Bring your own key (customer-managed keys) (2024)


Bring Your Own Key (BYOK) is an Azure-wide initiative to help customers move their workloads to the cloud. Customer-managed keys allow customers to adhere to industry compliance regulations and improve the tenant isolation of a service. Giving customers control of encryption keys is a way to minimize unnecessary access and control and to build confidence in Microsoft services.

Keys and key management

You can use your own key with Media Services when you use the Media Services 2020-05-01 or later API. A default account key is created for every account and is encrypted by a system key owned by Media Services. When you use your own key, the account key is encrypted with your key. Content keys are encrypted by the account key. JobInputHttp URLs and symmetric token validation keys are also encrypted.


Media Services uses the Managed Identity of the Media Services account to read your key from a Key Vault owned by you. Media Services requires that the Key Vault is in the same region as the account, and that it has soft-delete and purge protection enabled.

Your key can be a 2048-, 3072-, or 4096-bit RSA key, and both HSM and software keys are supported.

Note

EC keys are not supported.

You can specify a key name and key version, or just a key name. When you use only a key name, Media Services will use the latest key version. New versions of customer keys are automatically detected, and the account key is re-encrypted.
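The Key Vault and key requirements above can be checked before a key is attached to an account. The following is an added example, not code from the original article or from Media Services: it assumes the vault and key are supplied as dictionaries shaped like the JSON printed by `az keyvault show` and `az keyvault key show`, and the function names and sample data are constructed for illustration.

```python
import base64

ALLOWED_KTY = {"RSA", "RSA-HSM"}      # software and HSM RSA keys; EC is rejected
ALLOWED_BITS = {2048, 3072, 4096}

def _norm_region(name):
    # "East US" and "eastus" name the same region
    return name.replace(" ", "").lower()

def rsa_bits(n_b64):
    """Bit length of an RSA modulus given as base64 or base64url text."""
    s = n_b64.replace("-", "+").replace("_", "/")
    raw = base64.b64decode(s + "=" * (-len(s) % 4))
    return int.from_bytes(raw, "big").bit_length()

def byok_preflight(account_location, vault, key):
    """Return a list of findings; an empty list means the prerequisites hold."""
    findings = []
    props = vault.get("properties", {})
    if _norm_region(vault.get("location", "")) != _norm_region(account_location):
        findings.append("vault region differs from account region")
    if props.get("enableSoftDelete") is not True:
        findings.append("soft-delete not enabled")
    if props.get("enablePurgeProtection") is not True:   # null when never enabled
        findings.append("purge protection not enabled")
    jwk = key.get("key", {})
    kty = jwk.get("kty")
    if kty not in ALLOWED_KTY:
        findings.append(f"unsupported key type: {kty}")
    elif rsa_bits(jwk.get("n", "")) not in ALLOWED_BITS:
        findings.append(f"unsupported RSA size: {rsa_bits(jwk.get('n', ''))}")
    return findings

# Constructed sample data (not a real vault or key): a byte string of the
# right length with the top bit set stands in for an RSA modulus.
def _fake_modulus(bits):
    raw = b"\xc3" + b"\x01" * (bits // 8 - 1)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

GOOD_VAULT = {"location": "eastus",
              "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}}
BAD_VAULT = {"location": "westeurope",
             "properties": {"enableSoftDelete": True, "enablePurgeProtection": None}}
RSA_3072 = {"key": {"kty": "RSA-HSM", "n": _fake_modulus(3072)}}
RSA_1024 = {"key": {"kty": "RSA", "n": _fake_modulus(1024)}}
EC_KEY = {"key": {"kty": "EC", "crv": "P-256"}}

if __name__ == "__main__":
    for v, k in [(GOOD_VAULT, RSA_3072), (BAD_VAULT, EC_KEY), (GOOD_VAULT, RSA_1024)]:
        print(byok_preflight("East US", v, k) or "OK")
```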

Warning

Media Services monitors access to the customer key. If the customer key becomes inaccessible (for example, the key has been deleted or the Key Vault has been deleted or the access grant has been removed), Media Services will transition the account to the Customer Key Inaccessible State (effectively disabling the account). However, the account can be deleted in this state. The only supported operations are account GET, LIST and DELETE; all other requests (encoding, streaming, and so on) will fail until access to the account key is restored.

Double encryption

Media Services automatically supports double encryption. For data at rest, the first layer of encryption uses a customer-managed key or a Microsoft-managed key, depending on the AccountEncryption setting on the account. The second layer of encryption for data at rest is provided automatically using a separate Microsoft-managed key. To learn more about double encryption, see Azure double encryption.

Note

Double encryption is enabled automatically on the Media Services account. However, you need to configure the customer-managed key and double encryption on your storage account separately. To learn more, see Storage encryption.

Article information

Author: Laurine Ryan
