Sign inTry Free

Customer Managed Encryption Keys with Azure Key Management Service

To use Customer Managed Encryption Keys (CMEK) with Azure Key Management Service (KMS) in SingleStore, follow these steps:

  1. Create a Customer-Managed Key

    • Navigate to the Azure portal and go to the Key Vault section.

    • Create a new key vault if you do not have one already.

    • Within the key vault, create a new key.

    • Specify the key's details, including key type, algorithm, and key size.

    • Assign appropriate labels to the key for easy identification.

    • Define the key’s administrative permissions. Assign a user or role that will manage the lifecycle of this key, typically an administrative role within your Azure account.

  2. Give Permission to SingleStore Azure Account

    • Grant the SingleStore Azure account permission to use the customer-managed keys. This enables the SingleStore Azure accounts to use the key/key vault through the multi-tenant application using the user-assigned managed identity.

  3. Configure Cross-Tenant Application

    • Create and configure the cross-tenant application with federated credentials using the user-assigned managed identity.

    • Authenticate the application in the customer account.

    • Provide the necessary permissions to the application for the key vault.

  4. Set Up in Storage Account

    • Configure the storage account to use the URL of the key with the application, and set the user-assigned managed identity.

    • Ensure encryption configuration is applied to the storage account.

  5. Set Up in Volume

    • Create a disk encryption set with the user-assigned managed identity within the Azure Kubernetes Service (AKS) resource group.

    • Configure the disk encryption set to the relevant storage class parameter.

  6. Automate Configuration

    • Utilize the cloudstorage package to perform actions related to Azure. All actions will primarily be performed by the application managed-buckets-azure.

    • Automate the encryption for storage accounts and volumes when creating workspace groups

Here are some specifics for the Azure configuration and setup:

  • You need to have a user-assigned managed identity in the resource group.

  • The key vault must be in the same region as the disk encryption set.

  • Grant roles such as Managed Identity Contributor and Managed Identity Operator to ensure appropriate permissions.

Ensure that you follow proper validation methods and handle errors related to permissions and region conflicts. Regularly review access logs and permissions to maintain security and compliance.

Last modified: April 14, 2025

Was this article helpful?

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK