Bring your own key from a hardware security module
This topic explains how you can use your own Azure Key Vault hardware security module (HSM) key for at-rest encryption on GKE on Azure.
Before you begin
To perform these steps, you should be familiar with the Security architecture of GKE on Azure.
To perform these steps, you must have the following:
An Azure Key Vault with the Azure role-based access control permission model.
Your GKE on Azure service principal with permissions to manage the Azure Key Vault authorization and encrypt data with the provided key.
The easiest way to grant these permissions is to assign the Key Vault Crypto Officer and User Access Administrator Azure built-in roles to the service principal.
Bring your own key
To bring your own key, perform the following steps:
Save your Azure Key Vault ID and the ID of your key into environment variables:

    export KEY_VAULT_ID="$(az keyvault show --name ${KEY_VAULT_NAME} \
      --resource-group ${RESOURCE_GROUP} --query id -otsv)"
    export KEY_VAULT_KEY_ID="${KEY_VAULT_ID}/keys/${KEY_NAME}"
Pass the key's ID in the --config-encryption-key-id parameter when you Create a cluster:

    gcloud container azure clusters create CLUSTER_NAME \
      --config-encryption-key-id ${KEY_VAULT_KEY_ID} \
      ...
Continue with the steps in Create a cluster.
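As an added pre-flight check that is not part of the original page or of the gcloud tooling: a POSIX shell snippet that validates the Key Vault resource ID and key name and assembles the --config-encryption-key-id value, so that a malformed ID is rejected before gcloud is run. The subscription GUID, resource group and names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation). Validates the inputs
# that feed --config-encryption-key-id before any cluster is created.

# Check that a Key Vault resource ID has the ARM shape that
# `az keyvault show --query id -otsv` returns. Returns 0 if well-formed.
valid_key_vault_id() {
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$'
}

# Key Vault object names are 1-127 characters of [A-Za-z0-9-].
valid_key_name() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]{1,127}$'
}

# Assemble "<vault id>/keys/<key name>"; fail loudly on a bad vault ID or name
# instead of handing a broken value to gcloud.
build_key_id() {
  vault_id="$1"
  key_name="$2"
  valid_key_vault_id "$vault_id" || {
    echo "malformed Key Vault ID: $vault_id" >&2
    return 1
  }
  valid_key_name "$key_name" || {
    echo "invalid key name: $key_name" >&2
    return 1
  }
  printf '%s/keys/%s\n' "$vault_id" "$key_name"
}

# Constructed sample values (placeholder subscription GUID and names).
SAMPLE_VAULT_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-kv"
SAMPLE_KEY_NAME="gke-config-key"

# Usage: the echoed value is what goes into --config-encryption-key-id.
build_key_id "$SAMPLE_VAULT_ID" "$SAMPLE_KEY_NAME"
```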
What's next
See About keys in the Azure documentation.