Client-Side Encryption

Explore client-side encryption in Cosmos DB using the Always Encrypted feature to control access to encryption keys and protect sensitive data. Learn how to generate and manage data encryption keys and customer-managed keys, apply encryption policies to container properties, and handle key rotation securely using Azure Key Vault and the Cosmos DB SDK. Understand encryption types and operational steps for securely storing and querying encrypted data.

We'll cover the following...

Always Encrypted
- How it works
Customer-managed keys
Usage

Always Encrypted

Client-side encryption (the Always Encrypted feature) lets us control keys and their access. The main benefit of it is that we can decide who can decrypt the data independently from their ability to access the container. On top of that, we can encrypt each property with different keys, which helps protect personally identifiable information (PII).

How it works

To encrypt our data, we need two different types of keys:

Data encryption keys (DEKs):
- Used to encrypt the data
- Generated by us
- Stored in the Cosmos DB database level (sharable between containers)
- Can’t be rotated
- Can’t control access
- Encryption happens on Cosmos DB
Customer-managed keys (CMKs):
- Used to wrap the DEKs
- Generated by us
- Stored by us
- Can be rotated
- Can control access
- Wrap happens in the SDK

Let’s see the process to start using the Always Encrypted feature. Everything has to be done through the SDK:

We tell the SDK how to get CMKs. ...

1.Welcome To Cosmos DB

2.Cosmos DB Fundamentals

Mini Project

3.Data Modeling

Mini Project

4.A Distributed Database

5.Change Feed

6.Security and Infrastructure

Mini Project

7.Server-Side Programming

8.Final Words

9.Conclusion

Client-Side Encryption

Always Encrypted

How it works