().location]",
    "properties": {
        "trustedExternalTenants": [],
        "virtualNetworkConfiguration": null,
        "optimizedAutoscale": null,
        "enableDiskEncryption": false,
        "enableStreamingIngest": false,
        "enableDoubleEncryption": true
    }
}
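Because double encryption can be enabled only during cluster creation, it is worth checking a template before it is deployed. The following pre-deployment check is an added example, not code from the original article or from Azure tooling: it flags every Microsoft.Kusto/clusters resource whose enableDoubleEncryption does not resolve to true. The function names and the sample template are constructed for illustration, and only literal values and simple "[parameters('x')]" references with a default value are resolved; anything else is treated as not enabled.

```python
import json

KUSTO_TYPE = "microsoft.kusto/clusters"

# Constructed sample template (not from the original page): one compliant
# cluster, one missing the property, one driven by a parameter defaulting to false.
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {"doubleEnc": {"type": "bool", "defaultValue": false}},
  "resources": [
    {"type": "Microsoft.Kusto/clusters", "name": "good",
     "properties": {"enableDoubleEncryption": true}},
    {"type": "Microsoft.Kusto/clusters", "name": "missing",
     "properties": {"enableStreamingIngest": false}},
    {"type": "Microsoft.Kusto/clusters", "name": "param",
     "properties": {"enableDoubleEncryption": "[parameters('doubleEnc')]"}}
  ]
}
""")


def resolve(value, parameters):
    """Return a literal as-is, or the defaultValue behind "[parameters('x')]"."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        name = value[len("[parameters('"):-len("')]")]
        return parameters.get(name, {}).get("defaultValue")
    return value


def find_unprotected_clusters(template):
    """Return names of Kusto clusters that would be created without double encryption."""
    parameters = template.get("parameters", {})
    findings = []

    def walk(resources):
        for res in resources:
            if res.get("type", "").lower() == KUSTO_TYPE:
                props = res.get("properties") or {}
                if resolve(props.get("enableDoubleEncryption"), parameters) is not True:
                    findings.append(res.get("name", "<unnamed>"))
            walk(res.get("resources", []))  # child resources nested under a parent

    walk(template.get("resources", []))
    return findings


if __name__ == "__main__":
    for name in find_unprotected_clusters(SAMPLE_TEMPLATE):
        print(f"{name}: enableDoubleEncryption is not true; it can't be enabled after creation")
```
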