
Azure resources should support customer-managed key for encryption at rest #4002

Open
3 tasks
SvenAelterman opened this issue Jun 23, 2024 · 5 comments
Labels
feature story Stories are the smallest unit of work to be done for a project.

Comments

@SvenAelterman (Collaborator)

Description

As a TRE Administrator
I want to deploy TRE in a manner compliant with common regulatory frameworks, like NIST SP 800-171 R2 and Microsoft's built-in compliance initiatives for those frameworks
So that research takes place in a compliant environment

Acceptance criteria

CMK support for

  • Storage accounts
  • Resource processor VMSS
  • ?
SvenAelterman added the "story" label Jun 23, 2024
@fortunkam

We have a couple of options where to host the keys.

  1. Use the KeyVault deployed as part of the Instance?
  2. Add a new KeyVault (plus managed identity for rotation) to the instance resource group dedicated for keys
  3. Add a new KeyVault (plus managed identity for rotation) to the management resource group dedicated for keys

I tend to lean towards option 3 because it opens up options for customers that are using Managed HSM?

This is the Landing Zone Guidance; it implies a KeyVault per application.

@marrobi (Member)

marrobi commented Sep 6, 2024

I think we need to allow for managed HSM. Could the KeyVault ID be configurable, defaulting to one in the management RG?

@fortunkam

Agreed, this would also lean us towards option 3. The only downside is that I am not sure whether the Terraform for Managed HSM keys and Key Vault keys is the same; need to investigate.
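The arrangement sketched in the thread above (option 3: a Key Vault dedicated to keys in the management resource group, a managed identity that the consuming resource presents to the vault, and a configurable vault ID as marrobi suggests) written out as an added Terraform illustration. This is example code, not AzureTRE's own code or an answer to the Managed HSM question; the resource names, the `cmk_key_vault_id` and `mgmt_resource_group_name` variables, the storage account name and the provider version pin are all assumptions.

```hcl
# Added example (not AzureTRE code): CMK for a storage account with a dedicated
# Key Vault in the management resource group. Names and variables are assumed.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"   # assumed pin; v4 renames enable_rbac_authorization
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

variable "mgmt_resource_group_name" {
  type = string
}

variable "location" {
  type    = string
  default = "westeurope"
}

# Override lets a customer point at an existing vault instead of the one below.
variable "cmk_key_vault_id" {
  type    = string
  default = null
}

# Vault dedicated to encryption keys (option 3). Purge protection is mandatory
# for CMK: Azure refuses to wire a storage account to a vault without it,
# because a purged key would make the data unrecoverable.
resource "azurerm_key_vault" "cmk" {
  count                      = var.cmk_key_vault_id == null ? 1 : 0
  name                       = "kv-tre-cmk-example"   # assumed, must be globally unique
  location                   = var.location
  resource_group_name        = var.mgmt_resource_group_name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"              # HSM-backed (RSA-HSM) keys
  enable_rbac_authorization  = true
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
}

locals {
  cmk_key_vault_id = coalesce(var.cmk_key_vault_id, one(azurerm_key_vault.cmk[*].id))
}

# Identity the storage account uses to call wrapKey/unwrapKey on the vault.
resource "azurerm_user_assigned_identity" "storage_cmk" {
  name                = "id-tre-storage-cmk"
  location            = var.location
  resource_group_name = var.mgmt_resource_group_name
}

# Least privilege: this built-in role grants only get/wrap/unwrap on keys.
resource "azurerm_role_assignment" "storage_cmk" {
  scope                = local.cmk_key_vault_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.storage_cmk.principal_id
}

# The deploying principal needs rights to create the key in an RBAC vault.
resource "azurerm_role_assignment" "deployer_crypto_officer" {
  scope                = local.cmk_key_vault_id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "storage" {
  name         = "tre-storage-cmk"
  key_vault_id = local.cmk_key_vault_id
  key_type     = "RSA-HSM"
  key_size     = 3072
  key_opts     = ["wrapKey", "unwrapKey"]   # CMK needs nothing else

  # Rotation is done by Key Vault itself; no custom identity needed for it.
  rotation_policy {
    expire_after         = "P1Y"
    notify_before_expiry = "P30D"
    automatic {
      time_before_expiry = "P60D"
    }
  }

  depends_on = [azurerm_role_assignment.deployer_crypto_officer]
}

resource "azurerm_storage_account" "core" {
  name                            = "sttrecmkexample"   # assumed, must be globally unique
  location                        = var.location
  resource_group_name             = var.mgmt_resource_group_name
  account_tier                    = "Standard"
  account_replication_type        = "ZRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.storage_cmk.id]
  }

  # Versionless key ID: Storage adopts new key versions after each rotation
  # without a Terraform apply. Passing a versioned ID would pin the version.
  customer_managed_key {
    key_vault_key_id          = azurerm_key_vault_key.storage.versionless_id
    user_assigned_identity_id = azurerm_user_assigned_identity.storage_cmk.id
  }

  # RBAC propagation lags; create the role assignment before the binding.
  depends_on = [azurerm_role_assignment.storage_cmk]
}
```

Two practitioner caveats. First, in production the vault should sit behind a private endpoint with `default_action = "Deny"` and `bypass = "AzureServices"` so that the Storage trusted-service path still reaches it; that is omitted here only so the key can be created from wherever `terraform apply` runs. Second, on the Terraform question: in the azurerm provider a Managed HSM key is a different resource from `azurerm_key_vault_key` (`azurerm_key_vault_managed_hardware_security_module_key`), and for storage accounts it is attached through the `managed_hsm_key_id` argument of the standalone `azurerm_storage_account_customer_managed_key` resource rather than through `key_vault_key_id`. That is as documented for recent 3.x releases and should be confirmed against the provider version pinned in the repo, since the two key types are not interchangeable in the same block.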

@SvenAelterman (Collaborator, Author)

I have not had a requirement to support HSM, so perhaps that might not need to be considered until someone needs it?

There will need to be keys in the core for core VMs and storage, etc. For the workspaces, the keys should be in the workspace.

I am not sure if there's a need for a new Key Vault. CMK isn't a new application/workload. The workload, IMO, is the workspace.

@marrobi (Member)

marrobi commented Sep 12, 2024

We have a customer that needs this with managed HSM. :)
