Customer-managed keys (CMK) are encryption keys that you create and manage in your own key store. This article shares best practices for customer-managed keys in the FHIR® service to help you improve control over data encryption and access. You use Azure Key Vault to create and manage CMK, and then use the keys to encrypt the data stored by the FHIR® service.
Rotate keys often
Follow security best practices and rotate keys often. Rotation is a manual step for the FHIR service: creating a new version of the key in Key Vault does not by itself change the key the service uses. When you rotate, either update the FHIR service to the new version of the existing key or point it at a new encryption key in a different key store. Keep every previous key version enabled after you add a new one; don't disable, delete, or let it expire, because the data encrypted with that version can only be read with it.
To rotate the key by generating a new version of the key, use the az keyvault key rotate command. For more information, see Azure Key Vault rotate command.
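The rotation described above, as an added example that is not part of the Microsoft page: a small POSIX shell script around the Azure CLI that creates a new version of the key, prints the versioned key URL to put into the FHIR service, and fails if any older version of the key has been disabled. It assumes an Azure CLI session that may rotate and list keys in the vault; the vault and key names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Microsoft page. Assumes `az` is logged in with
# permission to rotate and list keys in the vault. Vault and key names are
# placeholders supplied by the caller.

# Build the versioned key URL that the FHIR service is pointed at.
key_url() {
  # $1 vault name, $2 key name, $3 key version
  printf 'https://%s.vault.azure.net/keys/%s/%s\n' "$1" "$2" "$3"
}

# Extract the version segment from a Key Vault key identifier (kid):
# https://<vault>.vault.azure.net/keys/<name>/<version>
key_version_from_kid() {
  printf '%s\n' "${1##*/}"
}

# Create a new version of the key in place and return its kid.
# The FHIR service still references the previous version until you update it.
rotate_key() {
  az keyvault key rotate --vault-name "$1" --name "$2" --query key.kid -o tsv
}

# List the kids of key versions that are disabled. Expected output: nothing.
# Any version that ever encrypted FHIR data must stay enabled.
disabled_versions() {
  az keyvault key list-versions --vault-name "$1" --name "$2" \
    --query "[?attributes.enabled==\`false\`].kid" -o tsv
}

# Re-enable a version that was disabled by mistake.
enable_version() {
  # $1 vault name, $2 key name, $3 key version
  az keyvault key set-attributes --vault-name "$1" --name "$2" \
    --version "$3" --enabled true >/dev/null
}

# End-to-end: rotate, print the URL for the FHIR service update, and refuse
# to report success while any older version is disabled.
rotate_and_check() {
  vault=$1
  key=$2
  new_kid=$(rotate_key "$vault" "$key")
  new_version=$(key_version_from_kid "$new_kid")
  echo "New key URL for the FHIR service: $(key_url "$vault" "$key" "$new_version")"
  bad=$(disabled_versions "$vault" "$key")
  if [ -n "$bad" ]; then
    echo "WARNING: disabled key versions exist; data encrypted with them is unreadable:" >&2
    echo "$bad" >&2
    return 1
  fi
}

# Usage: rotate_and_check kv-fhir-example fhir-cmk
```

After the script prints the new URL, the FHIR service still has to be updated to that URL (via the ARM template deployment the page links to); the script deliberately does not touch the service itself.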
Update the FHIR service after changing a managed identity
The FHIR service reaches your key vault through its managed identity, and the vault's access grant is tied to that identity. If the identity changes in any way, for example because you move the FHIR service to a different tenant or subscription, the service can no longer access your keys. You must update the service manually by using an ARM template deployment. For steps, see Use an ARM template to update the encryption key.
Disable public access with a firewall
If you use the key vault firewall to disable public access, enable the option Allow trusted Microsoft services to bypass this firewall. Without it, the firewall blocks the FHIR service's requests to the vault and the service can't use the key.
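The firewall setting above, as an added example that is not part of the Microsoft page: a POSIX shell script around the Azure CLI that applies the setting and audits a vault for it. The check treats a vault as reachable by the FHIR service when it either has no firewall (default action is not Deny) or has the trusted-services bypass on. It assumes an Azure CLI session with rights to read and update the vault; the vault name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Microsoft page. Assumes `az` is logged in with
# permission to read and update the vault. The vault name is a placeholder.

# Pure check on the two networkAcls values reported by `az keyvault show`.
# Returns 0 when the FHIR service can reach the vault: no firewall at all, or
# a firewall with the trusted Microsoft services bypass enabled.
fhir_can_reach_vault() {
  # $1 defaultAction (Allow, Deny, or empty when unset), $2 bypass (AzureServices or None)
  [ "$1" != "Deny" ] || [ "$2" = "AzureServices" ]
}

# Apply the recommended setting: deny public access, bypass for trusted services.
lock_down_vault() {
  az keyvault update --name "$1" --default-action Deny --bypass AzureServices >/dev/null
}

# Audit one vault; non-zero exit means the FHIR service would be blocked.
audit_vault() {
  action=$(az keyvault show --name "$1" --query properties.networkAcls.defaultAction -o tsv)
  bypass=$(az keyvault show --name "$1" --query properties.networkAcls.bypass -o tsv)
  if fhir_can_reach_vault "$action" "$bypass"; then
    echo "$1: OK (defaultAction=${action:-unset}, bypass=${bypass:-unset})"
  else
    echo "$1: FHIR service would be blocked (defaultAction=$action, bypass=$bypass)" >&2
    return 1
  fi
}

# Usage: lock_down_vault kv-fhir-example && audit_vault kv-fhir-example
```

Run audit_vault over every vault that holds a FHIR service key before tightening any firewall, so a Deny rule never goes in without the bypass.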
Next steps
Configure customer-managed keys for the FHIR service
Note
FHIR® is a registered trademark of HL7 and is used with the permission of HL7.