---
title: Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM
description: Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM
author: msmbaldwin
ms.author: mbaldwin
ms.date: 04/02/2026
ms.service: security
ms.subservice: security-fundamentals
ms.topic: article
---

# Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM

Customer-managed keys (CMK) are a key management control model in which you own and manage the key encryption key (KEK) in your own Azure Key Vault or Azure Managed HSM instance. Azure services use your KEK to wrap and unwrap their data encryption keys (DEKs) through envelope encryption, so the data itself is never encrypted directly under the KEK. For HSM-protected keys, use the Azure Key Vault Premium tier or Azure Managed HSM.

The following services support server-side encryption with customer-managed keys. For implementation details, see the service-specific documentation linked in each table, or the service's Microsoft Cloud Security Benchmark security baseline (control DP-5).

## AI and machine learning

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure AI Search | Yes | Yes | Configure customer-managed keys for data encryption in Azure AI Search |
| Foundry Tools | Yes | Yes | Customer-managed keys for encryption |
| Microsoft Foundry | Yes | | Encryption of data at rest in Foundry Tools |
| Content Safety in Foundry Control Plane | Yes | | Encryption of data at rest in Content Safety |
| Azure Document Intelligence in Foundry Tools | Yes | | Document Intelligence encryption of data at rest |
| Azure Language in Foundry Tools | Yes | | Language encryption of data at rest |
| Azure Bot Service | Yes | | Encryption of bot data in Azure Bot Service |
| Azure Health Bot | Yes | | Configure customer-managed keys (CMK) for Azure Health Bot |
| Azure Machine Learning | Yes | | Customer-managed keys for workspace encryption in Azure Machine Learning |
| Azure OpenAI | Yes | Yes | Azure OpenAI Service encryption of data at rest |
| Content Moderator | Yes | Yes | Content Moderator encryption of data at rest |
| Dataverse | Yes | Yes | Customer-managed keys in Dataverse |
| Dynamics 365 | Yes | Yes | Customer-managed keys for encryption |
| Azure AI Face | Yes | Yes | Face service encryption of data at rest |
| Personalizer | Yes | Yes | Encryption of data at rest in Personalizer |
| Power Platform | Yes | Yes | Customer-managed keys in Power Platform |
| Custom question answering | Yes | | Custom question answering encryption of data at rest |
| Azure Speech in Foundry Tools | Yes | Yes | Speech service encryption of data at rest |
| Azure Translator in Foundry Tools Text | Yes | Yes | Translator encryption of data at rest |

## Analytics

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Data Explorer | Yes | | Configure customer-managed keys (CMK) in Azure Data Explorer |
| Azure Data Factory | Yes | Yes | Encryption with customer-managed keys for Azure Data Factory |
| Azure Data Lake Store | Yes (RSA 2048-bit) | | |
| Azure Data Manager for Energy | Yes | Yes | Manage data security and encryption |
| Azure Databricks | Yes | Yes | Customer-managed keys for managed services |
| Azure HDInsight | Yes | | Azure HDInsight double encryption for data at rest |
| Azure Monitor Application Insights | Yes | | Customer-managed keys in Azure Monitor |
| Azure Monitor Log Analytics | Yes | Yes | Customer-managed keys in Azure Monitor |
| Azure Stream Analytics | Yes\* | Yes | Data protection in Azure Stream Analytics |
| Azure Synapse Analytics | Yes (RSA 3072-bit) | Yes | Configure encryption at rest with customer-managed keys |
| Microsoft Fabric | Yes | Yes | Customer-managed key (CMK) encryption and Microsoft Fabric |
| Power BI Embedded | Yes | | Using your own key for Power BI encryption (Preview) |

## Containers

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Kubernetes Service | Yes | Yes | Enable host encryption on your AKS cluster nodes |
| Azure Red Hat OpenShift | Yes | | Bring your own keys (BYOK) with Azure Red Hat OpenShift |
| Container Instances | Yes | | Encrypt data with a customer-managed key |
| Container Registry | Yes | | Encrypt container images with a customer-managed key |

## Compute

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| App Service | Yes\* | Yes | Configure customer-managed keys for App Service |
| Azure Functions | Yes\* | Yes | Configure customer-managed keys for Azure Functions |
| Azure HPC Cache | Yes | | Use customer-managed keys with HPC Cache |
| Azure Load Testing | Yes | | Configure customer-managed keys for Azure Load Testing |
| Azure Managed Applications | Yes\* | Yes | Azure managed applications overview |
| Azure portal | Yes\* | Yes | Security in the Azure portal |
| Azure VMware Solution | Yes | Yes | Configure customer-managed keys in Azure VMware Solution |
| Batch | Yes | | Use customer-managed keys with Batch accounts |
| SAP HANA | Yes | | |
| Site Recovery | Yes | | Enable replication with customer-managed keys |
| Virtual Machine Scale Set | Yes | Yes | Overview of managed disk encryption options |
| Virtual Machines | Yes | Yes | Overview of managed disk encryption options |

## Databases

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Cosmos DB | Yes | Yes | Configure customer-managed keys using Azure Key Vault, Configure customer-managed keys using Azure Key Vault Managed HSM |
| Azure Cosmos DB for MongoDB vCore | Yes | | Configure customer-managed keys for Azure Cosmos DB for MongoDB vCore |
| Azure Database for MySQL - Flexible Server | Yes | Yes | Data encryption with customer-managed keys in Azure Database for MySQL - Flexible Server |
| Azure Database for PostgreSQL - Flexible Server | Yes | Yes | Data encryption with customer-managed keys in Azure Database for PostgreSQL - Flexible Server |
| Azure Managed Instance for Apache Cassandra | Yes | | Configure customer-managed keys for encryption |
| Azure SQL Database | Yes (RSA 3072-bit) | Yes | Bring your own key (BYOK) support for Transparent Data Encryption (TDE) |
| Azure SQL Managed Instance | Yes (RSA 3072-bit) | Yes | Bring your own key (BYOK) support for Transparent Data Encryption (TDE) |
| SQL Server on Azure VM | Yes | | Configure Azure Key Vault integration for SQL Server on Azure VMs |
| SQL Server on Virtual Machines | Yes | | Transparent data encryption for SQL Server on Azure VM |
| SQL Server Stretch Database | Yes (RSA 3072-bit) | | |
| Table Storage | Yes | Yes | Customer-managed keys for Azure Storage encryption |

## Hybrid + multicloud

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Stack Edge | Yes | | Protect data at rest on Azure Stack Edge Pro R |

## Integration

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Fluid Relay | Yes | Yes | Customer-managed keys for Azure Fluid Relay |
| Azure Health Data Services | Yes | Yes | Configure customer-managed keys for Azure Health Data Services DICOM, Configure customer-managed keys for Azure Health Data Services FHIR |
| Event Hubs | Yes | Yes | Configure customer-managed keys for encryption |
| Logic Apps | Yes | | |
| Service Bus | Yes | Yes | Configure customer-managed keys for encryption |

## IoT services

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Device Update for IoT Hub | Yes | Yes | Data encryption for Device Update for IoT Hub |
| IoT Hub Device Provisioning | Yes | | |

## Management and governance

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| App Configuration | Yes | | Use customer-managed keys to encrypt data |
| Automation | Yes | | Encryption of automation assets |
| Azure Chaos Studio | Yes | | Configure customer-managed keys for Azure Chaos Studio |
| Azure Migrate | Yes | | Tutorial: Migrate VMware VMs to Azure |
| Azure Monitor | Yes | Yes | Customer-managed keys in Azure Monitor |

## Media

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Communication Services | Yes | | Data encryption in Azure Communication Services |
| Media Services | Yes | | Use your own encryption keys with Azure Media Services |

## Security

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Azure Information Protection | Yes | Yes | How are the Azure Rights Management cryptographic keys managed and secured? |
| Microsoft Defender for Cloud | Yes | Yes | Customer-managed keys in Azure Monitor |
| Microsoft Defender for IoT | Yes | | |
| Microsoft Sentinel | Yes | Yes | Encryption at rest in Microsoft Sentinel |

## Storage

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Archive Storage | Yes | Yes | Customer-managed keys for Azure Storage encryption |
| Azure Backup | Yes | Yes | Encrypt backup data using customer-managed keys |
| Azure Cache for Redis | Yes\*\* | Yes | Configure disk encryption for Azure Cache for Redis instances using customer managed keys |
| Azure Data Box | Yes | | Use a customer-managed key to secure your Data Box |
| Azure Elastic SAN | Yes | | Configure customer-managed keys for Azure Elastic SAN |
| Azure Import/Export | Yes | | Use customer-managed keys for Azure Import/Export service |
| Azure Managed Lustre | Yes | | Use customer-managed encryption keys with Azure Managed Lustre |
| Azure NetApp Files | Yes | Yes | Configure customer-managed keys for Azure NetApp Files volume encryption |
| Blob Storage | Yes | Yes | Customer-managed keys for Azure Storage encryption |
| Data Lake Storage Gen2 | Yes | Yes | Customer-managed keys for Azure Storage encryption |
| Disk Storage | Yes | Yes | Encryption at host for Windows and Linux VMs |
| File Storage | Yes | Yes | Customer-managed keys for Azure Storage encryption |
| File Sync | Yes | Yes | Customer-managed keys for Azure Storage encryption |
| Managed Disk Storage | Yes | Yes | Encryption at host for Windows and Linux VMs |
| Premium Blob Storage | Yes | Yes | Customer-managed keys for Azure Storage encryption |
| Queue Storage | Yes | Yes | Customer-managed keys for Azure Storage encryption |
| StorSimple | Yes | | Azure StorSimple security features |
| Ultra Disk Storage | Yes | Yes | Encryption at host for Windows and Linux VMs |

## Other

| Product, feature, or service | Key Vault | Managed HSM | Documentation |
|---|---|---|---|
| Universal Print | Yes | Yes | Data encryption in Universal Print |

## Caveats

\* This service supports storing data in your own Key Vault, storage account, or other data-persisting service that already supports server-side encryption with customer-managed keys; the CMK protection comes from that underlying store rather than from the service itself.

\*\* Any transient data stored temporarily on disk, such as page files or swap files, is encrypted with a Microsoft-managed key (all tiers) or with a customer-managed key (Enterprise and Enterprise Flash tiers only). For more information, see Configure disk encryption in Azure Cache for Redis.

## Related content