Custom question answering encryption of data at rest

Question answering automatically encrypts your data when it is persisted to the cloud, helping to meet your organizational security and compliance goals.

About encryption key management

By default, your subscription uses Microsoft-managed encryption keys. There is also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offers greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. If CMK is configured for your subscription, double encryption is provided, which offers a second layer of protection, while allowing you to control the encryption key through your Azure Key Vault.

Question answering uses CMK support from Azure search, and associates the provided CMK to encrypt the data stored in Azure search index. Please follow the steps listed in this article to configure Key Vault access for the Azure search service.

Important

Your Azure Search service resource must have been created after January 2019 and cannot be in the free (shared) tier. There is no support to configure customer-managed keys in the Azure portal.

Enable customer-managed keys

Follow these steps to enable CMKs:

  1. Go to the Encryption tab of your language resource with custom question answering enabled.
  2. Select the Customer Managed Keys option. Provide the details of your customer-managed keys and select Save.

Question Answering CMK

  1. On a successful save, the CMK will be used to encrypt the data stored in the Azure Search Index.

Important

It is recommended to set your CMK in a fresh Azure Cognitive Search service before any knowledge bases are created. If you set CMK in a language resource with existing knowledge bases, you might lose access to them. Read more about working with encrypted content in Azure Cognitive search.

Note

To request the ability to use customer-managed keys, fill out and submit the Cognitive Services Customer-Managed Key Request Form.

Regional availability

Customer-managed keys are available in all Azure Search regions.

Encryption of data in transit

Language Studio runs in the user's browser. Every action triggers a direct call to the respective Cognitive Service API. Hence, question answering is compliant for data in transit.

Next steps