Azure KeyVault for SSE in different subscriptions

  • Question

  • Hello Community,

    I've got a question about building a multi-environment architecture for Azure KeyVault. My customer wants to use the Server Side Encryption with Customer-Managed Keys scenario for Azure KeyVault, but the KeyVault service has to be separated (by subscription or another tenant) from production environments. The main scenario is encrypting VMs' HDDs (BitLocker and dm-crypt). The customer plans to implement encryption for an AKS cluster, Backup and a Storage account.

    The question is: is it possible to build a secure architecture for KeyVault in an SSE scenario across 2 subscriptions (one with the KeyVault services and a second for the rest of the architecture)? Any ideas?



    Thursday, May 7, 2020 11:14 AM

All replies

  • Hi Marek,

    No, unfortunately this is not possible, as all resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) are required to be in the same subscription and region.

    Customer-managed keys rely on managed identities for Azure resources and when you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work.

    Please refer to the restrictions section of the documentation.

    Tuesday, May 12, 2020 6:35 PM
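As an added illustration of the constraint stated in the reply above (not code from the thread or from Microsoft), the script below takes the `az resource show`-style JSON for a Key Vault, a disk encryption set and a managed disk and reports anything that would break customer-managed keys: resources in different subscriptions or regions, broken references between them, or a disk encryption set without a managed identity. All resource ids and subscription ids are constructed placeholders.

```python
import re

# ARM resource id: /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
_RID = re.compile(r"^/subscriptions/(?P<subscription>[^/]+)/resourceGroups/(?P<resource_group>[^/]+)"
                  r"/providers/(?P<provider>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$", re.IGNORECASE)

def parse_resource_id(rid: str) -> dict:
    m = _RID.match(rid)
    if not m:
        raise ValueError(f"not an ARM resource id: {rid}")
    return m.groupdict()

def check_cmk_layout(key_vault: dict, des: dict, disk: dict) -> list:
    """Return findings that would stop customer-managed keys working for a managed disk."""
    findings = []
    kv, de, dk = (parse_resource_id(r["id"]) for r in (key_vault, des, disk))
    # The disk encryption set must point at this vault, and the disk at this set.
    if des["properties"]["activeKey"]["sourceVault"]["id"].lower() != key_vault["id"].lower():
        findings.append("disk encryption set does not reference the given key vault")
    if disk["properties"]["encryption"].get("diskEncryptionSetId", "").lower() != des["id"].lower():
        findings.append("disk does not reference the given disk encryption set")
    # Vault, disk encryption set and disk must share one subscription ...
    subs = sorted({r["subscription"].lower() for r in (kv, de, dk)})
    if len(subs) > 1:
        findings.append(f"resources span subscriptions: {subs}")
    # ... and one region.
    regions = sorted({r["location"].lower() for r in (key_vault, des, disk)})
    if len(regions) > 1:
        findings.append(f"resources span regions: {regions}")
    # The set's managed identity is how it reaches the vault key; without one CMK cannot work.
    if des.get("identity", {}).get("type", "None") == "None":
        findings.append("disk encryption set has no managed identity")
    return findings

# Constructed sample resources shaped like `az resource show` output (not real ids).
SUB_KV = "11111111-1111-1111-1111-111111111111"   # constructed: key vault subscription
SUB_APP = "22222222-2222-2222-2222-222222222222"  # constructed: workload subscription
VAULT = {"id": f"/subscriptions/{SUB_KV}/resourceGroups/kv-rg/providers/Microsoft.KeyVault/vaults/kv-prod",
         "location": "westeurope"}
DES = {"id": f"/subscriptions/{SUB_APP}/resourceGroups/app-rg/providers/Microsoft.Compute/diskEncryptionSets/des1",
       "location": "westeurope", "identity": {"type": "SystemAssigned"},
       "properties": {"activeKey": {"sourceVault": {"id": VAULT["id"]}}}}
DISK = {"id": f"/subscriptions/{SUB_APP}/resourceGroups/app-rg/providers/Microsoft.Compute/disks/vm1-os",
        "location": "westeurope", "properties": {"encryption": {"diskEncryptionSetId": DES["id"]}}}

if __name__ == "__main__":
    for finding in check_cmk_layout(VAULT, DES, DISK):
        print("FINDING:", finding)
```

Run as-is it reports the split-subscription layout the question proposes; moving the vault into the workload subscription (same region, identity present) yields no findings.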