Enable double encryption for your cluster in Azure Data Explorer

Article
2025-02-05

When you create a cluster, data is automatically encrypted at the service level. For greater data security, you can additionally enable double encryption.

When double encryption is enabled, data in the storage account is encrypted twice, using two different algorithms.

Important

Enabling double encryption is only possible during cluster creation.
Once infrastructure encryption is enabled on your cluster, you can't disable it.

For code samples based on previous SDK versions, see the archived article.

Create an Azure Data Explorer cluster
In the Security tab > Enable Double Encryption, select On. To remove the double encryption, select Off.
Select Next:Network> or Review + create to create the cluster.

You can enable infrastructure encryption during cluster creation using C#.

Prerequisites

Set up a managed identity using the Azure Data Explorer C# client:

Install the Azure Data Explorer NuGet package.
Install the Azure.Identity NuGet package for authentication.
Create a Microsoft Entra application and service principal that can access resources. You add role assignment at the subscription scope and get the required Directory (tenant) ID, Application ID, and Client Secret.

Create your cluster

Create your cluster using the enableDoubleEncryption property:

var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Application ID
var clientSecret = "PlaceholderClientSecret"; //Client Secret
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
var resourceManagementClient = new ArmClient(credentials, subscriptionId);
var resourceGroupName = "testrg";
var subscription = await resourceManagementClient.GetDefaultSubscriptionAsync();
var resourceGroup = (await subscription.GetResourceGroupAsync(resourceGroupName)).Value;
var clusters = resourceGroup.GetKustoClusters();
var clusterName = "mykustocluster";
var clusterData = new KustoClusterData(
    location: AzureLocation.chinaeast2,
    sku: new KustoSku(KustoSkuName.StandardE8adsV5, KustoSkuTier.Standard) { Capacity = 5 }
) { IsDoubleEncryptionEnabled = true };
await clusters.CreateOrUpdateAsync(WaitUntil.Completed, clusterName, clusterData);

Run the following command to check if your cluster was successfully created:
```
clusterData = (await clusters.GetAsync(clusterName)).Value.Data;
```
If the result contains ProvisioningState with the Succeeded value, then the cluster was created successfully.

You can enable infrastructure encryption during cluster creation using Azure Resource Manager.

An Azure Resource Manager template can be used to automate deployment of your Azure resources. To learn more about deploying to Azure Data Explorer, see Create an Azure Data Explorer cluster and database by using an Azure Resource Manager template.

Add a system-assigned identity using an Azure Resource Manager template

Add the 'EnableDoubleEncryption' type to tell Azure to enable infrastructure encryption (double encryption) for your cluster.

{
    "apiVersion": "2020-06-14",
    "type": "Microsoft.Kusto/clusters",
    "name": "[variables('clusterName')]",
    "location": "[resourceGroup().location]",
    "properties": {
        "trustedExternalTenants": [],
        "virtualNetworkConfiguration": null,
        "optimizedAutoscale": null,
        "enableDiskEncryption": false,
        "enableStreamingIngest": false,
        "enableDoubleEncryption": true
    }
}

Enable double encryption for your cluster in Azure Data Explorer

Related content

Additional resources