Data encryption for Azure Database for PostgreSQL Single server by using the Azure portal
APPLIES TO: Azure Database for PostgreSQL - Single Server
Important
Azure Database for PostgreSQL - Single Server is on the retirement path. We strongly recommend that you upgrade to Azure Database for PostgreSQL - Flexible Server. For more information about migrating to Azure Database for PostgreSQL - Flexible Server, see What's happening to Azure Database for PostgreSQL Single Server?.
Learn how to use the Azure portal to set up and manage data encryption for your Azure Database for PostgreSQL Single server.
Prerequisites for Azure CLI
You must have an Azure subscription and be an administrator on that subscription.
In Azure Key Vault, create a key vault and key to use for a customer-managed key.
The key vault must have the following properties to use as a customer-managed key:
- Soft delete enabled. If it isn't already enabled on the vault, turn it on with:
  az resource update --id "$(az keyvault show --name <key_vault_name> --query id -o tsv)" --set properties.enableSoftDelete=true
- Purge protection enabled:
  az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enable-purge-protection true
The key must have the following attributes to use as a customer-managed key:
- No expiration date
- Not disabled
- Able to perform get, wrap key, and unwrap key operations
Set the right permissions for key operations
In Key Vault, select Access policies > Add Access Policy.
Select Key permissions, and select Get, Wrap, Unwrap, and the Principal, which is the name of the PostgreSQL server. If your server principal can't be found in the list of existing principals, you need to register it. You're prompted to register your server principal when you attempt to set up data encryption for the first time, and it fails.
Select Save.
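The vault properties, key attributes and key permissions listed above are easy to get partly wrong, and a mistake only surfaces when the data encryption setup or a later key revalidation fails. The following script is an added example (not part of the Microsoft article) that audits all of them with the Azure CLI before you touch the portal; it assumes the CLI is installed and signed in, and the vault name, key name and the object ID of the server's principal are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example; not part of the Microsoft article. Verifies that a Key Vault, a key, and the
# PostgreSQL server's principal satisfy the customer-managed-key prerequisites described above.
# Assumes the Azure CLI is installed and signed in; the vault, key and object ID are placeholders.

# Pure rule evaluation (no Azure calls), so it can be exercised offline.
# Args: soft_delete purge_protection key_enabled key_expires "key operations" "principal key permissions"
# Prints one line per failed rule; returns 0 only when every rule passes.
check_cmk_prereqs() {
  local soft="$1" purge="$2" enabled="$3" expires="$4" rc=0 ops perms
  # Operation and permission names are compared case-insensitively (ARM returns them as entered).
  ops=" $(printf '%s' "$5" | tr '[:upper:]' '[:lower:]') "
  perms=" $(printf '%s' "$6" | tr '[:upper:]' '[:lower:]') "
  [ "$soft" = "true" ]    || { echo "FAIL: soft delete is not enabled on the vault"; rc=1; }
  [ "$purge" = "true" ]   || { echo "FAIL: purge protection is not enabled on the vault"; rc=1; }
  [ "$enabled" = "true" ] || { echo "FAIL: key is disabled"; rc=1; }
  # The key must have no expiration date; 'az ... -o tsv' prints an empty field when expires is null.
  case "$expires" in ""|null|None) ;; *) echo "FAIL: key has an expiration date ($expires)"; rc=1 ;; esac
  for op in wrapkey unwrapkey; do
    case "$ops" in *" $op "*) ;; *) echo "FAIL: key cannot perform the $op operation"; rc=1 ;; esac
  done
  for perm in get wrapkey unwrapkey; do
    case "$perms" in *" $perm "*) ;; *) echo "FAIL: server principal lacks the $perm key permission"; rc=1 ;; esac
  done
  return "$rc"
}

# Reads the live values with the Azure CLI and feeds them to the checker.
# $1 = key vault name, $2 = key name, $3 = object ID of the PostgreSQL server's service principal
audit_cmk_prereqs() {
  local vault="$1" key="$2" oid="$3"
  check_cmk_prereqs \
    "$(az keyvault show --name "$vault" --query properties.enableSoftDelete -o tsv)" \
    "$(az keyvault show --name "$vault" --query properties.enablePurgeProtection -o tsv)" \
    "$(az keyvault key show --vault-name "$vault" --name "$key" --query attributes.enabled -o tsv)" \
    "$(az keyvault key show --vault-name "$vault" --name "$key" --query attributes.expires -o tsv)" \
    "$(az keyvault key show --vault-name "$vault" --name "$key" --query key.keyOps -o tsv | tr '\n\t' '  ')" \
    "$(az keyvault show --name "$vault" \
         --query "properties.accessPolicies[?objectId=='$oid'].permissions.keys | [0]" -o tsv | tr '\n\t' '  ')"
}

# Usage: ./check_cmk.sh <key_vault_name> <key_name> <server_principal_object_id>
if [ "$#" -eq 3 ]; then
  audit_cmk_prereqs "$1" "$2" "$3" && echo "OK: customer-managed-key prerequisites are satisfied"
fi
```

Run it again after a restore or replica operation, with the new server's object ID, to confirm the access policy was extended before you select Revalidate key.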
Set data encryption for Azure Database for PostgreSQL Single server
In Azure Database for PostgreSQL, select Data encryption to set up the customer-managed key. Select Yes.
You can either select a key vault and key pair, or enter a key identifier.
Select Save.
To ensure all files (including temp files) are fully encrypted, restart the server.
Use Data encryption for restore or replica servers
After an Azure Database for PostgreSQL Single server is encrypted with a customer-managed key stored in Key Vault, any newly created copy of the server is also encrypted. You can make this new copy either through a local or geo-restore operation, or through a replica (local/cross-region) operation. So for an encrypted PostgreSQL server, you can use the following steps to create an encrypted restored server.
On your server, select Overview > Restore.
Or for a replication-enabled server, under the Settings heading, select Replication.
After the restore operation is complete, the new server created is encrypted with the primary server's key. However, the features and options on the server are disabled, and the server is inaccessible. This prevents any data manipulation, because the new server's identity hasn't yet been given permission to access the key vault.
To make the server accessible, revalidate the key on the restored server. Select Data Encryption > Revalidate key.
Note
The first attempt to revalidate will fail, because the new server's service principal needs to be given access to the key vault. To generate the service principal, select Revalidate key; this shows an error but creates the service principal. Then follow the steps under Set the right permissions for key operations earlier in this article.
You must grant the new server's principal access to the key vault. For more information, see Enable Azure RBAC permissions on Key Vault.
After registering the service principal, revalidate the key again, and the server resumes its normal functionality.