Best practices for using customer-managed keys for the DICOM service
Customer-managed keys (CMK) are encryption keys that you create and manage in your own key store. By using CMK, you can have more flexibility and control over the encryption and access of your organization’s data. You use Azure Key Vault to create and manage CMK and then use the keys to encrypt the data stored by the DICOM® service.
Rotate keys often
Follow security best practices and rotate keys often. Keys used with the DICOM service must be rotated manually. To rotate a key, update the version of the existing key or set a new encryption key from a different storage location. Always make sure to keep existing keys enabled when adding new keys because they're still needed to access the data that was encrypted with them.
Update the DICOM service after changing a managed identity
If you change the managed identity in any way, such as moving your DICOM service to a different tenant or subscription, the DICOM service isn't able to access your keys until you update the service manually with an ARM template deployment. For steps, see Use an ARM template to update the encryption key.
Locate the key vault in the same tenant
The key vault must be located in the same Azure tenant as your DICOM service.
Disable public access with a firewall
When using a key vault with a firewall to disable public access, the option to Allow trusted Microsoft services to bypass this firewall must be enabled.
Next steps
Configure customer-managed keys for the DICOM service
Note
DICOM® is the registered trademark of the National Electrical Manufacturers Association for its Standards publications relating to digital communications of medical information.