This documentation is for the most recent version of Anthos clusters on Azure, released on November 3rd. See the Release notes for more information.

Bring your own key from a hardware security module

This topic explains how you can use your own Azure Key Vault hardware security module (HSM) key for at-rest encryption on Anthos clusters on Azure.

Before you begin

To perform these steps, you should be familiar with the Security architecture of Anthos clusters on Azure.

To perform these steps, you must have the following:

Bring your own key

To bring your own key, perform the following steps:

  1. Save your Azure Key Vault key ID into an environment variable. Note that az keyvault show --query id returns the vault's ARM resource ID (/subscriptions/.../providers/Microsoft.KeyVault/vaults/NAME), not the https://NAME.vault.azure.net/ URI, so the key ID you build here is an ARM resource ID as well.

    # ARM resource ID of the vault, e.g. /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>
    export KEY_VAULT_ID="$(az keyvault show --name ${KEY_VAULT_NAME} \
        --resource-group ${RESOURCE_GROUP} --query id -otsv)"
    # Append the key name to get the key's ARM resource ID (no key version is appended)
    export KEY_VAULT_KEY_ID="${KEY_VAULT_ID}/keys/${KEY_NAME}"
    
  2. Pass the key's ID in the --config-encryption-key-id parameter when you Create a cluster.

    gcloud container azure clusters create CLUSTER_NAME \
        --config-encryption-key-id ${KEY_VAULT_KEY_ID} \
        ...
    
  3. Continue with the steps in Create a cluster.
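The steps above are tied together in the following script. It is an added example, not code from the Anthos documentation or from Google, and it assumes that az and gcloud are installed and authenticated when the live part runs. The helper names (build_key_id, validate_key_id, is_hsm_key_type, check_key_is_hsm_backed) and the RUN_LIVE, SUBSCRIPTION_ID and CLUSTER_NAME variables are this example's own. It adds the check a practitioner would want before step 2: the ARM key ID has the same shape whether the key is software-protected (kty RSA) or HSM-protected (kty RSA-HSM, which requires a Premium-tier vault), so the steps on this page succeed either way. Reading the key's kty from az keyvault key show catches a key that is not actually HSM-backed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Builds the ARM resource ID of an
# Azure Key Vault key, checks its shape, confirms the key is HSM-protected, and
# only then hands it to `gcloud container azure clusters create`.
# Assumption: az and gcloud are installed and logged in when RUN_LIVE=1.

# Build the key's ARM resource ID from its parts. This is the form step 1 of the
# page produces (vault ARM ID + /keys/<name>), not the https://<vault>.vault.azure.net URI.
build_key_id() {
  local subscription="$1" resource_group="$2" vault="$3" key="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/keys/%s\n' \
    "$subscription" "$resource_group" "$vault" "$key"
}

# Return 0 if the ID is an unversioned Key Vault key ARM ID (exactly one path
# segment after /keys/, as step 1 builds it); 1 for a vault URI, a versioned ID,
# or anything else. `*` in a case pattern matches across slashes, so the
# versioned pattern must be tested first.
validate_key_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*/keys/*/*) return 1 ;;
    /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*/keys/*)   return 0 ;;
    *) return 1 ;;
  esac
}

# Key Vault reports the key type in the JSON Web Key "kty" field. The HSM-backed
# types carry an -HSM suffix; plain RSA/EC keys are software-protected.
is_hsm_key_type() {
  case "$1" in
    RSA-HSM|EC-HSM|oct-HSM) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check: read the key's kty from the vault and require an HSM-backed type.
check_key_is_hsm_backed() {
  local vault="$1" key="$2" kty
  kty="$(az keyvault key show --vault-name "$vault" --name "$key" --query key.kty -o tsv)" || return 1
  is_hsm_key_type "$kty"
}

# Live path (assumed environment variables): build, validate, verify, then create.
# Any further `gcloud container azure clusters create` flags are passed through in "$@".
if [ "${RUN_LIVE:-0}" = "1" ]; then
  KEY_VAULT_KEY_ID="$(build_key_id "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$KEY_VAULT_NAME" "$KEY_NAME")"
  validate_key_id "$KEY_VAULT_KEY_ID" \
    || { echo "unexpected key ID shape: $KEY_VAULT_KEY_ID" >&2; exit 1; }
  check_key_is_hsm_backed "$KEY_VAULT_NAME" "$KEY_NAME" \
    || { echo "key $KEY_NAME in vault $KEY_VAULT_NAME is not HSM-protected" >&2; exit 1; }
  gcloud container azure clusters create "$CLUSTER_NAME" \
    --config-encryption-key-id "$KEY_VAULT_KEY_ID" \
    "$@"
fi
```

Run it with RUN_LIVE=1 and the same environment variables the page uses (plus SUBSCRIPTION_ID and CLUSTER_NAME), appending the remaining cluster-creation flags from Create a cluster. With RUN_LIVE unset, only the offline helpers are defined, which is what makes the ID-shape and key-type checks testable without an Azure subscription.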

What's next

See About keys in the Azure documentation.