Bring your own key from a hardware security module

This topic explains how you can use your own Azure Key Vault hardware security module (HSM) key for at-rest encryption on GKE on Azure.

Before you begin

To perform these steps, you should be familiar with the Security architecture of GKE on Azure.

To perform these steps, you must have the following:

Bring your own key

To bring your own key, perform the following steps:

  1. Save your Azure Key Vault key ID into an environment variable.

    export KEY_VAULT_ID="$(az keyvault show --name "${KEY_VAULT_NAME}" \
        --resource-group "${RESOURCE_GROUP}" --query id -o tsv)"
    export KEY_VAULT_KEY_ID="${KEY_VAULT_ID}/keys/${KEY_NAME}"

  2. Pass the key ID in the --config-encryption-key-id parameter when you Create a cluster.

    gcloud container azure clusters create CLUSTER_NAME \
        --config-encryption-key-id "${KEY_VAULT_KEY_ID}" \
        ...

  3. Continue with the steps in Create a cluster.
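The following shell script is an added example, not part of the GKE on Azure documentation, that sanity-checks the key ID built in steps 1 and 2 before it is handed to gcloud: it confirms the ID has the ARM resource-ID shape the steps produce and that the key type reported by Azure is HSM-protected. The functions run offline; the commented-out lines that call the live az CLI assume an authenticated session and the key.kty field of `az keyvault key show` output.

```shell
#!/bin/sh
# Added example (not from the GKE on Azure docs). Validates the Key Vault key ID
# before it is passed to `gcloud container azure clusters create`.
# Assumed layout of the ID, matching step 1 above:
#   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>/keys/<key>
set -eu

# Build the key ID from the vault resource ID and the key name, as in step 1.
build_key_id() {
  vault_id="${1%/}"   # tolerate a trailing slash on the vault ID
  key_name="$2"
  printf '%s/keys/%s\n' "$vault_id" "$key_name"
}

# Return 0 if the ID has the expected ARM resource-ID shape, 1 otherwise.
# Rejects the common mistakes: a data-plane URL (https://<vault>.vault.azure.net/keys/...),
# a missing key name, or a vault ID that was never resolved (empty variable).
check_key_id() {
  printf '%s' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+/keys/[^/]+$'
}

# Return 0 when a Key Vault key type (the `kty` field) is HSM-protected,
# i.e. RSA-HSM or EC-HSM, which is what "bring your own HSM key" requires.
is_hsm_key_type() {
  case "$1" in
    *-HSM) return 0 ;;
    *)     return 1 ;;
  esac
}

# Live usage (assumed az CLI calls; uncomment after `az login`):
# KEY_VAULT_ID="$(az keyvault show --name "$KEY_VAULT_NAME" --resource-group "$RESOURCE_GROUP" --query id -o tsv)"
# KEY_VAULT_KEY_ID="$(build_key_id "$KEY_VAULT_ID" "$KEY_NAME")"
# check_key_id "$KEY_VAULT_KEY_ID" || { echo "unexpected key ID: $KEY_VAULT_KEY_ID" >&2; exit 1; }
# KTY="$(az keyvault key show --vault-name "$KEY_VAULT_NAME" --name "$KEY_NAME" --query key.kty -o tsv)"
# is_hsm_key_type "$KTY" || { echo "key $KEY_NAME is not HSM-protected (kty=$KTY)" >&2; exit 1; }
```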

What's next

See About keys in the Azure documentation.