Managed HSM support for Azure Database for MySQL – Flexible Server (General Availability)

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

We're happy to announce general availability of Azure Key Vault Managed HSM support for customer managed keys (CMK) in Azure Database for MySQL – Flexible Server!

What is Managed HSM?

Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service for safeguarding the cryptographic keys of your cloud applications, using FIPS 140-2 Level 3 validated HSMs. Your data is stored and processed only within the region that hosts the HSM, which preserves data residency. Each Managed HSM instance is dedicated to a single customer and consists of a cluster of HSM partitions. All cryptographic operations, such as encryption, decryption, and validation, are performed inside the HSM.

Benefits of Managed HSM support for Azure Database for MySQL – Flexible Server

The Managed HSM feature allows you to use your own HSM-backed encryption keys to protect data at rest in MySQL – Flexible Server instances. You can generate HSM-backed keys, or import encryption keys from a physical on-premises HSM by using the CMK bring your own key (BYOK) feature, while maintaining full control over the keys.

 

Configuring Managed HSM for Azure Database for MySQL – Flexible Server

You can configure an Azure Key Vault Managed HSM for new or existing Azure Database for MySQL flexible servers by using the Azure CLI or the Azure portal, as shown in the following screenshot:

[Screenshot: configuring data encryption for the demomysql flexible server in the Azure portal]

When configuring Managed HSM, note that you must:

  • Deploy the Managed HSM in the same region as the MySQL flexible server.
  • Enable soft delete and purge protection on the Managed HSM.
  • Assign the server's user-assigned managed identity (UMI) the "Managed HSM Crypto Service Encryption User" role in the Managed HSM's local RBAC.
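The same three requirements applied from the command line, as an added example that is not part of the original post: the resource names are placeholders, and the az subcommands and flags are those the example's author knows from the Azure CLI, not ones given in the article.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): enable CMK with a Managed HSM key on an
# existing flexible server, enforcing the three requirements listed above.
# Resource names are placeholders; az flags are as known to this example's author.
set -eu

RG="${RG:-rg-demo}"              # placeholder resource group
SERVER="${SERVER:-demomysql}"    # placeholder flexible server name
HSM="${HSM:-demo-mhsm}"          # placeholder Managed HSM name
KEY="${KEY:-mysql-cmk}"          # placeholder key name
UMI="${UMI:-demo-mysql-umi}"     # placeholder user-assigned identity name

# Requirement 1: HSM and server must be in the same region.
# Case-insensitive string compare, so it can be checked without calling Azure.
same_region() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$a" = "$b" ]
}

configure_cmk() {
  server_loc=$(az mysql flexible-server show -g "$RG" -n "$SERVER" --query location -o tsv)
  hsm_loc=$(az keyvault show --hsm-name "$HSM" --query location -o tsv)
  same_region "$server_loc" "$hsm_loc" || { echo "HSM and server regions differ" >&2; return 1; }

  # Requirement 2: soft delete is on by default for Managed HSM; purge protection must be enabled.
  az keyvault update-hsm --hsm-name "$HSM" --enable-purge-protection true

  # Requirement 3: grant the UMI the crypto role in the HSM's local RBAC, scoped to keys only.
  umi_oid=$(az identity show -g "$RG" -n "$UMI" --query principalId -o tsv)
  umi_id=$(az identity show -g "$RG" -n "$UMI" --query id -o tsv)
  az keyvault role assignment create --hsm-name "$HSM" \
    --role "Managed HSM Crypto Service Encryption User" \
    --assignee-object-id "$umi_oid" --scope /keys

  # Create an HSM-backed key and point the server at it, using the UMI for access.
  key_id=$(az keyvault key create --hsm-name "$HSM" -n "$KEY" --kty RSA-HSM --size 3072 \
    --query key.kid -o tsv)
  az mysql flexible-server update -g "$RG" -n "$SERVER" --key "$key_id" --identity "$umi_id"
}

# Only touch Azure when explicitly requested, so the functions can be sourced and checked offline.
if [ "${RUN_AZ:-0}" = "1" ]; then
  configure_cmk
fi
```

Run with `RUN_AZ=1` after `az login`; the region check fails fast before any change is made if the HSM was deployed elsewhere.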

 

Learn more

For more details about this feature, see the article Data encryption with customer managed keys - Azure Database for MySQL - Flexible Server.

If you have any queries or suggestions, please let us know by leaving a comment below or by contacting us directly at AskAzureDBforMySQL@service.microsoft.com.