This documentation is for the most recent version of GKE on Azure, released in November 2021. See the Release notes for more information.

Bring your own key from a hardware security module

This topic explains how you can use your own Azure Key Vault hardware security module (HSM) key for at-rest encryption on GKE on Azure.

Before you begin

To perform these steps, you should be familiar with the Security architecture of GKE on Azure.

To perform these steps, you must have the following:

An Azure-supported HSM
An Azure Key Vault with the Azure role-based access control permission model.
An HSM-protected key imported into Azure Key Vault
Your GKE on Azure service principal with permissions to manage the Azure Key Vault authorization and encrypt data with the provided key.

The easiest way to grant these permissions is to assign the Key Vault Crypto Officer and User Access Administrator Azure built-in roles to the service principal.

Bring your own key

To bring your own key, perform the following steps:

Save your Azure Key Vault key ID into an environment variable.

export KEY_VAULT_ID="$(az keyvault show --name ${KEY_VAULT_NAME} \
    --resource-group ${RESOURCE_GROUP} --query id -otsv)"
export KEY_VAULT_KEY_ID="${KEY_VAULT_ID}/keys/${KEY_NAME}"

Pass the key's IDs in the --config-encryption-key-id parameter when you Create a cluster.

gcloud container azure clusters create CLUSTER_NAME \
    --config-encryption-key-id  ${KEY_VAULT_KEY_ID} \
    ...

Continue with the steps in Create a cluster.

What's next

See About keys in the Azure documentation.