# Customer Managed Encryption Keys with Azure Key Management Service

To use Customer Managed Encryption Keys (CMEK) with Azure Key Management Service (KMS) in SingleStore, follow these steps:

1. **Create a Customer-Managed Key**

   * Navigate to the Azure portal and go to the **Key Vault** section.
   * Create a new key vault if you do not have one already.
   * Within the key vault, create a new key.
   * Specify the key's details, including key type, algorithm, and key size.
   * Assign appropriate labels to the key for easy identification.
   * Define the key’s administrative permissions. Assign a user or role that will manage the lifecycle of this key, typically an administrative role within your Azure account.

2. **Give Permission to SingleStore Azure Account**

   * Grant the SingleStore Azure account permission to use the customer-managed keys. This lets the SingleStore Azure account use the key and key vault through the multi-tenant application, via the user-assigned managed identity.

3. **Configure Cross-Tenant Application**

   * Create and configure the cross-tenant application with federated credentials using the user-assigned managed identity.
   * Authenticate the application in the customer account.
   * Provide the necessary permissions to the application for the key vault.

4. **Set Up in Storage Account**

   * Configure the storage account to use the URL of the key with the application, and set the user-assigned managed identity.
   * Ensure encryption configuration is applied to the storage account.

5. **Set Up in Volume**

   * Create a disk encryption set with the user-assigned managed identity within the Azure Kubernetes Service (AKS) resource group.
   * Reference the disk encryption set in the relevant storage class parameter.

6. **Automate Configuration**

   * Use the `cloudstorage` package to perform Azure-related actions. The application `managed-buckets-azure` performs most of these actions.
   * Automate encryption for storage accounts and volumes when creating workspace groups.

Here are some specifics for the Azure configuration and setup:

* You need to have a user-assigned managed identity in the resource group.
* The key vault must be in the same region as the disk encryption set.
* Grant roles such as **Managed Identity Contributor** and **Managed Identity Operator** to ensure appropriate permissions.

Ensure that you follow proper validation methods and handle errors related to permissions and region conflicts. Regularly review access logs and permissions to maintain security and compliance.
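As an added pre-flight check (example code, not part of the SingleStore documentation or its `cloudstorage` package), the script below validates the two constraints above, same region for key vault and disk encryption set and the required roles on the user-assigned managed identity, over records shaped like the JSON that `az keyvault show`, `az disk-encryption-set show` and `az role assignment list` return. The sample records, vault name and principal ID are constructed; the required-role set is the one this page names.

```python
from urllib.parse import urlparse

# Roles this page says the user-assigned managed identity needs.
REQUIRED_ROLES = {"Managed Identity Contributor", "Managed Identity Operator"}


def parse_key_url(url):
    """Split a Key Vault key URL into (vault host, key name, version or None).

    Key URLs have the form https://<vault>.vault.azure.net/keys/<name>[/<version>].
    """
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or len(parts) < 2 or parts[0] != "keys":
        raise ValueError(f"not a Key Vault key URL: {url}")
    return u.hostname, parts[1], parts[2] if len(parts) > 2 else None


def check_cmek(vault, des, assignments, principal_id):
    """Return a list of problems; an empty list means the setup passes."""
    problems = []
    # Region conflict: the key vault must be in the same region as the disk encryption set.
    if vault["location"] != des["location"]:
        problems.append(f"region mismatch: key vault in {vault['location']}, "
                        f"disk encryption set in {des['location']}")
    # The disk encryption set must point at a key inside that vault.
    host, _key_name, _version = parse_key_url(des["activeKey"]["keyUrl"])
    if host != urlparse(vault["properties"]["vaultUri"]).hostname:
        problems.append("disk encryption set references a key in a different key vault")
    # Permission check: every required role must be assigned to the managed identity.
    granted = {a["roleDefinitionName"] for a in assignments if a["principalId"] == principal_id}
    missing = REQUIRED_ROLES - granted
    if missing:
        problems.append("managed identity lacks roles: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample records (shaped like Azure CLI output; values are not real).
PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"
VAULT = {"location": "eastus", "properties": {"vaultUri": "https://kv-example.vault.azure.net/"}}
DES = {"location": "eastus",
       "activeKey": {"keyUrl": "https://kv-example.vault.azure.net/keys/cmek-key/abc123"}}
ASSIGNMENTS = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Managed Identity Contributor"},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Managed Identity Operator"},
    {"principalId": "some-other-principal", "roleDefinitionName": "Owner"},
]

if __name__ == "__main__":
    for p in check_cmek(VAULT, DES, ASSIGNMENTS, PRINCIPAL_ID) or ["ok"]:
        print(p)
```

Feed it the real `az` output (for example `az disk-encryption-set show -o json`) before enabling encryption, and treat any returned problem as a blocker.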

***

Modified at: May 11, 2026

Source: [/cloud/security/encryption/customer-managed-encryption-keys/customer-managed-encryption-keys-with-azure-key-management-service/](https://docs.singlestore.com/cloud/security/encryption/customer-managed-encryption-keys/customer-managed-encryption-keys-with-azure-key-management-service/)

