Enable double encryption for your cluster in Azure Data Explorer

When you create a cluster, data is automatically encrypted at the service level. For greater data security, you can additionally enable double encryption.

When double encryption is enabled, data in the storage account is encrypted twice, using two different algorithms.

Important

• Enabling double encryption is only possible during cluster creation.
• Once infrastructure encryption is enabled on your cluster, you can't disable it.

For code samples based on previous SDK versions, see the archived article.

Azure portal

1. Create an Azure Data Explorer cluster

2. In the Security tab > Enable Double Encryption, select On. To remove the double encryption, select Off.

3. Select Next:Network> or Review + create to create the cluster.

   

C#

You can enable infrastructure encryption during cluster creation using C#.

Prerequisites

Set up a managed identity using the Azure Data Explorer C# client:

• Install the Azure Data Explorer NuGet package.
• Install the Azure.Identity NuGet package for authentication.
• Create a Microsoft Entra application and service principal that can access resources. You add role assignment at the subscription scope and get the required Directory (tenant) ID, Application ID, and Client Secret.

Create your cluster

1. Create your cluster using the enableDoubleEncryption property:

   var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Directory (tenant) ID
   var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Application ID
   var clientSecret = "PlaceholderClientSecret"; //Client Secret
   var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
   var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
   var resourceManagementClient = new ArmClient(credentials, subscriptionId);
   var resourceGroupName = "testrg";
   var subscription = await resourceManagementClient.GetDefaultSubscriptionAsync();
   var resourceGroup = (await subscription.GetResourceGroupAsync(resourceGroupName)).Value;
   var clusters = resourceGroup.GetKustoClusters();
   var clusterName = "mykustocluster";
   var clusterData = new KustoClusterData(
       location: AzureLocation.EastUS,
       sku: new KustoSku(KustoSkuName.StandardE8adsV5, KustoSkuTier.Standard) { Capacity = 5 }
   ) { IsDoubleEncryptionEnabled = true };
   await clusters.CreateOrUpdateAsync(WaitUntil.Completed, clusterName, clusterData);
   

2. Run the following command to check if your cluster was successfully created:

   clusterData = (await clusters.GetAsync(clusterName)).Value.Data;
   

   If the result contains ProvisioningState with the Succeeded value, then the cluster was created successfully.

ARM template

You can enable infrastructure encryption during cluster creation using Azure Resource Manager.

An Azure Resource Manager template can be used to automate deployment of your Azure resources. To learn more about deploying to Azure Data Explorer, see Create an Azure Data Explorer cluster and database by using an Azure Resource Manager template.

Add a system-assigned identity using an Azure Resource Manager template

Add the 'EnableDoubleEncryption' type to tell Azure to enable infrastructure encryption (double encryption) for your cluster.

{
    "apiVersion": "2020-06-14",
    "type": "Microsoft.Kusto/clusters",
    "name": "[variables('clusterName')]",
    "location": "[resourceGroup().location]",
    "properties": {
        "trustedExternalTenants": [],
        "virtualNetworkConfiguration": null,
        "optimizedAutoscale": null,
        "enableDiskEncryption": false,
        "enableStreamingIngest": false,
        "enableDoubleEncryption": true
    }
}

Limitations

The following limitations apply to the encryption of selected volumes:

• Performance impact of up to a single digit
• Can't be used with sandboxes

Related content

• Enable disk encryption for your cluster
• Check cluster health