This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .
In December 2022, Microsoft Database for PostgreSQL - Flexible Server announced general availability of encryption at rest with Customer Managed Keys (CMK) feature. Data encryption at rest is a very important aspect of database security, as it transforms your data into unreadable code (ciphertext) using a cryptographic algorithm. Encryption encodes data, so only programs that know how to decode it can read it. It uses an algorithm—a set of ordered steps—to alter the information so that the receiving party can't read it without applying a similar algorithm to return it to its original state. In order for unauthorized users to decode and access sensitive information, they need to first decrypt the ciphertext using a cryptographic key – a secret key randomly generated by an algorithm.
Many organizations require full control on access to the data using a customer-managed key. Data encryption with customer-managed keys for Azure Database for PostgreSQL Flexible server enables you to bring your own key (BYOK) for data protection at rest. It also allows organizations to implement separation of duties in the management of keys and data. With customer-managed encryption, you are responsible for, and in a full control of, a key's lifecycle, key usage permissions, and auditing of operations on keys.
Until now data encryption with customer-managed keys for Azure Database for PostgreSQL Flexible server supported Azure Key Vault (AKV) as encryption key store. Today we are proud to announce support for Azure Key Vault Managed HSM as a second encryption key store, in addition to Azure Key Vault.
What is HSM?
Hardware security modules (HSMs) are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates. HSMs are tested, validated and certified to the highest security standards including FIPS 140-2 and Common Criteria. Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.
Advantages of Azure Key Vault Managed HSM service as cryptographic key store.
AKV Managed HSM service provides for following advantages:
- Fully managed, highly available, single tenant HSM as a service
- Protects your data and meet compliance requirements with FIPS (Federal Information Protection Standard) 140-2 Level 3 validated HSMs.
- Fully integrated with Azure monitor, you can get complete logs of all activity via Azure Monitor and import logs into Azure Log Analytics for analytics and alerts.
- Compliant with data residency requirements in EU and other regions. Managed HSM doesn't store/process customer data outside the region the customer deploys the HSM instance in.
- Integrated with your on-premises HSMs. You can easily generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM.
Comparison of various Azure Key Management products is shown below:
|
Azure Key Vault Standard |
Azure Key Vault Premium |
Azure Key Vault Managed HSM | |
|
Tenancy |
Multi-Tenant |
Multi-Tenant |
Single-Tenant |
|
Compliance |
FIPS 140-2 level 1 |
FIPS 140-2 level 2 |
FIPS 140-2 level 3 |
|
High Availability |
Automatic |
Automatic |
Automatic |
|
Use cases |
Encryption at Rest |
Encryption at Rest |
Encryption at Rest |
|
Key Controls |
Customer |
Customer |
Customer |
|
Root of trust control |
Microsoft |
Microsoft |
Customer |
Using Managed HSM with PostgreSQL Flexible Server Customer Managed Key Features
Starting today, you can pick Managed HSM as key store, in addition to Azure Key Vault, when creating new PostgreSQL Flexible Server in Azure Portal with Customer Managed Key (CMK) feature, as shown in image below.
The prerequisites in terms of user defined identity and permissions are same as with Azure Key Vault, as already listed in our docs. More information on how to create Azure Key Vault Managed HSM and import keys to it is available here.
Addition of Azure Key Vault Managed HSM provides for even more compliant way to safeguard your cryptographic keys and assists in our goal to provide you with highest security and compliance offerings when you choose to deploy Microsoft Database for PostgreSQL - Flexible Server.
We invite you to learn more about data encryption in PostgreSQL - Flexible Server with Customer Managed Keys and Azure Key Vault Managed HSM by reading following resources:
- Secure PostgreSQL Flexible Server with Customer Managed Keys
- Customer Managed Keys in Azure Database for PostgreSQL - Flexible Server official docs
- How -To use Azure CLI to create Azure Database for PostgreSQL - Flexible Server
- Azure data encryption at rest
- Azure Key Vault Managed HSM Overview
- Azure Key Vault Managed HSM - Control Your Data in the Cloud
- Quick Start: Provision and activate your Azure Key Vault Managed HSM using Azure CLI
We look forward to hearing about your’ experience with this new CMK feature on Flexible server. We’re always eager to hear customer feedback, so please reach out to us at Ask Azure DB for PostgreSQL.
To learn more about our Flexible Server managed service, see the Azure Database for PostgreSQL service page.