Use Self-Managed Encryption Keys in Confluent Cloud on Azure
Required RBAC role: OrganizationAdmin or EnvironmentAdmin.
Protect the data at rest stored in your Enterprise or Dedicated Kafka clusters in Confluent Cloud on Azure using Azure Key Vault to create and manage encryption keys.
Requirements
Self-managed encryption keys are supported only on Kafka clusters created using the self-managed encryption mode. To use self-managed encryption keys on Azure for supported Kafka cluster types, follow these requirements:
Key creation and management
Required RBAC role: OrganizationAdmin or EnvironmentAdmin.
- Create an Enterprise or Dedicated Kafka cluster on Azure using the “Self-managed” encryption mode. After provisioning your cluster, you cannot switch modes between Automatic (default) and Self-managed.
- Use Azure Key Vault to generate, use, rotate, and destroy your encryption keys.
- Enable Azure RBAC and purge protection.
- For Dedicated Kafka clusters, if you have network restrictions, enable Allow trusted Microsoft services to bypass this firewall?
- For Enterprise Kafka clusters, you must configure the Firewall and virtual networks settings (under Networking) in your Azure Key Vault to Allow public access from all networks to enable Confluent Cloud access.
- Keys created and managed using external key managers (EKM) are not supported.
- Key rotation:
  - Automatic key rotation is available using Azure Key Vault, but manual key rotation is not supported.
  - WARNING: Deleting old keys is a permanent operation that cannot be undone and results in data loss.
- If you delete a cluster, the encryption key is released after five days and is available for reuse during cluster creation. As a security best practice, encryption keys should not be reused for production clusters.
FIPS 140-2 certification
- Software-protected keys (FIPS 140-2 Level 1): Available for Azure Key Vault (Premium SKU and Standard SKU). See RSA (software-protected) keys.
- HSM-protected keys (FIPS 140-2 Level 2): Available for Azure Key Vault (Premium SKU) when using RSA-HSM (HSM-protected) keys.
Create a self-managed encryption key
A self-managed encryption key can be created in two ways:
- From the global Encryption Keys page
- During cluster creation
Method 1: From the global Encryption Keys page
To create a self-managed encryption key from the global Encryption Keys page:
- In the Confluent Cloud Console, click the hamburger menu in the upper right corner.
- Select Encryption keys from the menu.
- Click Add new key.
- Step 1: Choose a cloud provider - Select Microsoft Azure.
- Step 2: Enter key details - Provide the following information:
  - Key Alias (optional): A human-friendly name to identify the key
  - Azure Key Vault Resource ID: Found in your Azure Portal under Key Vaults → select your vault → Overview → JSON View
  - Azure Key Vault Key identifier without version: The key ID from your Azure Key Vault (format: https://<vault-name>.vault.azure.net/keys/<key-name>)
  - Azure Key Vault Tenant ID: Your Microsoft Entra ID tenant ID
- Click Register key. The key is created and will appear in the encryption keys table.
- Step 3: Configure permissions and policy - Follow the Azure-specific instructions to configure RBAC permissions.
- Click Finish. The key enters an initializing state which runs asynchronously and may take up to 5 minutes.
The key will show a status of “Initializing” until validation completes. Once validated, the key can be used when creating clusters.
Method 2: Create a Kafka cluster with self-managed encryption
To create an encrypted Confluent Cloud Kafka cluster on Azure that uses a self-managed encryption key:
- Navigate to the Clusters page for your environment and click Create cluster if you are creating the first cluster in your environment, or click Add cluster if other clusters exist. 
- For Select cluster type under Create cluster, select a supported Kafka cluster type (Enterprise or Dedicated), and click Begin Configuration. 
- For Regions/zones under Create cluster, select Azure as the cloud service provider, select the Region and Availability, and then click Continue. 
- For Networking under Create cluster, select the networking type and click Continue. 
- For Security under Create cluster, select Self-managed to manage your own encryption key using Azure Key Vault. You can either:
  - Select an existing key: Choose from the dropdown list of previously created and validated encryption keys from the global Encryption Keys page.
  - Add a new key: Create a new encryption key during cluster creation.

  Note: Key validation during cluster creation is asynchronous and may take a few minutes.

  If adding a new key during cluster creation:
  - In a separate browser window, go to Key Vaults on your Azure Portal account, select the Azure Key Vault key to use, and then enter the following information in the Confluent Cloud Console:

    | Entry | Description and Location |
    | --- | --- |
    | Azure Key Vault Resource ID | The resource ID of the Azure Key Vault. Location: Go to Key Vaults → select your vault → Overview → JSON View (to the right of Essentials) → copy the value for Resource ID. |
    | Azure Key Vault Key identifier without version | The key ID of the Azure Key Vault. Format: https://<vault-name>.vault.azure.net/keys/<key-name> (without the version suffix). Location: In your Key Vault → Keys → select your key → copy the Key Identifier and remove the version part. |
    | Azure Key Vault Tenant ID | The tenant ID of the Microsoft Entra ID associated with your subscription. Location: See Find tenant ID through the Azure portal. |

    Important: The encryption key and your cluster must be in the same region.
  - When you create keys in Azure Key Vaults, you must:
    - Use an RSA (software-protected) key or RSA-HSM (HSM-protected) key. See Requirements for details.
    - Enable purge protection (enforces a mandatory retention period for deleted vaults and vault objects).
    - Enable Azure RBAC for access to the key. Confluent creates a customer key-specific Active Directory (AD) on our site. Use the CLI snippet provided to create matching role assignments in Azure for:
    - For Dedicated clusters, if you have network restrictions, enable Allow trusted Microsoft services to bypass this firewall?
    - For Enterprise clusters, you must configure the Firewall and virtual networks settings (under Networking) in your Azure Key Vault to Allow public access from all networks to enable Confluent Cloud access.
  - Configure Azure permissions: While signed in to the correct cluster, copy the CLI snippet, then run the command in your terminal.
  - After running the command, return to Confluent Cloud Console and click Continue.
- The Confluent Cloud cluster is created using your encryption key and is ready to use after provisioning.
Note
A successful validation results in the provisioning of your cluster. If the cluster configuration is invalid because the encryption key is not valid or not authorized for Confluent, then you get an error message. Close the modal; any invalid fields are highlighted in the original form. Reenter a valid value in the highlighted field.
If the key is not valid or not authorized for Confluent, you can revisit the policy and authorization instructions from the global Encryption Keys page. Navigate to the Encryption Keys page, find your key, and click View key details to access the permissions and policy configuration instructions.