Skip to content

Commit 89d1051

Browse files
cynthncynthn
committed
fixing weird diff
1 parent afba9fb commit 89d1051

2 files changed

Lines changed: 241 additions & 241 deletions

File tree

articles/confidential-computing/key-rotation-offline.md

Lines changed: 43 additions & 43 deletions
Original file line numberDiff line numberDiff line change
@@ -1,43 +1,43 @@
1-
---
2-
title: Rotate customer-managed keys for Azure confidential virtual machines
3-
description: Learn how to rotate customer-managed keys for confidential virtual machines (confidential VMs) in Azure.
4-
author: prasadmsft
5-
ms.author: reprasa
6-
ms.service: azure-confidential-computing
7-
ms.topic: how-to
8-
ms.date: 07/06/2022
9-
ms.custom: template-how-to
10-
# Customer intent: As a cloud security administrator, I want to rotate customer-managed keys for confidential virtual machines, so that I can maintain security best practices and ensure that compromised keys are replaced promptly.
11-
---
12-
13-
# Rotate customer-managed keys for confidential VMs
14-
15-
Confidential virtual machines (confidential VMs) in Azure supports customer-managed keys. Customer-managed keys help confidential VMs and associated artifacts work properly. You can manage these keys in Azure Key Vault or through a managed Hardware Security Module (managed HSM). This article focuses on managing the keys through a managed HSM, unless stated otherwise.
16-
17-
If you want to use a customer-managed key, you must supply a Disk Encryption Set resource when you create your confidential VM. The Disk Encryption Set must reference the customer-managed key. Typically, you might associate a single Disk Encryption Set with multiple confidential VMs.
18-
It's recommended that you periodically rotate a customer-managed key as a security best practice. The frequency of rotation is an organizational policy decision. Rotation is also necessary if a customer-managed key is compromised.
19-
20-
## Change customer-managed key
21-
22-
You can change the key that you're using for confidential VMs at any time. To rotate a customer-managed key:
23-
24-
1. Sign in to the [Azure portal](https://portal.azure.com).
25-
1. Go to the **Virtual Machines** service.
26-
1. Stop all confidential VMs with the same Disk Encryption Set. If one or more VMs isn't in the stopped state, then none of the VMs can receive the new key.
27-
1. Go to the **Disk Encryption Sets** service.
28-
1. Select the Disk Encryption Set resource that's associated with your confidential VM.
29-
1. On the resource's menu, under **Settings**, select **Key**.
30-
1. Select **Change key**.
31-
1. Select the appropriate key vault, key and version.
32-
1. Save your changes. The save operation updates the key for all confidential VM artifacts.
33-
34-
## Retry key rotation
35-
36-
In rare cases, the customer-managed key might not be rotated for all confidential VMs, even when all the VMs were stopped. If the customer-managed key isn't rotated, the Disk Encryption Set resource still contains a reference to the old key. In this state, some confidential VMs can have the new key and some can have the old key.
37-
38-
To resolve this issue, repeat the steps to [update the Disk Encryption Set](#change-customer-managed-key).
39-
40-
## Limitations
41-
42-
- Automatic key rotation isn't currently supported for confidential VMs.
43-
- Key rotation isn't supported for ephemeral disks. It's recommended to have a separate Disk Encryption Set for confidential VMs with an ephemeral disk. If confidential VMs with ephemeral and non-ephemeral disks share the same Disk Encryption Set, you must delete the confidential VMs with ephemeral disks before you rotate the keys for the confidential VMs with non-ephemeral disks.
1+
---
2+
title: Rotate customer-managed keys for Azure confidential virtual machines
3+
description: Learn how to rotate customer-managed keys for confidential virtual machines (confidential VMs) in Azure.
4+
author: prasadmsft
5+
ms.author: reprasa
6+
ms.service: azure-confidential-computing
7+
ms.topic: how-to
8+
ms.date: 07/06/2022
9+
ms.custom: template-how-to
10+
# Customer intent: As a cloud security administrator, I want to rotate customer-managed keys for confidential virtual machines, so that I can maintain security best practices and ensure that compromised keys are replaced promptly.
11+
---
12+
13+
# Rotate customer-managed keys for confidential VMs
14+
15+
Confidential virtual machines (confidential VMs) in Azure supports customer-managed keys. Customer-managed keys help confidential VMs and associated artifacts work properly. You can manage these keys in Azure Key Vault or through a managed Hardware Security Module (managed HSM). This article focuses on managing the keys through a managed HSM, unless stated otherwise.
16+
17+
If you want to use a customer-managed key, you must supply a Disk Encryption Set resource when you create your confidential VM. The Disk Encryption Set must reference the customer-managed key. Typically, you might associate a single Disk Encryption Set with multiple confidential VMs.
18+
It's recommended that you periodically rotate a customer-managed key as a security best practice. The frequency of rotation is an organizational policy decision. Rotation is also necessary if a customer-managed key is compromised.
19+
20+
## Change customer-managed key
21+
22+
You can change the key that you're using for confidential VMs at any time. To rotate a customer-managed key:
23+
24+
1. Sign in to the [Azure portal](https://portal.azure.com).
25+
1. Go to the **Virtual Machines** service.
26+
1. Stop all confidential VMs with the same Disk Encryption Set. If one or more VMs isn't in the stopped state, then none of the VMs can receive the new key.
27+
1. Go to the **Disk Encryption Sets** service.
28+
1. Select the Disk Encryption Set resource that's associated with your confidential VM.
29+
1. On the resource's menu, under **Settings**, select **Key**.
30+
1. Select **Change key**.
31+
1. Select the appropriate key vault, key and version.
32+
1. Save your changes. The save operation updates the key for all confidential VM artifacts.
33+
34+
## Retry key rotation
35+
36+
In rare cases, the customer-managed key might not be rotated for all confidential VMs, even when all the VMs were stopped. If the customer-managed key isn't rotated, the Disk Encryption Set resource still contains a reference to the old key. In this state, some confidential VMs can have the new key and some can have the old key.
37+
38+
To resolve this issue, repeat the steps to [update the Disk Encryption Set](#change-customer-managed-key).
39+
40+
## Limitations
41+
42+
- Automatic key rotation isn't currently supported for confidential VMs.
43+
- Key rotation isn't supported for ephemeral disks. It's recommended to have a separate Disk Encryption Set for confidential VMs with an ephemeral disk. If confidential VMs with ephemeral and non-ephemeral disks share the same Disk Encryption Set, you must delete the confidential VMs with ephemeral disks before you rotate the keys for the confidential VMs with non-ephemeral disks.

0 commit comments

Comments
 (0)