Tutorial: Use the Azure portal to use customer-managed keys or BYOK with Media Services
Warning
Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.
With the 2020-05-01 or later version of the API, you can use a customer-managed RSA key with an Azure Media Services account that has a system-managed identity. This tutorial covers the steps in the Azure portal.
The services used are:
- Azure Storage
- Azure Key Vault
- Azure Media Services
In this tutorial, you'll learn to use the Azure portal to:
- Create a resource group.
- Create a storage account with a system-managed identity.
- Create a Media Services account with a system-managed identity.
- Create a key vault for storing a customer-managed RSA key.
Prerequisites
An Azure subscription.
If you don't have an Azure subscription, create a trial account.
System-managed keys
Create a resource group with the portal
- On the Home screen of the Azure portal, select Create a resource. The Marketplace screen will appear.
- Select Resource groups. A listing of resource groups will appear.
- Select Add. The Create a resource group screen will appear.
- Select the subscription you want to use for this resource group.
- Enter the resource group name in the Resource group field.
- Select the Region for the resource group.
- Select Review + create.
Important
For the following storage account creation steps, you will select the system-managed key choice in Advanced settings.
Create a Media Services account with the portal
- Sign in at the Azure portal.
- Select +Create a resource.
- In the search field, enter "Media Services" and select Enter. Search results will appear, including a card for Media Services.
- Select the Media Services card. The Media Services detail screen will appear.
- Select Create. The Create a Media Services account screen will appear.
- In the Create a Media Services account section, enter the required values:
  - Account Name: Enter the name of the new Media Services account. A Media Services account name is all lowercase letters or numbers with no spaces, and is 3 to 24 characters in length.
  - Subscription: If you have more than one subscription, select one from the list of Azure subscriptions that you have access to.
  - Resource Group: Select the new or existing resource group. A resource group is a collection of resources that share lifecycle, permissions, and policies.
  - Location: Select the geographic region that will be used to store the media and metadata records for your Media Services account. This region will be used to process and stream your media. Only the available Media Services regions appear in the drop-down list box.
  - Storage Account: Select a storage account to provide blob storage of the media content from your Media Services account. You can select an existing storage account in the same geographic region as your Media Services account, or you can create a new storage account. A new storage account is created in the same region. The rules for storage account names are the same as for Media Services accounts. You must have one Primary storage account and you can have any number of Secondary storage accounts associated with your Media Services account. You can use the Azure portal to add secondary storage accounts. For more information, see Azure Storage accounts with Azure Media Services accounts. The Media Services account and all associated storage accounts must be in the same Azure subscription. It is strongly recommended to use storage accounts in the same location as the Media Services account to avoid additional latency and data egress costs.
  - Advanced settings: Select a previously created user managed identity from the dropdown list, or create a new user managed identity by selecting the link.
  Important
  All new Media Services accounts require a user-managed identity. Previously created accounts that have a system-managed identity have not changed.
- Select the checkbox next to "I have all the rights to use the content/file, and agree that it will be handled per the Online Services Terms and the Microsoft Privacy Statement." to confirm and continue.
- Click Review + create, or add tags with the Next: Tags button.
- Click Create on the following screen. Deployment will begin.
Create a key vault with the portal
- Enter Key vault into the main search field and select Key Vault when it appears in the search results.
- Select Create key vault. The Create key vault screen appears.
- Select the Resource group you want to use or create a new one.
- Enter a name into the Key Vault name field.
- Select the region from the Region dropdown list.
- Select a pricing tier from the Pricing tier dropdown list.
- Enter the number of days in the Days to retain deleted vaults field.
- Enable or disable purge protection using the Purge protection radio buttons.
- Select Next. The access policy screen will appear.
- Select either the Vault access policy or Azure role-based access control to give the user appropriate permissions.
- Optional: Select one or more of the Resource access checkboxes.
- Optional: Select the user in the User list if you want finer grained control of access.
- Select Next. The Networking screen will appear.
- Select or deselect the Enable public access checkbox. If you choose to disable public access:
  - Select the All networks radio button to allow all public access, or select the Selected networks radio button to restrict network traffic to selected IPs.
  - Select the + Add a virtual network down arrow and select either Add existing virtual networks or Add new virtual network. In the first case, select the already created virtual network. In the second case, the Create virtual network screen appears and you will use it to create a virtual network.
  - Select the Allow trusted Microsoft services to bypass this firewall checkbox if you want to give access to other services.
- Optional: Select Create a private endpoint if you would like to create a private endpoint for the key vault. The Create private endpoint screen will appear.
  - Select the subscription you want to work with from the Subscription dropdown menu, along with the resource group, if they aren't already selected.
  - Select a location (region) from the Location dropdown list.
  - Enter a name for the private endpoint in the Name field.
  - Select the already created virtual network from the Virtual network dropdown list.
  - Select the subnet from the Subnet dropdown list.
  - Use the Integrate with private DNS zone toggle to choose Yes or No.
  - Select the zone from the Private DNS zone dropdown list.
- Select Review + create. The portal will check for any issues with the setup.
- Select Create to deploy the key vault.
Enable customer-managed keys on a Media Services account in the Azure portal
- After creating the Media Services account, navigate to it in the Azure portal.
- Select Encryption.
- Select Customer-managed keys under Encryption Type.
- Select the identity from the Managed identity dropdown list.
- Select the Select from key vault radio button.
- Select the Select key vault button. The Select a key screen will appear.
- Select the key vault from the Key vault dropdown list.
- Select the key from the Key list or create a new one.
- Select Save.
Important
For the following storage encryption steps, you will select the customer-managed key choice.
Set the encryption on a storage account
- In the Azure portal, navigate to the subscription you want to work with.
- Select Resources. The Resources screen will appear with a listing of all of the resources for that subscription.
- Enter the name (or part of the name) of the storage account you want to encrypt in the Search field at the top of the screen. Matches will appear below the search field.
- Select the storage account you are looking for. The storage account screen will appear.
- Select Encryption.
- Select either the Microsoft managed keys or Customer managed keys radio button.
Use Microsoft-managed keys
By default, data in the storage account is encrypted using Microsoft managed keys.
Use customer-managed keys
- Select Customer managed keys.
- Select either Enter key URI or Select from key vault.
  - If you select Enter key URI, enter the key URI in the Key URI field and select the subscription. (It may already be selected for you.)
  - If you select Select from key vault, select Select a key vault and key. The Select key from Azure Key Vault screen will appear.
- Select the Key Vault you want to use and either select a key you already have in your key vault or create a new key.
- If you choose to create a new key, select Generate or Import from the Options dropdown. You can import only RSA keys.
  - To generate a new key, give the key a name in the Name field, then select the Key type:
    - RSA - Key Sizes: 2048, 3072, or 4096. This is what most customers choose.
    - EC - Elliptic Curve Names: P-256, P-384, P-521, or P-256K
    - Optionally, set the activation and expiration dates of the key.
    - Select Yes to enable automatic key rotation.
    - Select Create.
  - To import a key, select the file to upload by clicking anywhere in the Select a file field.
    - Give the key a name in the Name field.
    - Optionally, set the activation and expiration dates of the key.
    - Select Yes to enable automatic key rotation.
    - Select Create.
- Select Select to choose this key to encrypt your storage account. You will be taken back to the Encryption screen.
- IMPORTANT! Select Save to save your encryption settings; otherwise everything you just configured will be lost.
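A pre-flight check for the setup described in this tutorial, added here as an example (it is not part of the tutorial or of Media Services): it parses the key URI form used by Enter key URI and reports violations of the constraints the tutorial states (account-name rule, same subscription required, same region recommended, RSA key and offered key sizes). The account names, subscription ids and regions are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Name rule stated for Media Services and storage accounts: lowercase letters or digits, 3 to 24 chars.
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
RSA_KEY_SIZES = {2048, 3072, 4096}  # sizes offered by the Key Vault Generate option


@dataclass(frozen=True)
class KeyRef:
    vault: str
    name: str
    version: Optional[str]  # None when the URI names the key without a version


def parse_key_uri(uri: str) -> Optional[KeyRef]:
    """Parse https://<vault>.vault.azure.net/keys/<name>[/<version>]; None if not a Key Vault key URI."""
    u = urlparse(uri)
    host = u.hostname or ""
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or not host.endswith(".vault.azure.net"):
        return None
    if len(parts) not in (2, 3) or parts[0] != "keys":
        return None
    return KeyRef(host.split(".")[0], parts[1], parts[2] if len(parts) == 3 else None)


def preflight(ams: dict, storage: list, key_type: str, key_size: int, imported: bool) -> list:
    """Return the tutorial's constraints that a planned setup violates; an empty list means clean."""
    problems = []
    for acct in [ams, *storage]:
        if not ACCOUNT_NAME_RE.fullmatch(acct["name"]):
            problems.append(f"invalid account name {acct['name']!r}")
    if not storage:
        problems.append("a Media Services account needs one primary storage account")
    for s in storage:  # same subscription is required; same region is strongly recommended
        if s["subscription"] != ams["subscription"]:
            problems.append(f"{s['name']} is not in the Media Services account's subscription")
        if s["location"] != ams["location"]:
            problems.append(f"{s['name']} is in {s['location']}, not {ams['location']} (latency, egress cost)")
    if key_type != "RSA":
        problems.append("only RSA keys can be imported" if imported else "the customer-managed key must be RSA")
    elif key_size not in RSA_KEY_SIZES:
        problems.append(f"RSA size {key_size} not offered; choose from {sorted(RSA_KEY_SIZES)}")
    return problems


# Constructed sample: a planned Media Services account and its primary storage account.
SAMPLE_AMS = {"name": "contosomedia", "subscription": "sub-a", "location": "westus2"}
SAMPLE_STORAGE = [{"name": "contosomediastore", "subscription": "sub-a", "location": "westus2"}]
```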
Change the key
Media Services automatically detects when the key is changed. OPTIONAL: To test this process, create another key version for the same key. Media Services should detect that the key has been changed.
Clean up resources
If you're not going to continue to use the resources that you created and you don't want to continue to be billed, delete them.