How to bring BYOK for ChatGPT Open AI Service on Azure

How to bring BYOK for ChatGPT Open AI Service on Azure

If you are looking to bring BYOK for ChatGPT Open AI Service on Azure, read along!

In the realm of AI-driven data processing and storage, data security is a top priority for organizations. Azure OpenAI, a part of Azure AI services, addresses this concern by implementing robust data encryption mechanisms.

In this technical article, we explore the intricacies of data encryption at rest in Azure OpenAI and delve into the concept of customer-managed keys (CMK). By taking advantage of CMK and Azure Key Vault, organizations can customize their encryption strategies and elevate their data security to unprecedented levels.

How to bring BYOK for ChatGPT Open AI Service on Azure

Data Encryption in Azure OpenAI

Azure OpenAI leverages cutting-edge data encryption practices to safeguard sensitive information when it’s persisted in the cloud. The encryption process adheres to FIPS 140-2 compliant 256-bit AES encryption, ensuring the highest level of security for the data at rest.

FIPS 140-2 compliant 256-bit AES encryption:

Feature FIPS 140-2 Compliant 256-bit AES Encryption
Encryption Standard FIPS 140-2 compliant Advanced Encryption Standard (AES)
Key Size 256 bits
Security Certification FIPS 140-2 certification
Encryption Strength High-security level with a 256-bit key
Data Protection Provides strong data protection at rest
Algorithm Performance Efficient encryption and decryption process
Common Usage Widely used in various industries and applications
Encryption Speed Fast encryption and decryption speeds
Algorithm Robustness Resistant to known attacks and vulnerabilities
Regulatory Compliance Compliant with FIPS 140-2 standard
Key Management Flexibility Supports both Microsoft-managed and customer-managed keys
Implementation Complexity Relatively straightforward to implement
Integration with Azure Used in Azure OpenAI as part of Azure AI services
Data Security Assurance Provides strong assurance for data confidentiality
Industry Adoption Widely adopted in the industry for data encryption
Interoperability Compatible with various platforms and systems

FIPS 140-2 compliant 256-bit AES encryption offers a high level of security, making it an excellent choice for protecting sensitive data at rest. It meets rigorous regulatory standards and is widely adopted across industries due to its efficiency and robustness. Organizations can choose to use Microsoft-managed keys or customer-managed keys for added flexibility in key management. Azure OpenAI leverages this encryption standard to ensure the confidentiality and integrity of data stored in the cloud.

The encryption is entirely transparent, meaning the encryption and access management are abstracted from users, eliminating the need to make modifications to existing code or applications. This default encryption scheme ensures data security right from the point of entry into the Azure OpenAI platform.

Customer-Managed Keys (CMK) and Their Significance

While Azure OpenAI provides automatic data encryption with Microsoft-managed keys, the platform also caters to organizations seeking enhanced control over their data security. Enter customer-managed keys (CMK) or Bring Your Own Key (BYOK) mechanism, which empowers users to exercise granular control over encryption keys.

CMK enables organizations to create, rotate, disable, and revoke access controls for their encryption keys. This level of control is indispensable for companies that must adhere to stringent regulatory and compliance requirements, as they can align their encryption practices with specific mandates.

Utilizing Azure Key Vault for CMK

To leverage customer-managed keys, Azure OpenAI mandates using Azure Key Vault – a specialized service designed to manage cryptographic keys, secrets, and certificates securely. Users can either generate their own keys and store them in the key vault or use Azure Key Vault APIs to generate keys tailored to their specific requirements.

The key vault and Azure AI services resource must coexist in the same region and Azure Active Directory (Azure AD) tenant. However, they can belong to different subscriptions, enabling users to maintain the desired separation of duties and access controls.

Enabling CMK and Key Vault Properties

To avail of the benefits of customer-managed keys, users must submit the Azure AI services Customer-Managed Key Request Form, initiating the process of integration. The Azure team will evaluate the request, and within 3-5 business days, the user will receive a status update.

Enabling both the Soft Delete and Do Not Purge properties on the key vault is essential when activating customer-managed keys. The Soft Delete property ensures that accidentally deleted keys can be recovered, while the Do Not Purge property prevents the irreversible deletion of keys, maintaining control over their lifecycle.

Key Limitations and Considerations

Organizations considering customer-managed keys should be aware that Azure AI services encryption only supports RSA keys of size 2048. Users must carefully evaluate their encryption requirements and align their key management practices accordingly.

System-Managed Keys vs Customer-Managed Keys (CMK):

Below is a comparison table between system-managed keys and customer-managed keys with Azure Key Vault:

Feature System-Managed Keys Customer-Managed Keys (CMK)
Key Generation and Rotation Automatically generated and rotated by Azure Users generate and manage their encryption keys
Key Security and Access Control Fully managed by Azure Users have granular control over access controls
Key Storage and Backup Azure handles storage and backup Users manage key storage and backup
Key Deletion and Recovery Azure handles key deletion and recovery Users manage key deletion and recovery
Regulatory Compliance Compliant with relevant security standards Users can align encryption practices with
specific regulatory and compliance requirements
Integration with Azure Services Seamlessly integrated with Azure services It can be used with various Azure services
Implementation Complexity Simple and straightforward to implement Requires additional configuration and management
Use Cases Ideal for basic encryption needs Suited for organizations with stringent security
and compliance requirements
Key Rotation Policies Rotation policies managed by Azure Users can customize key rotation policies
Resource and Cost Management Less administrative overhead and cost More control over resource allocation and costs
Key Auditing Limited control over key auditing Users have visibility into key usage and access
Disaster Recovery Azure handles disaster recovery Users can design their disaster recovery plan

In summary, system-managed keys offer a simple and automated solution for basic encryption needs, as Azure handles all aspects of key management. On the other hand, customer-managed keys (CMK) provide organizations with granular control and customization options for encryption key management, making them suitable for scenarios with stringent security and compliance requirements. The choice between system-managed keys and customer-managed keys depends on the specific security needs and level of control desired by the organization.


Azure OpenAI’s robust data encryption and the flexibility of customer-managed keys through Azure Key Vault empower organizations to establish highly tailored data security strategies.

By integrating advanced encryption practices and embracing customer-managed keys, businesses can elevate their data protection measures to unprecedented levels, ensuring data confidentiality and compliance with regulatory standards.

As data security remains an ever-evolving field, staying informed about the latest encryption practices and updates from Azure is essential to maintain an edge in safeguarding valuable data assets.

Disclaimer: The Questions and Answers provided on are for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose.

What's your reaction?

In Love
Not Sure

You may also like

More in:Azure