Reputation: 2812
We develop a cloud-based SaaS solution suitable for multiple tenants. For very sensitive data, we need to isolate tenants and provide end-to-end encryption for users assigned to this tenant. Not even the operators of the SaaS solution provider should be able to decrypt the data.
Azure Storage
I see that I could use the client-side encryption feature along with Azure Key Vault for Azure Storage to accomplish this, allowing every tenant to provide a separate Azure Key Vault account which manages the encryption keys.
Azure Cosmos DB
As Azure Cosmos DB provides superior features regarding scalability, we would like to use Cosmos over Azure Storage. However, I didn't find a comparable feature for Cosmos DB providing end-to-end encryption capabilities. The only Cosmos DB encryption feature I found is encryption at rest.
So my question is:
Is there a comparable feature for Azure Cosmos DB I could use to achieve the same goal (end-to-end encryption)?
Upvotes: 0
Views: 2335
Reputation: 2812
I've got an answer from the Azure Cosmos DB Team on Twitter
Cosmos DB currently only supports encryption at rest and in transit. BYOK scenarios are on their roadmap.
Update: The feature is now generally available.
Upvotes: 2
Reputation: 147
In May 2020, Microsoft made the customer-managed keys feature GA, which means you can choose to add a second layer of encryption with keys you manage (customer-managed keys).
Note: This feature can be enabled only for new Azure Cosmos accounts; it can't be enabled for existing accounts.
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
Upvotes: 2
Reputation: 23782
Is there a comparable feature for Azure Cosmos DB I could use to achieve the same goal (end-to-end encryption)?
Based on the encryption at rest, all user data stored in Cosmos DB is encrypted at rest and in transit; you don't have to take any action. But it is transparent for multi-tenants. So, if you want to implement end-to-end encryption which is similar to the client-side encryption in Blob storage, you need to encapsulate your own encryption methods before the operations on your Cosmos DB data.
Moreover, if your data is formatted as files, I suggest using Blob Storage because the cost of Cosmos DB may be a little higher.
Upvotes: 1
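The answer above says the only way to get end-to-end encryption on Cosmos DB is to encrypt on the client before writing. The following is an added example (not code from any poster, and not an Azure SDK sample) of what "encapsulate your own encryption methods" looks like as envelope encryption in Go: each item gets a fresh data encryption key (DEK) that seals the sensitive fields, and the DEK is itself wrapped with a per-tenant key encryption key (KEK). The `kek` byte slice, the `keyId` field name and the `EncryptedDoc` layout are assumptions made for the example; in a real deployment the KEK would never be held in process but would live in the tenant's Key Vault and be used through its wrap/unwrap operations. Only the sealed form is ever written to the database, so the operator holds ciphertext plus a wrapped key they cannot open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// EncryptedDoc is the item actually written to Cosmos DB. Routing fields stay in
// clear; the sensitive payload is sealed client-side and its data key is wrapped
// with the tenant's KEK, so the operator sees neither plaintext nor a usable key.
type EncryptedDoc struct {
	ID         string `json:"id"`
	TenantID   string `json:"tenantId"`   // partition key, stays in clear
	KeyID      string `json:"keyId"`      // which tenant KEK wrapped the DEK (hypothetical field)
	WrappedDEK string `json:"wrappedDek"` // DEK sealed with the KEK, base64(nonce||ct||tag)
	Payload    string `json:"payload"`    // sensitive fields sealed with the DEK, same layout
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to ciphertext, key or AAD fails authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptDocument seals the sensitive fields before the item leaves the client.
// kek is a constructed stand-in for the tenant's Key Vault key.
func EncryptDocument(kek []byte, keyID, tenantID, id string, sensitive map[string]string) (*EncryptedDoc, error) {
	plaintext, err := json.Marshal(sensitive)
	if err != nil {
		return nil, err
	}
	dek := make([]byte, 32) // fresh per-item data encryption key
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	// Bind both ciphertexts to the item identity so a sealed payload or wrapped
	// key cannot be copied into another tenant's item without detection.
	aad := []byte(tenantID + "/" + id)
	payload, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedDoc{ID: id, TenantID: tenantID, KeyID: keyID,
		WrappedDEK: base64.StdEncoding.EncodeToString(wrapped),
		Payload:    base64.StdEncoding.EncodeToString(payload)}, nil
}

// DecryptDocument unwraps the DEK with the tenant KEK, then opens the payload.
func DecryptDocument(kek []byte, doc *EncryptedDoc) (map[string]string, error) {
	aad := []byte(doc.TenantID + "/" + doc.ID)
	wrapped, err := base64.StdEncoding.DecodeString(doc.WrappedDEK)
	if err != nil {
		return nil, err
	}
	dek, err := unseal(kek, wrapped, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(doc.Payload)
	if err != nil {
		return nil, err
	}
	plaintext, err := unseal(dek, payload, aad)
	if err != nil {
		return nil, fmt.Errorf("open payload: %w", err)
	}
	var out map[string]string
	return out, json.Unmarshal(plaintext, &out)
}

func main() {
	kek := make([]byte, 32) // constructed; would come from the tenant's Key Vault
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	doc, err := EncryptDocument(kek, "tenant-a-key-v1", "tenant-a", "doc-1", map[string]string{"ssn": "123-45-6789"})
	if err != nil {
		panic(err)
	}
	stored, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(stored)) // what the operator can see: no plaintext, no usable key
	back, err := DecryptDocument(kek, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("client reads:", back["ssn"])
}
```

Two design points worth noting: the tenant/item identity goes into the GCM associated data, so an operator who copies a sealed payload into another tenant's item cannot make it decrypt there; and because the DEK is per item and wrapped under the tenant's KEK, rotating or revoking a tenant's key (by deleting or disabling it in their vault) makes every item of that tenant unreadable without touching the data itself. The trade-off the answer hints at still applies: sealed fields cannot be queried or indexed server-side, so only the fields that must stay secret should be sealed, and partition and lookup keys stay in clear.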