The following services support server-side encryption with customer-managed keys in Azure Key Vault and Azure Managed HSM. For implementation details, see the service-specific documentation or the service's Microsoft Cloud Security Benchmark: security baseline (section DP-5).
AI and machine learning
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure AI Search | Yes | Yes | Configure customer-managed keys for data encryption in Azure AI Search |
| Azure Bot Service | Yes | | Encryption of bot data in Azure Bot Service |
| Azure Machine Learning | Yes | | Customer-managed keys for workspace encryption in Azure Machine Learning |
| Dynamics 365 | Yes | Yes | Customer-managed keys for encryption |
| Speech Services | Yes | Yes | Speech service encryption of data at rest |
Analytics
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Data Explorer | Yes | | Configure customer-managed keys (CMK) in Azure Data Explorer |
| Azure Data Factory | Yes | Yes | Encryption with customer-managed keys for Azure Data Factory |
| Azure Databricks | Yes | Yes | Customer-managed keys for managed services |
| Azure HDInsight | Yes | | Azure HDInsight double encryption for data at rest |
| Azure Monitor Application Insights | Yes | | Customer-managed keys in Azure Monitor |
| Azure Monitor Log Analytics | Yes | Yes | Customer-managed keys in Azure Monitor |
| Azure Stream Analytics | Yes* | Yes | Data protection in Azure Stream Analytics |
| Azure Synapse Analytics | Yes (RSA 3072-bit) | Yes | Configure encryption at rest with customer-managed keys |
Containers
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Kubernetes Service | Yes | Yes | Enable host encryption on your AKS cluster nodes |
| Container Instances | Yes | | Encrypt data with a customer-managed key |
| Container Registry | Yes | | Encrypt container images with a customer-managed key |
Compute
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| App Service | Yes* | Yes | Configure customer-managed keys for App Service |
| Azure Functions | Yes* | Yes | Configure customer-managed keys for Azure Functions |
| Azure HPC Cache | Yes | | Use customer-managed keys with HPC Cache |
| Azure Managed Applications | Yes* | Yes | Azure managed applications overview |
| Azure portal | Yes* | Yes | Security in the Azure portal |
| Virtual Machine Scale Set | Yes | Yes | Overview of managed disk encryption options |
| Virtual Machines | Yes | Yes | Overview of managed disk encryption options |
Databases
Integration
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Fluid Relay | Yes | Yes | Customer-managed keys for Azure Fluid Relay |
| Event Hubs | Yes | Yes | Configure customer-managed keys for encryption |
| Logic Apps | Yes | | |
| Service Bus | Yes | Yes | Configure customer-managed keys for encryption |
IoT services
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| IoT Hub Device Provisioning | Yes | | |
Management and governance
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| App Configuration | Yes | | Use customer-managed keys to encrypt data |
| Automation | Yes | | Encryption of automation assets |
| Azure Migrate | Yes | | Tutorial: Migrate VMware VMs to Azure |
| Azure Monitor | Yes | Yes | Customer-managed keys in Azure Monitor |
Media
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Media Services | Yes | | Use your own encryption keys with Azure Media Services |
Security
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Information Protection | Yes | | How are the Azure Rights Management cryptographic keys managed and secured? |
| Microsoft Defender for Cloud | Yes | | Customer-managed keys in Azure Monitor |
| Microsoft Sentinel | Yes | Yes | Encryption at rest in Microsoft Sentinel |
Storage
Other
| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Universal Print | Yes | | Data encryption in Universal Print |
Caveats
\* This service supports storing data in your own Key Vault, Storage Account, or other data-persisting service that already supports server-side encryption with a customer-managed key.
\*\* Any transient data stored temporarily on disk, such as page files or swap files, is encrypted with a Microsoft key (all tiers) or a customer-managed key (using the Enterprise and Enterprise Flash tiers).