Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Azure resources should support customer-managed key for encryption at rest #4002

Open
5 of 8 tasks
SvenAelterman opened this issue Jun 23, 2024 · 5 comments
Open
5 of 8 tasks

Azure resources should support customer-managed key for encryption at rest #4002

SvenAelterman opened this issue Jun 23, 2024 · 5 comments
Assignees
@yuvalyaron
Labels
feature story Stories are the smallest unit of work to be done for a project.

Comments

@SvenAelterman
Copy link
Collaborator

SvenAelterman commented Jun 23, 2024
edited by yuvalyaron
Loading

Description

As a TRE Administrator
I want to deploy TRE in a manner compliant with common regulatory frameworks, like NIST SP 800-171 R2 and Microsoft's built-in compliance initiatives for those frameworks
So that research takes place in a compliant environment

Acceptance criteria
@SvenAelterman SvenAelterman added the story Stories are the smallest unit of work to be done for a project. label Jun 23, 2024
@fortunkam
Copy link

We have a couple of options where to host the keys.

  1. Use the KeyVault deployed as part of the Instance?
  2. Add a new KeyVault (plus managed identity for rotation) to the instance resource group dedicated for keys
  3. Add a new KeyVault (plus managed identity for rotation) to the management resource group dedicated for keys

I tend to lean towards option 3 because it opens up options for customers that are using Managed HSM?

The is the Landing Zone Guidance, it implies a KeyVault per application.

@marrobi
Copy link
Member

marrobi commented Sep 6, 2024

I think we need to allow for managed HSM. Could the KeyVault ID be configurable, defaulting to one in the management RG?

@fortunkam
Copy link

Agreed, this would also lean us towards option 3. Only downside is that I am not sure terraform for Managed HSM keys and Key Vault Keys are the same, need to investigate.

@SvenAelterman
Copy link
Collaborator Author

I have not had a requirement to support HSM, so perhaps that might not need to considered until someone needs it?

There will need to be keys in the core for core VMs and storage, etc. For the workspaces, the keys should be in the workspace.

I am not sure if there's a need for a new Key Vault. CMK isn't a new application/workload. The workload, IMO, is the workspace.

@marrobi
Copy link
Member

marrobi commented Sep 12, 2024

We have a customer that needs this with managed HSM. :)

@marrobi marrobi mentioned this issue Nov 13, 2024
Closed
2 tasks
@marrobi marrobi moved this to In Progress in Azure TRE - Engineering Nov 13, 2024
This was referenced Nov 19, 2024
Merged
Closed
@yuvalyaron yuvalyaron mentioned this issue Nov 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yuvalyaron yuvalyaron

Labels
feature story Stories are the smallest unit of work to be done for a project.
Projects
Azure TRE - Engineering
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fortunkam @marrobi @SvenAelterman @yuvalyaron