Azure resources should support customer-managed key for encryption at rest

[SvenAelterman]

Description

As a TRE Administrator
I want to deploy TRE in a manner compliant with common regulatory frameworks, like NIST SP 800-171 R2 and Microsoft's built-in compliance initiatives for those frameworks
So that research takes place in a compliant environment

Acceptance criteria

• CMK support for resources that support it in core (storage accounts, storage disks) #4142
• Support for storing the encryption keys of core resources in an external Key Vault #4143
• CMK support for Cosmos DB (even though this is part of core, this case is listed separately as it requires special handling since the implementation is not straightforward) #4144
• CMK support for resources outside of core #4145
• Support for storing the encryption keys of non-core resources (such as workspaces) in an external Key Vault #4147
• Support for storing the encryption keys in an external HSM #4146
• Adding the enable_cmk_encryption option to the CI #4148
• Block redeployment of TRE with CMK enabled if it has previously been deployed without it. #4172
• Use CMK blocks rather than CMK resources in Terraform #4241

[fortunkam]

We have a couple of options where to host the keys.

1. Use the KeyVault deployed as part of the Instance?
2. Add a new KeyVault (plus managed identity for rotation) to the instance resource group dedicated for keys
3. Add a new KeyVault (plus managed identity for rotation) to the management resource group dedicated for keys

I tend to lean towards option 3 because it opens up options for customers that are using Managed HSM?

The is the Landing Zone Guidance, it implies a KeyVault per application.

[marrobi]

I think we need to allow for managed HSM. Could the KeyVault ID be configurable, defaulting to one in the management RG?

[fortunkam]

Agreed, this would also lean us towards option 3. Only downside is that I am not sure terraform for Managed HSM keys and Key Vault Keys are the same, need to investigate.

[SvenAelterman]

I have not had a requirement to support HSM, so perhaps that might not need to considered until someone needs it?

There will need to be keys in the core for core VMs and storage, etc. For the workspaces, the keys should be in the workspace.

I am not sure if there's a need for a new Key Vault. CMK isn't a new application/workload. The workload, IMO, is the workspace.

[marrobi]

We have a customer that needs this with managed HSM. :)