title | description | author | ms.service | services | ms.topic | ms.date | ms.author | ROBOTS |
---|---|---|---|---|---|---|---|---|
Encryption of Azure IoT Hub data at rest using customer-managed keys \| Microsoft Docs | Encryption of Azure IoT Hub data at rest using customer-managed keys | kgremban | iot-hub | iot-hub | conceptual | 07/07/2021 | kgremban | NOINDEX |

IoT Hub supports encryption of data at rest using customer-managed keys (CMK), also known as bring your own key (BYOK). Azure IoT Hub encrypts data at rest and in transit as it's written in our datacenters; the data is encrypted when written and decrypted when read.
By default, IoT Hub uses Microsoft-managed keys to encrypt the data. With CMK, you can get another layer of encryption on top of default encryption and can choose to encrypt data at rest with a key encryption key, managed through your Azure Key Vault. This gives you the flexibility to create, rotate, disable, and revoke access controls. If BYOK is configured for your IoT Hub, we also provide double encryption, which offers a second layer of protection, while still allowing you to control the encryption key through your Azure Key Vault.
This capability requires the creation of a new IoT Hub (basic or standard tier). To try this capability, contact us through Microsoft support. Share your company name and subscription ID when contacting Microsoft support.