<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Customer Managed Keys on Azure Citadel</title>
    <link>https://www.azurecitadel.com/cmk/</link>
    <description>Recent content in Customer Managed Keys on Azure Citadel</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-gb</language>
    <atom:link href="https://www.azurecitadel.com/cmk/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Sovereignty scenarios</title>
      <link>https://www.azurecitadel.com/cmk/sovereignty/</link>
      <pubDate>Fri, 06 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://www.azurecitadel.com/cmk/sovereignty/</guid>
      <description>Applying sovereignty requirements to workloads Digital Sovereignty considerations are usually split into data sovereignty, operational sovereignty and AI sovereignty.&#xA;From an architectural perspective this is largely a workload conversation and reinforces the idea that seeing a customer's estate through an additional sovereignty lens introduces another set of concerns, risks, controls, and compliance requirements that we need to consider in our decision making and recommendations.&#xA;Some requirements will apply to the whole environment, and some will be applicable to specific workloads.</description>
    </item>
    <item>
      <title>Key management options</title>
      <link>https://www.azurecitadel.com/cmk/keyvaults/</link>
      <pubDate>Fri, 06 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://www.azurecitadel.com/cmk/keyvaults/</guid>
      <description>Introduction Azure gives you many key management options. Here we will cover three of them: Azure Key Vault Standard and Premium, plus Azure Key Vault Managed HSM. They share a common API surface but differ significantly in how keys are protected and who ultimately controls them. Choosing the right one has direct implications for your compliance and sovereignty posture.&#xA;Quick guidance&#xA;Azure Key Vault Standard — good for dev/test and low-sensitivity workloads: secrets, certs, software-protected keys.</description>
    </item>
    <item>
      <title>🧪 Azure Key Vault Premium</title>
      <link>https://www.azurecitadel.com/cmk/lab-akvp/</link>
      <pubDate>Fri, 06 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://www.azurecitadel.com/cmk/lab-akvp/</guid>
      <description>Objectives By the end of this lab you will have:&#xA;Determined a sensible Azure region for these labs. Created a resource group. Created an Azure Key Vault Premium and assigned yourself the Key Vault Crypto Officer role. There is also some additional information on this page about securing vaults and some of the key differences in creating, activating and managing a Managed HSM instead.&#xA;Access The labs assume you are either Owner or have Contributor plus Role Based Access Control Administrator on an Azure subscription as they create resources and RBAC role assignments.</description>
    </item>
    <item>
      <title>L2: Encryption at rest with CMK</title>
      <link>https://www.azurecitadel.com/cmk/at-rest/</link>
      <pubDate>Fri, 06 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://www.azurecitadel.com/cmk/at-rest/</guid>
      <description>Introduction This page covers encryption at rest — protecting stored data so that it cannot be read without access to your key. Each Azure service that supports customer-managed keys wraps its own internal data encryption keys using your CMK in Key Vault. If your key is unavailable, the service cannot decrypt the data.&#xA;Encryption in use — protecting data while it is being processed, using Azure Confidential Compute — is a separate topic covered later in this series.</description>
    </item>
    <item>
      <title>🧪 CMK for Storage</title>
      <link>https://www.azurecitadel.com/cmk/lab-storage/</link>
      <pubDate>Fri, 06 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://www.azurecitadel.com/cmk/lab-storage/</guid>
      <description>Objectives By the end of this lab you will have:&#xA;Created an RSA-HSM key in the Azure Key Vault Premium. Created a storage account encrypted with that customer-managed key. Verified that the encryption is in place and points at your key. You will need to have completed the Azure Key Vault Premium lab.&#xA;Set up variables If you are continuing straight from the previous lab then you should already have these set.</description>
    </item>
    <item>
      <title>🧪 CMK for VM Disks and AKS</title>
      <link>https://www.azurecitadel.com/cmk/lab-disks/</link>
      <pubDate>Fri, 06 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://www.azurecitadel.com/cmk/lab-disks/</guid>
      <description>Objectives By the end of this lab you will have:&#xA;Created a Disk Encryption Set (DES) tied to an HSM-backed key in Azure Key Vault Premium. Deployed a small test network. Deployed a VM with its OS disk encrypted via the DES. Created an AKS cluster with node OS disk encryption using the same DES. We will reuse the Azure Key Vault Premium created in the first lab.&#xA;Note that in a real world scenario you would probably use different keys for the virtual machines and the AKS nodes as per the guidance on the Encrypting data at rest with CMK page.</description>
    </item>
  </channel>
</rss>
