-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Azure resources should support customer-managed key for encryption at rest #4002
Comments
We have a couple of options where to host the keys.
I tend to lean towards option 3 because it opens up options for customers that are using Managed HSM? The is the Landing Zone Guidance, it implies a KeyVault per application. |
I think we need to allow for managed HSM. Could the KeyVault ID be configurable, defaulting to one in the management RG? |
Agreed, this would also lean us towards option 3. Only downside is that I am not sure terraform for Managed HSM keys and Key Vault Keys are the same, need to investigate. |
I have not had a requirement to support HSM, so perhaps that might not need to considered until someone needs it? There will need to be keys in the core for core VMs and storage, etc. For the workspaces, the keys should be in the workspace. I am not sure if there's a need for a new Key Vault. CMK isn't a new application/workload. The workload, IMO, is the workspace. |
We have a customer that needs this with managed HSM. :) |
Description
As a TRE Administrator
I want to deploy TRE in a manner compliant with common regulatory frameworks, like NIST SP 800-171 R2 and Microsoft's built-in compliance initiatives for those frameworks
So that research takes place in a compliant environment
Acceptance criteria
enable_cmk_encryption
option to the CI #4148The text was updated successfully, but these errors were encountered: