Arun Prakash Nagendran

Reputation: 651

Encrypt Azure service bus using customer managed keys when data is already present

I have a compliance activity to encrypt my Azure Service Bus Premium using a customer-managed key. However, Microsoft documentation states that the namespace must be devoid of queues, topics, and data. My ASB has data and is up and running. I cannot afford the downtime to delete queues, enable encryption, and then continue. Are there any other options?

Upvotes: 1

Views: 1051

Answers (1)

SauravDas-MT

Reputation: 1446

If you check this Configure customer-managed keys for encrypting Azure Service Bus document then you will find that -

Azure Service Bus Premium provides encryption of data at rest with Azure Storage Service Encryption. Service Bus Premium uses Azure Storage to store the data. All the data that's stored with Azure Storage is encrypted using Microsoft-managed keys.

And it also has a limitation, as you mentioned in the question, that the encryption can only be enabled for new or empty namespaces. If the namespace contains any queues or topics, then the encryption operation will fail. There is no other option.

So we have the two types of encryption as follows -

  • Encryption at Rest - Azure ensures the disks used in persisting the messages are encrypted either with Microsoft-managed keys (which is the default) or customer-managed keys.

  • Encryption in Transit - This is basically protecting the medium which is used to transmit the data from point-to-point. A classic example of this would be TLS/SSL encryption in Azure being used to encrypt the data transmitted.

For more information read the best practices in Securing Azure Service Bus and Encrypt Azure Service Bus Data at REST using User Keys documents.

Upvotes: 0
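The answer's two constraints (CMK needs the Premium tier, and the namespace must hold no queues or topics when CMK is turned on) are easy to get wrong across a fleet of namespaces. The following pre-flight audit is an added example, not code from the question, the answer or Microsoft; it assumes the namespace documents look like `Microsoft.ServiceBus/namespaces` resources (`sku.tier`, `properties.encryption.keySource`, `properties.encryption.keyVaultProperties[].keyVaultUri`) and that the entity counts were collected separately. All sample namespaces are constructed.

```python
"""Pre-flight audit: which Service Bus namespaces can have CMK enabled today?

Added example. The field names below are an assumption about the ARM
namespace document shape; the sample namespaces are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# keySource value reported when a customer-managed key is configured
# (assumed ARM value; anything else is treated as Microsoft-managed).
CMK_KEY_SOURCE = "Microsoft.KeyVault"


@dataclass
class NamespaceSnapshot:
    """Per-namespace facts an audit run would collect (constructed shape)."""
    name: str
    tier: str                      # sku.tier: Basic, Standard or Premium
    key_source: str = ""           # properties.encryption.keySource, if any
    key_vault_uris: List[str] = field(default_factory=list)  # keyVaultProperties[].keyVaultUri
    queue_count: int = 0
    topic_count: int = 0

    def is_empty(self) -> bool:
        # The page's limitation: CMK can only be enabled on an empty namespace.
        return self.queue_count == 0 and self.topic_count == 0


def classify(ns: NamespaceSnapshot) -> Tuple[str, str]:
    """Return (status, human-readable reason) for one namespace."""
    if ns.tier.lower() != "premium":
        return ("NOT_PREMIUM",
                f"{ns.name}: CMK encryption is only offered on the Premium tier (current: {ns.tier})")
    if ns.key_source == CMK_KEY_SOURCE and ns.key_vault_uris:
        return ("CMK_ENABLED",
                f"{ns.name}: customer-managed key already configured from {', '.join(ns.key_vault_uris)}")
    if ns.is_empty():
        return ("READY_FOR_CMK",
                f"{ns.name}: Premium and empty, CMK can be enabled now")
    return ("BLOCKED_NOT_EMPTY",
            f"{ns.name}: holds {ns.queue_count} queue(s) and {ns.topic_count} topic(s); "
            "enabling CMK on a non-empty namespace fails")


def from_arm(doc: dict, queue_count: int, topic_count: int) -> NamespaceSnapshot:
    """Build a snapshot from a namespace resource document (assumed ARM shape)."""
    props = doc.get("properties") or {}
    enc = props.get("encryption") or {}
    uris = [kv.get("keyVaultUri", "") for kv in enc.get("keyVaultProperties", [])]
    return NamespaceSnapshot(
        name=doc["name"],
        tier=(doc.get("sku") or {}).get("tier", ""),
        key_source=enc.get("keySource", ""),
        key_vault_uris=[u for u in uris if u],
        queue_count=queue_count,
        topic_count=topic_count,
    )


def audit(snapshots: List[NamespaceSnapshot]) -> Dict[str, str]:
    """Map namespace name -> status for a compliance report."""
    return {ns.name: classify(ns)[0] for ns in snapshots}


# Constructed sample data covering the four outcomes.
SAMPLE_NAMESPACES = [
    NamespaceSnapshot("sb-orders-prod", "Premium", queue_count=12, topic_count=3),
    NamespaceSnapshot("sb-orders-cmk", "Premium", key_source=CMK_KEY_SOURCE,
                      key_vault_uris=["https://example-kv.vault.azure.net/"]),
    NamespaceSnapshot("sb-new-empty", "Premium"),
    NamespaceSnapshot("sb-dev-std", "Standard", queue_count=2),
]

if __name__ == "__main__":
    for ns in SAMPLE_NAMESPACES:
        status, reason = classify(ns)
        print(f"{status:18} {reason}")
```

Run against real output from `az servicebus namespace show` plus queue/topic counts, the BLOCKED_NOT_EMPTY rows are exactly the namespaces the answer is talking about: the only path for them is the one the question already describes (empty the namespace first), so the audit at least tells you which namespaces need a maintenance window and which can be switched over immediately.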
