Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.
This article is part one in a four-part tutorial series. The tutorial covers:
- Overview of customer-managed keys
- Enable a customer-managed key
- Rotate and revoke a customer-managed key
- Troubleshoot a customer-managed key
About customer-managed keys
A customer-managed key lets you bring your own key, stored in Azure Key Vault, to encrypt registry content. When you enable a customer-managed key, you manage its rotation, control who is allowed to access and use it, and audit its use.
Key features include:
- Regulatory compliance: Azure automatically encrypts registry content at rest with service-managed keys, but customer-managed key encryption helps you meet regulatory compliance guidelines that require you to control the key.
- Integration with Azure Key Vault: Customer-managed keys support server-side encryption through integration with Azure Key Vault. You can create your own encryption keys and store them in a key vault, or use the Azure Key Vault APIs to generate keys.
- Key lifecycle management: Integrating customer-managed keys with Azure Key Vault gives you full control of, and responsibility for, the key lifecycle, including rotation and management.
Before you enable a customer-managed key
Before you configure Azure Container Registry with a customer-managed key, consider the following information:
- This feature is available in the Premium service tier for a container registry. For more information, see Azure Container Registry service tiers.
- You can currently enable a customer-managed key only while creating a registry.
- You can't disable the encryption after you enable a customer-managed key on a registry.
- You have to configure a user-assigned managed identity to access the key vault. Later, if required, you can enable the registry's system-assigned managed identity for key vault access.
- Azure Container Registry supports only RSA or RSA-HSM keys. Elliptic-curve keys aren't currently supported.
- In a registry that's encrypted with a customer-managed key, you can retain logs for Azure Container Registry tasks for only 24 hours. To retain logs for a longer period, see View and manage task run logs.
- Content trust is currently not supported in a registry that's encrypted with a customer-managed key.
Update the customer-managed key version
Azure Container Registry supports both automatic and manual rotation of registry encryption keys when a new key version is available in Azure Key Vault.
Important
Regularly updating (rotating) the key version is an important security consideration for a registry that uses customer-managed key encryption. Follow your organization's compliance policies for how often the key version stored in Azure Key Vault must be updated.
- Automatically update the key version: When a registry is encrypted with a non-versioned key (a key identifier that carries no version), Azure Container Registry regularly checks the key vault for a new key version and switches to it within one hour. Omit the key version when you enable registry encryption if you want the registry to pick up the latest key version automatically.
- Manually update the key version: When a registry is encrypted with a specific key version, Azure Container Registry keeps using that version until you manually update the customer-managed key to a new version. Specify the key version when you enable registry encryption only if you need to control exactly which version the registry uses; you then have to update the registry yourself after every rotation.
For details, see Key rotation and Update key version.
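The two sections above (the prerequisites for enabling a customer-managed key, and the difference between a versionless and a versioned key identifier for rotation) can be checked and applied with the script below. It is an added example, not code from the Azure documentation. It assumes the standard key identifier form https://<vault>.vault.azure.net/keys/<name>[/<version>] with a 32-character hex version; every resource name passed to create_cmk_registry is a placeholder, and the az commands are only run when you call that function yourself.

```shell
#!/bin/sh
# Added example (not part of the Azure documentation): decide, from a Key Vault
# key identifier, whether Azure Container Registry would rotate the key
# automatically (versionless ID) or only on manual update (versioned ID), and
# show the az CLI steps that create a Premium registry encrypted with that key.
# All resource names used with create_cmk_registry are placeholders.
set -eu

# Prints "auto" for a versionless key ID and "manual" for a versioned one.
# Returns 1 for anything not shaped like a Key Vault key identifier.
# Assumption: https://<vault>.vault.azure.net/keys/<name>[/<version>], where
# the version is 32 lowercase hex characters.
classify_key_id() {
  kid="$1"
  case "$kid" in
    https://*/keys/*) ;;
    *) return 1 ;;
  esac
  path="${kid#https://*/keys/}"        # "<name>" or "<name>/<version>"
  case "$path" in
    "" | */ | */*/*) return 1 ;;       # empty name, trailing slash, or too many segments
    */*)
      version="${path#*/}"
      printf '%s\n' "$version" | grep -Eq '^[0-9a-f]{32}$' || return 1
      echo manual ;;
    *) echo auto ;;
  esac
}

# Creates the resources and a Premium registry encrypted with the key. Not run
# by default; call it explicitly with real names. Stripping the version from
# --key-encryption-key is what makes ACR pick up new key versions on its own.
create_cmk_registry() {
  rg="$1"; location="$2"; kv="$3"; key="$4"; identity="$5"; registry="$6"
  az group create --name "$rg" --location "$location"
  # A user-assigned identity is required at creation time (system-assigned can be added later).
  az identity create --resource-group "$rg" --name "$identity"
  identity_id=$(az identity show --resource-group "$rg" --name "$identity" --query id -o tsv)
  principal_id=$(az identity show --resource-group "$rg" --name "$identity" --query principalId -o tsv)
  # Purge protection stops a deleted key from being removed for good during the retention
  # period; without the key the registry content cannot be decrypted. Access-policy mode is
  # forced here because set-policy is used below; on an RBAC vault assign the identity the
  # "Key Vault Crypto Service Encryption User" role instead.
  az keyvault create --resource-group "$rg" --name "$kv" --location "$location" \
    --enable-purge-protection --enable-rbac-authorization false
  # RSA only: ACR does not accept elliptic-curve keys.
  az keyvault key create --vault-name "$kv" --name "$key" --kty RSA --size 2048
  # The identity needs get, unwrapKey and wrapKey to protect the registry's data key.
  az keyvault set-policy --name "$kv" --object-id "$principal_id" \
    --key-permissions get unwrapKey wrapKey
  kid=$(az keyvault key show --vault-name "$kv" --name "$key" --query key.kid -o tsv)
  kid="${kid%/*}"                      # drop the version -> versionless ID, auto rotation
  az acr create --resource-group "$rg" --name "$registry" --sku Premium \
    --identity "$identity_id" --key-encryption-key "$kid"
}

# Constructed sample identifiers (not real vaults).
classify_key_id 'https://contoso-kv.vault.azure.net/keys/acr-cmk'
classify_key_id 'https://contoso-kv.vault.azure.net/keys/acr-cmk/0123456789abcdef0123456789abcdef'
```

Run classify_key_id against the key identifier you are about to pass to az acr create (or against the one already recorded on an existing registry) to confirm which rotation behaviour you are signing up for; "manual" means nobody will move the registry to a new key version for you.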
Next steps
- To enable your container registry with a customer-managed key by using the Azure CLI, the Azure portal, or an Azure Resource Manager template, advance to the next article: Enable a customer-managed key.
- Learn more about encryption at rest in Azure.
- Learn more about access policies and how to secure access to a key vault.