Use Self-managed Encryption Keys on Azure on Confluent Cloud
Required RBAC role: OrganizationAdmin or EnvironmentAdmin.
Protect the data at rest stored in your Confluent Cloud Dedicated clusters on Azure using Azure Key Vault to create and manage encryption keys.
Requirements
Self-managed encryption keys are supported only on Dedicated Kafka clusters created using the Self-managed encryption mode. To use self-managed encryption keys on Azure for Dedicated Kafka clusters, meet these requirements:
Key creation and management
Required RBAC role: OrganizationAdmin or EnvironmentAdmin.
- Create a Dedicated Kafka cluster on Azure using the “Self-managed” encryption mode. After provisioning your Dedicated cluster, you cannot switch modes between Automatic (default) and Self-managed.
- Use Azure Key Vault to generate, use, rotate, and destroy your encryption keys.
- Enable Azure RBAC and purge protection.
- Keys created and managed using external key managers (EKM) are not supported.
- Automatic key rotation is available using Azure Key Vault. Manual key rotation is not supported.
- If you delete a cluster, the encryption key is released after five days and is available for reuse during cluster creation. As a security best practice, encryption keys should not be reused for production clusters.
FIPS 140-2 certification
- Software-protected keys (FIPS 140-2 Level 1): Available for Azure Key Vault (Premium SKU and Standard SKU). See RSA (software-protected) keys.
- HSM-protected keys (FIPS 140-2 Level 2): Available for Azure Key Vault (Premium SKU) when using RSA-HSM (HSM-protected) keys.
Create a Dedicated Kafka cluster with self-managed encryption
To create an encrypted Confluent Cloud Dedicated Kafka cluster on Azure that uses a self-managed encryption key:
1. Navigate to the Clusters page for your environment and click Create cluster if you are creating the first cluster in your environment, or click Add cluster if other clusters exist.
2. For Select cluster type under Create cluster, select Dedicated and click Begin Configuration.
3. For Regions/zones under Create cluster, select Azure as the cloud service provider, select the Region and Availability, and then click Continue.
4. For Networking under Create cluster, select the networking type and click Continue.
5. For Security under Create cluster, select Self-managed to manage your own encryption key using Azure Key Vault. The Azure Vault Key section appears.
Step 1: In a separate browser window, go to Key Vaults on your Azure Portal account, select the Azure Key Vault key to use, and then enter the following information in the Confluent Cloud Console:
- Azure Key Vault Resource ID: The resource ID of the Azure Key Vault. To find the resource ID, go to Key Vaults on your Azure Portal account, select the Azure Key Vault key to use, and then click Overview. Click JSON View (to the right of Essentials) and then copy the value for Resource ID.
- Azure Key Vault Key identifier without version: The key identifier of the Azure Key Vault key, without the version segment.
- Azure Key Vault Tenant ID: The tenant ID of the Microsoft Entra ID associated with your subscription. See Find tenant ID through the Azure portal.
Click Create new if this is your first time, or click Use existing if you have an available key.
Important
- The encryption key and your cluster must be in the same region.
- When you create keys in Azure Key Vault, you must:
  - Use an RSA (software-protected) key or RSA-HSM (HSM-protected) key. See Requirements for details.
  - Enable purge protection (enforces a mandatory retention period for deleted vaults and vault objects).
  - Enable Azure RBAC for access to the key. Confluent creates a customer key-specific Active Directory (AD) on our site. Use the CLI snippet provided to create matching role assignments in Azure for:
  - If you have network restrictions, enable “Allow trusted Microsoft services to bypass this firewall?”.
Step 2: While signed in to the correct cluster, copy the CLI snippet, then run the command in your terminal.
After running the command, return to Confluent Cloud Console and click Continue.
The Confluent Cloud cluster is created using your encryption key and is ready to use after provisioning.
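As an added example, not code from the Confluent documentation or the CLI snippet the Console provides: an Azure CLI script that carries out the vault-side requirements listed under Requirements and in the Important list above (purge protection, Azure RBAC, an RSA-HSM key, automatic rotation, trusted-services bypass) and then collects the three values the Console asks for in Step 1. The resource names, region, principal ID and role name are assumed placeholders; the snippet the Console displays remains the authoritative source for the principal and roles to grant. The two helpers at the top (versionless key identifier, vault settings check) run without az, against constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Confluent documentation): Azure CLI steps that
# satisfy the key requirements above, plus two helpers that need no "az".
# Assumed placeholders: RESOURCE_GROUP, VAULT_NAME, KEY_NAME, LOCATION,
# CONFLUENT_PRINCIPAL_ID and ROLE_NAME. The Console's own CLI snippet is the
# authoritative source for the principal and roles to grant.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-confluent-byok}"
VAULT_NAME="${VAULT_NAME:-kv-confluent-byok}"
KEY_NAME="${KEY_NAME:-confluent-cluster-key}"
LOCATION="${LOCATION:-eastus}"   # must be the same region as the Dedicated cluster
CONFLUENT_PRINCIPAL_ID="${CONFLUENT_PRINCIPAL_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
ROLE_NAME="${ROLE_NAME:-Key Vault Crypto Service Encryption User}"  # assumed; use the Console snippet's role

# Constructed sample values so the helpers below can be exercised offline.
SAMPLE_KID="https://kv-confluent-byok.vault.azure.net/keys/confluent-cluster-key/0123456789abcdef0123456789abcdef"
SAMPLE_VAULT_JSON='{"id": "/subscriptions/<sub-id>/resourceGroups/rg-confluent-byok/providers/Microsoft.KeyVault/vaults/kv-confluent-byok", "properties": {"enablePurgeProtection": true, "enableRbacAuthorization": true}}'

# Drop the trailing version segment of a key identifier:
#   https://<vault>.vault.azure.net/keys/<key>/<version> -> .../keys/<key>
# The Console asks for the identifier in this versionless form.
key_id_without_version() {
    kid="$1"
    rest="${kid#*/keys/}"          # "<key>/<version>" or just "<key>"
    case "$rest" in
        */*) printf '%s\n' "${kid%/*}" ;;
        *)   printf '%s\n' "$kid" ;;
    esac
}

# Return 0 only if "az keyvault show" JSON has both settings the page requires.
# Plain grep, so it works where jq is not installed.
vault_meets_requirements() {
    json="$1"
    printf '%s' "$json" | grep -q '"enablePurgeProtection": *true' || return 1
    printf '%s' "$json" | grep -q '"enableRbacAuthorization": *true' || return 1
}

# Create a vault and an HSM-protected RSA key that meet the requirements,
# collect the three values the Console asks for, and grant the principal
# from the Console's snippet a role on the vault. Needs a signed-in "az".
provision_vault() {
    az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
        --location "$LOCATION" --sku premium \
        --enable-purge-protection true --enable-rbac-authorization true
    # RSA-HSM gives FIPS 140-2 Level 2 on the Premium SKU; --kty RSA is the
    # software-protected alternative that also works on the Standard SKU.
    az keyvault key create --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
        --kty RSA-HSM --size 2048
    # Automatic rotation is the only rotation mode the page supports: rotate
    # 30 days before expiry; each new version expires after two years.
    policy_file=$(mktemp)
    cat > "$policy_file" <<'EOF'
{"lifetimeActions":[{"trigger":{"timeBeforeExpiry":"P30D"},"action":{"type":"Rotate"}}],
 "attributes":{"expiryTime":"P2Y"}}
EOF
    az keyvault key rotation-policy update --vault-name "$VAULT_NAME" \
        --name "$KEY_NAME" --value "$policy_file"
    rm -f "$policy_file"
    # With network rules on the vault, let trusted Microsoft services through.
    az keyvault update --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
        --bypass AzureServices

    vault_json=$(az keyvault show --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" -o json)
    vault_meets_requirements "$vault_json" || {
        echo "vault lacks purge protection or RBAC authorization" >&2; return 1; }

    vault_id=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
    kid=$(az keyvault key show --vault-name "$VAULT_NAME" --name "$KEY_NAME" --query key.kid -o tsv)
    tenant=$(az account show --query tenantId -o tsv)
    az role assignment create --assignee-object-id "$CONFLUENT_PRINCIPAL_ID" \
        --assignee-principal-type ServicePrincipal \
        --role "$ROLE_NAME" --scope "$vault_id"

    echo "Azure Key Vault Resource ID:      $vault_id"
    echo "Key identifier without version:   $(key_id_without_version "$kid")"
    echo "Azure Key Vault Tenant ID:        $tenant"
}

# Only provision when asked; defining the helpers alone has no side effects.
if [ "${1:-}" = "provision" ]; then
    provision_vault
fi
```

Run it as `sh byok-vault.sh provision` from a shell where `az login` has already been done. The vault settings check exists because the Console validates the key at cluster creation and rejects a vault without purge protection or RBAC authorization; catching that before the form is filled in saves a round trip through the highlighted-field error described in the Note below.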
Note
A successful validation results in the provisioning of your cluster. If the cluster configuration is invalid because the encryption key is not valid or not authorized for Confluent, you get an error message. Close the modal; any invalid fields are highlighted in the original form. Re-enter a valid value in the highlighted field.