Customer Managed Keys for Encryption at Rest
A new set of content on Azure Citadel covering Customer Managed Keys (CMK) for encryption at rest — the first phase in a series that will also cover confidential compute.
Overview
I am pleased to launch the new Customer Managed Keys area on Azure Citadel.
Controlling your encryption keys is one of the most tangible ways to demonstrate data sovereignty on Azure, and it is a topic that comes up repeatedly with partners working in regulated industries and the public sector.
This first release covers L2 encryption at rest — using your own keys in Azure Key Vault to protect stored data across common Azure services. If you are working with customers who have sovereignty requirements beyond simple data residency, this is for you.
What’s included
The content is structured as a series:
- Sovereignty scenarios - a quick primer on L1/L2/L3 levels and how they map to sovereign landing zone management groups
- Key management options - choosing between Azure Key Vault Standard, Premium, and Managed HSM
- L2: Encryption at rest with CMK - the integration pattern for Azure Storage, Managed Disks, VMs, and AKS
- Hands-on labs covering Azure Key Vault Premium, Storage, and Managed Disks
The integration pattern is consistent across most services: create a key in the vault, enable a managed identity on the resource, grant that identity get, wrap and unwrap permissions on the key (the Key Vault Crypto Service Encryption User role when the vault uses RBAC), and point the resource at the key URI. Azure services will only accept a CMK from a vault that has both soft delete and purge protection enabled, so set those on the vault before wiring anything to it.
Encrypting Azure Managed Disks is slightly different, as the Disk Encryption Set sits between the disks and the key as an abstraction layer: disks, VMs and AKS node pools reference the Disk Encryption Set rather than the vault directly, which has operational benefits at scale and simplifies key rotation.
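The pattern above, with the Disk Encryption Set variant, expressed as a single Bicep template. This is an added illustration, not code from the Azure Citadel labs: resource names are parameters or assumed values (`id-cmk`, `des-cmk`, `cmk-at-rest`), the API versions are ones known to support the properties used, and the role definition GUID is the built-in Key Vault Crypto Service Encryption User role.

```bicep
// Added example: Key Vault Premium + HSM-backed key + user-assigned identity,
// consumed by a Storage account (direct key reference) and a Disk Encryption Set.
// Names below are parameters or assumed defaults, not values from the labs.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param keyVaultName string
param storageAccountName string
param identityName string = 'id-cmk'
param diskEncryptionSetName string = 'des-cmk'

// Built-in role "Key Vault Crypto Service Encryption User": get, wrapKey, unwrapKey only.
var cryptoServiceEncryptionUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')

// 1. One user-assigned identity shared by the services that need to unwrap the key.
//    User-assigned (rather than system-assigned) lets everything deploy in a single pass.
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// 2. Key Vault Premium. CMK consumers refuse a vault without soft delete and
//    purge protection, so both are set explicitly rather than left to defaults.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'premium' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true
  }
}

// 3. HSM-backed key limited to wrap/unwrap: it only ever wraps the service's own
//    data-encryption keys and cannot be used to sign or encrypt data directly.
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'cmk-at-rest'
  properties: {
    kty: 'RSA-HSM'
    keySize: 3072
    keyOps: [ 'wrapKey', 'unwrapKey' ]
  }
}

// 4. Least-privilege grant scoped to this vault only.
resource grant 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, identity.id, cryptoServiceEncryptionUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: cryptoServiceEncryptionUserRoleId
    principalId: identity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// 5a. Storage: keyname without keyversion means the account follows the latest
//     key version automatically when the key is rotated.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${identity.id}': {} }
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    encryption: {
      keySource: 'Microsoft.Keyvault'
      identity: { userAssignedIdentity: identity.id }
      keyvaultproperties: {
        keyvaulturi: kv.properties.vaultUri
        keyname: cmk.name
      }
      services: {
        blob: { enabled: true, keyType: 'Account' }
        file: { enabled: true, keyType: 'Account' }
      }
    }
  }
  dependsOn: [ grant ]
}

// 5b. Managed Disks: the Disk Encryption Set holds the key reference once and
//     handles rotation; disks, VMs and AKS node pools reference des.id instead.
resource des 'Microsoft.Compute/diskEncryptionSets@2023-04-02' = {
  name: diskEncryptionSetName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${identity.id}': {} }
  }
  properties: {
    encryptionType: 'EncryptionAtRestWithCustomerKey'
    rotationToLatestKeyVersionEnabled: true
    activeKey: {
      sourceVault: { id: kv.id }
      keyUrl: cmk.properties.keyUri   // versionless URI, so rotation is automatic
    }
  }
  dependsOn: [ grant ]
}

output diskEncryptionSetId string = des.id
```

Two things worth checking after deployment: the role assignment must be visible before the storage account or Disk Encryption Set is created (hence the explicit `dependsOn`), and the identity should hold nothing beyond get/wrap/unwrap, so a compromised workload cannot export, delete or rotate the key. On a real Managed HSM the vault resource type, the key path and the role (assigned through the HSM's own local RBAC rather than Azure RBAC) all differ, which is the gap the labs call out.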
Why we use Key Vault Premium for these labs
Managed HSM would be the production-grade choice for dedicated HSM isolation, but it can become dangerously expensive: a minimum pool runs to thousands of USD per month.
💀 Deleted Managed HSMs are chargeable until permanently purged after the retention period.
- The current usage fee per HSM pool is $3.20 per hour. ($76.80 per day, or $2,336 per Azure month of 730 hours.)
- Soft delete is always on for a Managed HSM, and purge protection is required for customer managed key scenarios, so a deleted pool keeps billing until it is purged.
- A deleted Managed HSM would charge an additional $6,912 over the default retention period of 90 days.
- You may specify a shorter retention period at creation time, but the retention period is immutable once the pool exists.
- The minimum retention period is 7 days which equates to $537.60.
Key Vault Premium replicates the experience closely enough: same API, same Secure Key Release (SKR) flow, same CMK integration patterns across Azure services. Where a real Managed HSM deployment would differ (security domain, HSM-local RBAC, backup/recovery), we highlight it in each lab.
Key Vault Premium has no fixed charge itself; it bills purely for keys and their operations. HSM-backed keys are a little more expensive than software-protected ones, but in practice the cost of the lab exercises is small.
Note that Azure Key Vault Standard does not support Secure Key Release which is required for the Confidential Compute labs.
References
- Azure Key Vault pricing (Standard and Premium)
- How to choose the right Azure key management solution
What’s next
Future phases will extend the CMK series to cover L3 confidential compute, i.e., protecting data while it is in use, not just while it is stored. That will cover:
- Azure Confidential Computing with AMD SEV-SNP and Intel SGX
- Secure Key Release (SKR) for bridging CMK and trusted execution environments
- Platform-level and application-level confidential compute scenarios
If you have questions or feedback then raise them in the GitHub discussions for the site.