Share via

Azure SQL Managed Instance Customed Managed Instance

Vijay Kumar 2,061 Reputation points
2025-04-04T05:11:52.41+00:00

We are planning to change from Service-managed key to Customer-managed key for one of PROD critical Azure SQL Managed Instance.

So, My question is what is the risk here? I am aware that customer have to store and maintain the key in Keyvault.

Please let me know how to risk it is? and Prons and Cons.

And what if we lost the key my any chance?

Azure SQL Database

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Prasad Chaganti 775 Reputation points Microsoft External Staff Moderator
    2025-04-04T05:52:13.0433333+00:00

    Hi Vijay Kumar,
    Greetings!

    Switching from a Service-Managed Key to a Customer-Managed Key for encryption in an Azure SQL Managed Instance is a significant change, especially for a production-critical system. This involves using Azure Key Vault to store and manage your encryption keys under Transparent Data Encryption (TDE). While it offers greater control, it also introduces risks and operational considerations.

    Risks:

    • You are responsible for the lifecycle management of the key, including creation, rotation, and deletion.
    • If the key is lost or becomes inaccessible, your database will become inaccessible.
    • Managing keys requires additional operational effort and expertise.
    • If the Azure SQL Managed Instance loses access to the key in Azure Key Vault, the database will deny all connections and become inaccessible

    Pros:

    • You have full control over the encryption keys, which can enhance security and compliance.
    • Enables separation of duties in key and data management.
    • Helps meet regulatory and compliance requirements by using your own keys.
    • You can rotate keys as needed without waiting for Microsoft to do it

    Cons:

    • Managing keys adds complexity to your operations.
    • Requires setting up and maintaining Azure Key Vault.
    • If the key is lost or access to the key is revoked, the database will become inaccessible.
    • There may be additional costs associated with using Azure Key Vault

    What If You Lose the Key?

    • The database will start denying all connections and change its state to inaccessible.
    • For the first 30 minutes, if the key access issue is resolved, the database will autoheal and come back online.
    • After 30 minutes, the database will no longer autoheal. You will need to manually revalidate access to the key to bring the database back online.
    • If the key cannot be restored, the data will be permanently inaccessible

    Recommendations:

    • Regularly back up your keys and store them securely.
    • Set up monitoring and alerts for key access issues to address them promptly.
    • Maintain thorough documentation of your key management processes and procedures

    Switching to CMK gives you control and compliance benefits but shifts the burden of key management to you. The risk isn’t inherent in the technology—it’s in how well you manage it. With proper safeguards (soft delete, backups, monitoring), the risk is low to moderate. Without them, it’s high, especially if the key is lost.

    I would request you to refer the below mentioned links for more information
    https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql

    Hope this helps. Do let us know if you any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.