Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM

The following services support server-side encryption with customer managed keys in Azure Key Vault and Azure Managed HSM. For implementation details, see the service-specific documentation or the service's Microsoft Cloud Security Benchmark: security baseline (section DP-5).

AI and machine learning

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure AI Search	Yes	Yes	Configure customer-managed keys for data encryption in Azure AI Search
Azure AI services	Yes	Yes	Customer-managed keys for encryption
Azure AI Foundry	Yes		Encryption of data at rest in Azure AI services
Azure Bot Service	Yes		Encryption of bot data in Azure Bot Service
Azure Health Bot	Yes		Configure customer-managed keys (CMK) for Azure Health Bot
Azure Machine Learning	Yes		Customer-managed keys for workspace encryption in Azure Machine Learning
Azure OpenAI	Yes	Yes	Azure OpenAI Service encryption of data at rest
Content Moderator	Yes	Yes	Content Moderator encryption of data at rest
Dataverse	Yes	Yes	Customer-managed keys in Dataverse
Dynamics 365	Yes	Yes	Customer-managed keys for encryption
Face	Yes	Yes	Face service encryption of data at rest
Language Understanding	Yes	Yes	Customer-managed keys with Azure Key Vault
Personalizer	Yes	Yes	Encryption of data at rest in Personalizer
Power Platform	Yes	Yes	Customer-managed keys in Power Platform
QnA Maker	Yes	Yes	QnA Maker encryption of data at rest
Speech Services	Yes	Yes	Speech service encryption of data at rest
Translator Text	Yes	Yes	Translator encryption of data at rest

Analytics

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure Data Explorer	Yes		Configure customer-managed keys (CMK) in Azure Data Explorer
Azure Data Factory	Yes	Yes	Encryption with customer-managed keys for Azure Data Factory
Azure Data Lake Store	Yes (RSA 2048-bit)
Azure Data Manager for Energy	Yes		Manage data security and encryption
Azure Databricks	Yes	Yes	Customer-managed keys for managed services
Azure HDInsight	Yes		Azure HDInsight double encryption for data at rest
Azure Monitor Application Insights	Yes		Customer-managed keys in Azure Monitor
Azure Monitor Log Analytics	Yes	Yes	Customer-managed keys in Azure Monitor
Azure Stream Analytics	Yes*	Yes	Data protection in Azure Stream Analytics
Azure Synapse Analytics	Yes (RSA 3072-bit)	Yes	Configure encryption at rest with customer-managed keys
Microsoft Fabric	Yes		Customer-managed key (CMK) encryption and Microsoft Fabric
Power BI Embedded	Yes		Using your own key for Power BI encryption (Preview)

Containers

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure Kubernetes Service	Yes	Yes	Enable host encryption on your AKS cluster nodes
Azure Red Hat OpenShift	Yes		Bring your own keys (BYOK) with Azure Red Hat OpenShift
Container Instances	Yes		Encrypt data with a customer-managed key
Container Registry	Yes		Encrypt container images with a customer-managed key

Compute

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
App Service	Yes*	Yes	Configure customer-managed keys for App Service
Azure Functions	Yes*	Yes	Configure customer-managed keys for Azure Functions
Azure HPC Cache	Yes		Use customer-managed keys with HPC Cache
Azure Managed Applications	Yes*	Yes	Azure managed applications overview
Azure portal	Yes*	Yes	Security in the Azure portal
Azure VMware Solution	Yes	Yes	Configure customer-managed keys in Azure VMware Solution
Batch	Yes		Use customer-managed keys with Batch accounts
SAP HANA	Yes
Site Recovery	Yes		Enable replication with customer-managed keys
Virtual Machine Scale Set	Yes	Yes	Overview of managed disk encryption options
Virtual Machines	Yes	Yes	Overview of managed disk encryption options

Databases

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure Cosmos DB	Yes	Yes	Configure customer-managed keys using Azure Key Vault, Configure customer-managed keys using Azure Key Vault Managed HSM
Azure Database for MySQL - Flexible Server	Yes	Yes	Data encryption with customer-managed keys in Azure Database for MySQL - Flexible Server
Azure Database for MySQL - Single Server	Yes		Azure Database for MySQL data encryption with a customer-managed key
Azure Database for PostgreSQL - Flexible Server	Yes	Yes	Data encryption with customer-managed keys in Azure Database for PostgreSQL - Flexible Server
Azure Database for PostgreSQL - Single Server	Yes	Yes	Data encryption with customer-managed keys in Azure Database for PostgreSQL - Single Server
Azure Managed Instance for Apache Cassandra	Yes		Configure customer-managed keys for encryption
Azure SQL Database	Yes (RSA 3072-bit)	Yes	Bring your own key (BYOK) support for Transparent Data Encryption (TDE)
Azure SQL Managed Instance	Yes (RSA 3072-bit)	Yes	Bring your own key (BYOK) support for Transparent Data Encryption (TDE)
SQL Server on Azure VM	Yes		Configure Azure Key Vault integration for SQL Server on Azure VMs
SQL Server on Virtual Machines	Yes		Transparent data encryption for SQL Server on Azure VM
SQL Server Stretch Database	Yes (RSA 3072-bit)
Table Storage	Yes		Customer-managed keys for Azure Storage encryption

Hybrid + multicloud

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure Stack Edge	Yes		Protect data at rest on Azure Stack Edge Pro R

Integration

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure Fluid Relay	Yes	Yes	Customer-managed keys for Azure Fluid Relay
Azure Health Data Services	Yes		Configure customer-managed keys for Azure Health Data Services DICOM, Configure customer-managed keys for Azure Health Data Services FHIR
Event Hubs	Yes	Yes	Configure customer-managed keys for encryption
Logic Apps	Yes
Service Bus	Yes	Yes	Configure customer-managed keys for encryption

IoT services

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Device Update for IoT Hub	Yes	Yes	Data encryption for Device Update for IoT Hub
IoT Hub Device Provisioning	Yes

Management and governance

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
App Configuration	Yes		Use customer-managed keys to encrypt data
Automation	Yes		Encryption of automation assets
Azure Migrate	Yes		Tutorial: Migrate VMware VMs to Azure
Azure Monitor	Yes	Yes	Customer-managed keys in Azure Monitor

Media

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure Communication Services	Yes		Data encryption in Azure Communication Services
Media Services	Yes		Use your own encryption keys with Azure Media Services

Security

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Azure Information Protection	Yes		How are the Azure Rights Management cryptographic keys managed and secured?
Microsoft Defender for Cloud	Yes		Customer-managed keys in Azure Monitor
Microsoft Defender for IoT	Yes
Microsoft Sentinel	Yes	Yes	Encryption at rest in Microsoft Sentinel

Storage

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Archive Storage	Yes		Customer-managed keys for Azure Storage encryption
Azure Backup	Yes	Yes	Encrypt backup data using customer-managed keys
Azure Cache for Redis	Yes**	Yes	Configure disk encryption for Azure Cache for Redis instances using customer managed keys
Azure Data Box	Yes		Use a customer-managed key to secure your Data Box
Azure Managed Lustre	Yes		Use customer-managed encryption keys with Azure Managed Lustre
Azure NetApp Files	Yes	Yes	Configure customer-managed keys for Azure NetApp Files volume encryption
Blob Storage	Yes	Yes	Customer-managed keys for Azure Storage encryption
Data Lake Storage Gen2	Yes	Yes	Customer-managed keys for Azure Storage encryption
Disk Storage	Yes	Yes	Azure Disk Encryption for Windows and Linux VMs
File Storage	Yes	Yes	Customer-managed keys for Azure Storage encryption
File Sync	Yes	Yes	Customer-managed keys for Azure Storage encryption
Managed Disk Storage	Yes	Yes	Azure Disk Encryption for Windows and Linux VMs
Premium Blob Storage	Yes	Yes	Customer-managed keys for Azure Storage encryption
Queue Storage	Yes	Yes	Customer-managed keys for Azure Storage encryption
StorSimple	Yes		Azure StorSimple security features
Ultra Disk Storage	Yes	Yes	Azure Disk Encryption for Windows and Linux VMs

Other

Product, Feature, or Service	Key Vault	Managed HSM	Documentation
Universal Print	Yes		Data encryption in Universal Print

Caveats

* This service supports storing data in your own Key Vault, Storage Account, or other data persisting service that already supports Server-Side Encryption with Customer-Managed Key.

** Any transient data stored temporarily on disk such as pagefiles or swap files are encrypted with a Microsoft key (all tiers) or a customer-managed key (using the Enterprise and Enterprise Flash tiers). For more information, see Configure disk encryption in Azure Cache for Redis.

Related content

• Data encryption models in Microsoft Azure
• How encryption is used in Azure
• Double encryption