Find encrypted objects and information
In Azure AI Search, customer-managed encryption keys are created, stored, and managed in Azure Key Vault. If you need to determine whether an object is encrypted, or what key name or version is used in Azure Key Vault, use the REST API or an Azure SDK to retrieve the encryptionKey property from the object definition in your search service.
Objects that aren't encrypted with a customer-managed key have an empty encryptionKey property. Otherwise, you might see a definition similar to the following example.
"encryptionKey":{
"keyVaultUri":"https://demokeyvault.vault.azure.net",
"keyVaultKeyName":"myEncryptionKey",
"keyVaultKeyVersion":"eaab6a663d59439ebb95ce2fe7d5f660",
"accessCredentials":{
"applicationId":"00001111-aaaa-2222-bbbb-3333cccc4444",
"applicationSecret":"myApplicationSecret"
}
}
The encryptionKey construct is the same for all encrypted objects. It's a first-level property, on the same level as the object name and description.
Permissions for retrieving object definitions
You must have Search Service Contributor or equivalent permissions. To use key-based authentication instead, provide an admin API key. Admin permissions are required on requests that return object definitions and metadata. The easiest way to get the admin API key is through the portal.
Sign in to the Azure portal and open the search service overview page.
On the left side, select Keys and copy an admin API.
For the remaining steps, switch to PowerShell and the REST API. The portal doesn't show encryption key information for any object.
Retrieve object properties
Use PowerShell and REST to run the following commands to set up the variables and get object definitions.
Alternatively, you can also use the Azure SDK for .NET, Python, JavaScript, and Java.
First, connect to your Azure account.
Connect-AzAccount
If you have more than one active subscription in your tenant, specify the subscription containing your search service:
Set-AzContext -Subscription <your-subscription-ID>
Set up the headers used on each request in the current session. Provide the admin API key used for search service authentication.
$headers = @{
'api-key' = '<YOUR-ADMIN-API-KEY>'
'Content-Type' = 'application/json'
'Accept' = 'application/json' }
To return a list of all search indexes, set the endpoint to the indexes collection.
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.windows.net/indexes?api-version=2024-07-01&$select=name'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json
To return a specific index definition, provide its name in the path. The encryptionKey property is at the end.
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.windows.net/indexes/<YOUR-INDEX-NAME>?api-version=2024-07-01'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json
To return synonym maps, set the endpoint to the synonyms collection and then send the request.
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.windows.net/synonyms?api-version=2024-07-01&$select=name'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json
The following example returns a specific synonym map definition, including the encryptionKey property is towards the end of the definition.
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.windows.net/synonyms/<YOUR-SYNONYM-MAP-NAME>?api-version=2024-07-01'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json
Use the same pattern to return the encryptionKey property for other top-level objects such as indexers, skillsets, data sources, and index aliases.
Next steps
We recommend that you enable logging on Azure Key Vault so that you can monitor key usage.
For more information about using Azure Key or configuring customer managed encryption: