Closed: perktime closed this issue 2 months ago
@perktime Thanks for your feedback! We will investigate and update as appropriate.
@perktime Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly.
Are there any plans to support auto-rotation of the encryption key from the MySQL Flexible Server perspective? Right now we need to configure a versioned key id. AFAIK, for example for Azure SQL Database or Azure Storage Account, there is an option to configure a versionless key id, or at least to tell the service to auto-rotate it upon detection of a new key version in the Key Vault.
That would integrate nicely with the Key Vault key auto-rotation feature. At the moment we can set up auto-rotation for the Key Vault key, but then as rotation occurs we still need to update the MySQL Flexible Server either manually or via some additional automation.
Also, in the documentation of the Key Vault key auto-rotation feature there is a note (https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation#key-rotation-policy):
Key rotation generates a new key version of an existing key with new key material. Target services should use versionless key uri to automatically refresh to latest version of the key. Ensure that your data encryption solution stores versioned key uri with data to point to the same key material for decrypt/unwrap as was used for encrypt/wrap operations to avoid disruption to your services. All Azure services are currently following that pattern for data encryption.
Doesn't that mean MySQL Flexible Server actually does not follow that recommendation? Shouldn't that be implemented service-side?
Hi @SudheeshGH, any update on the issue?
There is a plan to update this doc by end of the year.
After careful consideration, we have decided to discontinue further updates.
This decision was not made lightly. Our team is committed to delivering the best possible experience, and focusing our efforts on Flexible Server will benefit you more in the long run.
Even though the article mentions key rotation, it does not explicitly state how this is to be accomplished. Could this get added to the article? From my understanding, Azure DB for MySQL Flexible Server does not currently support automatic key rotation so the following steps need to be done from what I can tell:
1) Create a new key with the required accesses while still retaining access to the old key (do not remove the old key).
2) Submit and validate the new key using the Azure CLI:
   az mysql flexible-server update --resource-group testGroup --name testserver --key <key identifier of newKey> --identity newIdentity
3) Make sure you can access the data with the new key.
4) Delete the old key (not sure if this renders old backups inaccessible though, like it does for Azure SQL, so you might want to caution on that if it is true).
Thank you, Pete
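The following is an added example written for this page; it is not code from the issue thread, from the Azure docs, or from the Azure CLI team. It scripts the manual rotation Pete lists above and goes one step further, covering the "additional automation" perktime mentions: after a Key Vault auto-rotation produces a new version, it reads the newest enabled version and moves the server to it, since Flexible Server does not follow the versionless URI on its own. The resource group, server, vault, key and identity names are placeholders, and the `dataEncryption.primaryKeyUri` output path is assumed; check it against `az mysql flexible-server show` output on your subscription before relying on it.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread or the Azure docs): rotate the customer-managed
# key of an Azure Database for MySQL Flexible Server with the Azure CLI, and sync the
# server to the newest Key Vault version after an auto-rotation.
# All resource names are placeholder assumptions; override them via the environment.
set -euo pipefail

RG="${RG:-testGroup}"
SERVER="${SERVER:-testserver}"
VAULT="${VAULT:-mykeyvault}"
KEY="${KEY:-mysql-cmk}"
# User-assigned identity with get/wrapKey/unwrapKey on the vault (name or resource ID).
IDENTITY="${IDENTITY:-newIdentity}"

# Flexible Server takes a *versioned* key id:
#   https://<vault>.vault.azure.net/keys/<key-name>/<32-hex-version>
# The versionless form recommended in the Key Vault rotation docs has no version segment,
# so refuse it before calling the service. The suffix pattern also admits sovereign clouds.
is_versioned_key_id() {
  printf '%s' "$1" | grep -Eiq '^https://[a-z0-9-]+\.vault\.[a-z0-9.-]+/keys/[a-z0-9-]+/[0-9a-f]{32}$'
}

# Last path segment of a versioned key id.
key_version() {
  printf '%s\n' "$1" | awk -F/ '{print $NF}'
}

# Versioned id of the newest *enabled* key version in the vault, i.e. what an
# auto-rotation policy has just produced.
latest_key_id() {
  az keyvault key list-versions --vault-name "$VAULT" --name "$KEY" \
    --query "[?attributes.enabled] | sort_by(@, &attributes.created)[-1].kid" -o tsv
}

# Versioned key id the server currently encrypts with.
# Assumption: the CLI exposes it as dataEncryption.primaryKeyUri.
server_key_id() {
  az mysql flexible-server show -g "$RG" -n "$SERVER" --query dataEncryption.primaryKeyUri -o tsv
}

# Point the server at a versioned key id (step 2 of the procedure in the post above).
update_server_key() {
  is_versioned_key_id "$1" || { echo "refusing non-versioned key id: $1" >&2; return 1; }
  az mysql flexible-server update -g "$RG" -n "$SERVER" --key "$1" --identity "$IDENTITY" -o none
}

verify_server_key() {
  local have
  have="$(server_key_id)"
  [ "$have" = "$1" ] || { echo "server reports $have, expected $1" >&2; return 1; }
  echo "server now encrypts with key version $(key_version "$have")"
  # Nothing here deletes or disables the previous version. The thread does not settle
  # whether older backups still need it, so keep it until you have confirmed that yourself.
}

# Manual rotation: new key material as a new *version* of the same key
# (az keyvault key create against an existing name adds a version), then move the server.
rotate_manually() {
  local new_kid
  new_kid="$(az keyvault key create --vault-name "$VAULT" --name "$KEY" \
               --kty RSA --size 2048 --query key.kid -o tsv)"
  update_server_key "$new_kid"
  verify_server_key "$new_kid"
}

# Sync after a Key Vault auto-rotation: no-op when the server already uses the newest version.
sync_to_latest() {
  local want have
  want="$(latest_key_id)"
  have="$(server_key_id)"
  if [ "$want" = "$have" ]; then
    echo "server already on key version $(key_version "$have")"
    return 0
  fi
  update_server_key "$want"
  verify_server_key "$want"
}

# Usage: ./rotate-cmk.sh rotate_manually   or   ./rotate-cmk.sh sync_to_latest
case "${1:-}" in
  rotate_manually|sync_to_latest) "$1" ;;
  "") ;;  # no subcommand: only define the functions (e.g. when sourced)
  *) echo "usage: $0 {rotate_manually|sync_to_latest}" >&2; exit 2 ;;
esac
```

Run `sync_to_latest` from a scheduled job or from an Event Grid trigger on the vault's `KeyNewVersionCreated` event to close the gap perktime describes; `update_server_key` refuses a versionless URI up front so a misconfigured caller fails before the service call rather than with an opaque error from the server.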