Hi, I am working on always encrypted feature of cosmos DB, however not able to find documentation on how I can create Data encryption key & create a container with encryption policy as always encryption does not have Bicep or ARM support.

@Kuldeep Ghildiyal You can create an Azure Cosmos dB with CMK using ARM, but I have not tested using bicep but should be possible. Whay are looking to do it using bicep? Always Encrypted is available for .NET SDK and Java SDK. Its available only for NoSQL API. Data stored in your Azure Cosmos DB account is automatically and seamlessly encrypted with keys managed by Microsoft ( service-managed keys ). Optionally, you can choose to add a second layer of encryption with keys you manage ( customer-managed keys or CMK). Please note that all the data stored in your Azure Cosmos DB account is encrypted with the customer-managed keys, except for the following metadata: <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fcosmos-db%2Fhow-to-setup-customer-managed-keys%3Ftabs%3Darm-template&data=05%7C01%7Couryba%40microsoft.com%7C66001e9f25474568d7ec08db29f6f5fe%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638149912934590786%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Es%2BtXjo%2BLQ0tzifS1MSp4APsZy5q9UAojN0EZn7zrVA%3D&reserved=0" rel="ugc nofollow">Configure customer-managed keys for your Azure Cosmos DB account with Azure Key Vault and this is only supported on new accounts, existing ones are in preview. We are not supporting Container CMK. You can instead use Always encrypted. Please let me know if you are looking for more details. Regards, Oury

Cosmos DB always encrypted Bicep Support

Accepted answer

Oury Ba-MSFT 16,076 Reputation points Microsoft Employee

2023-03-22T16:43:46.1433333+00:00

@Kuldeep Ghildiyal

You can create an Azure Cosmos dB with CMK using ARM, but I have not tested using bicep but should be possible. Whay are looking to do it using bicep?

Always Encrypted is available for .NET SDK and Java SDK. Its available only for NoSQL API.

Data stored in your Azure Cosmos DB account is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys). Optionally, you can choose to add a second layer of encryption with keys you manage (customer-managed keys or CMK).

Please note that all the data stored in your Azure Cosmos DB account is encrypted with the customer-managed keys, except for the following metadata: Configure customer-managed keys for your Azure Cosmos DB account with Azure Key Vault and this is only supported on new accounts, existing ones are in preview. We are not supporting Container CMK. You can instead use Always encrypted.

Please let me know if you are looking for more details.

Regards,

Oury
Please sign in to rate this answer.
Vincent Nyanga 26 Reputation points

2023-05-24T10:56:15.92+00:00

@Oury Ba-MSFT , I just want to confirm that I understood your answer. Are you saying we cannot create container encryption policies using IaC? I have containers that I provision using Terraform and I would like to have certain paths encrypted as per the documentation.

Oury Ba-MSFT 16,076 Reputation points Microsoft Employee

2023-05-30T20:37:38.38+00:00

The data encryption key used to encrypt the data for Always Encrypted is never available to the Cosmos DB service in the raw form (just like the data being protected via Always Encrypted).

Given this, ARM template / bicep cannot be used to create the client encryption key because it requires generation and encryption of the data encryption key on the client side before it is sent to the Cosmos DB Resource Provider, which our tooling such as Azure Powershell does (New-AzCosmosDbClientEncryptionKey (Az.CosmosDB) | Microsoft Docs).

The container with encryption policy can be created using ARM templates/bicep by specifying the clientEncryptionPolicy in the container definition as shown at Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers 2022-08-15-preview - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn.

Kristian Jaeger 0 Reputation points

2023-08-28T17:27:42.9233333+00:00

Hello, is this available in terraform yet? I see that a more recent release of bicep seems to be out of preview - https://learn.microsoft.com/en-us/azure/templates/microsoft.documentdb/2023-04-15/databaseaccounts/sqldatabases/containers?pivots=deployment-language-bicep . Thanks.

Oury Ba-MSFT 16,076 Reputation points Microsoft Employee

2023-08-29T18:09:42+00:00

Kristian Jaeger Thank you for reaching out.

Yes, it is supported.

Regards,

Oury

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Sign in to comment

Cosmos DB always encrypted Bicep Support

0 additional answers