QnA Maker encryption of data at rest
QnA Maker automatically encrypts your data when it is persisted to the cloud, helping to meet your organizational security and compliance goals.
Note
The QnA Maker service is being retired on the 31st of March, 2025. A newer version of the question and answering capability is now available as part of Azure AI Language. For question answering capabilities within the Language Service, see question answering. Starting 1st October, 2022 you won’t be able to create new QnA Maker resources. For information on migrating existing QnA Maker knowledge bases to question answering, consult the migration guide.
About encryption key management
By default, your subscription uses Microsoft-managed encryption keys. There is also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offers greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. If CMK is configured for your subscription, double encryption is provided, which offers a second layer of protection, while allowing you to control the encryption key through your Azure Key Vault.
QnA Maker uses CMK support from Azure search. Configure CMK in Azure Search using Azure Key Vault. This Azure instance should be associated with QnA Maker service to make it CMK enabled.
Important
Your Azure Search service resource must have been created after January 2019 and cannot be in the free (shared) tier. There is no support to configure customer-managed keys in the Azure portal.
Enable customer-managed keys
The QnA Maker service uses CMK from the Azure Search service. Follow these steps to enable CMKs:
Create a new Azure Search instance and enable the prerequisites mentioned in the customer-managed key prerequisites for Azure AI Search.
When you create a QnA Maker resource, it's automatically associated with an Azure Search instance. This instance cannot be used with CMK. To use CMK, you'll need to associate your newly created instance of Azure Search that was created in step 1. Specifically, you'll need to update the
AzureSearchAdminKeyandAzureSearchNamein your QnA Maker resource.
Next, create a new application setting:
- Name: Set to
CustomerManagedEncryptionKeyUrl - Value: Use the value that you got in Step 1 when creating your Azure Search instance.
- Name: Set to
When finished, restart the runtime. Now your QnA Maker service is CMK-enabled.
Regional availability
Customer-managed keys are available in all Azure Search regions.
Encryption of data in transit
QnA Maker portal runs in the user's browser. Every action triggers a direct call to the respective Azure AI services API. Hence, QnA Maker is compliant for data in transit. However, as the QnA Maker portal service is hosted in West-US, it is still not ideal for non-US customers.