If you are looking to bring BYOK for ChatGPT Open AI Service on Azure, read along!
In the realm of AI-driven data processing and storage, data security is a top priority for organizations. Azure OpenAI, a part of Azure AI services, addresses this concern by implementing robust data encryption mechanisms.
In this technical article, we explore the intricacies of data encryption at rest in Azure OpenAI and delve into the concept of customer-managed keys (CMK). By taking advantage of CMK and Azure Key Vault, organizations can customize their encryption strategies and elevate their data security to unprecedented levels.
Table of Contents
Azure OpenAI leverages cutting-edge data encryption practices to safeguard sensitive information when it’s persisted in the cloud. The encryption process adheres to FIPS 140-2 compliant 256-bit AES encryption, ensuring the highest level of security for the data at rest.
FIPS 140-2 compliant 256-bit AES encryption:
FIPS 140-2 compliant 256-bit AES encryption offers a high level of security, making it an excellent choice for protecting sensitive data at rest. It meets rigorous regulatory standards and is widely adopted across industries due to its efficiency and robustness. Organizations can choose to use Microsoft-managed keys or customer-managed keys for added flexibility in key management. Azure OpenAI leverages this encryption standard to ensure the confidentiality and integrity of data stored in the cloud.
The encryption is entirely transparent, meaning the encryption and access management are abstracted from users, eliminating the need to make modifications to existing code or applications. This default encryption scheme ensures data security right from the point of entry into the Azure OpenAI platform.
While Azure OpenAI provides automatic data encryption with Microsoft-managed keys, the platform also caters to organizations seeking enhanced control over their data security. Enter customer-managed keys (CMK) or Bring Your Own Key (BYOK) mechanism, which empowers users to exercise granular control over encryption keys.
CMK enables organizations to create, rotate, disable, and revoke access controls for their encryption keys. This level of control is indispensable for companies that must adhere to stringent regulatory and compliance requirements, as they can align their encryption practices with specific mandates.
To leverage customer-managed keys, Azure OpenAI mandates using Azure Key Vault – a specialized service designed to manage cryptographic keys, secrets, and certificates securely. Users can either generate their own keys and store them in the key vault or use Azure Key Vault APIs to generate keys tailored to their specific requirements.
The key vault and Azure AI services resource must coexist in the same region and Azure Active Directory (Azure AD) tenant. However, they can belong to different subscriptions, enabling users to maintain the desired separation of duties and access controls.
To avail of the benefits of customer-managed keys, users must submit the Azure AI services Customer-Managed Key Request Form, initiating the process of integration. The Azure team will evaluate the request, and within 3-5 business days, the user will receive a status update.
Enabling both the Soft Delete and Do Not Purge properties on the key vault is essential when activating customer-managed keys. The Soft Delete property ensures that accidentally deleted keys can be recovered, while the Do Not Purge property prevents the irreversible deletion of keys, maintaining control over their lifecycle.
Organizations considering customer-managed keys should be aware that Azure AI services encryption only supports RSA keys of size 2048. Users must carefully evaluate their encryption requirements and align their key management practices accordingly.
Below is a comparison table between system-managed keys and customer-managed keys with Azure Key Vault:
In summary, system-managed keys offer a simple and automated solution for basic encryption needs, as Azure handles all aspects of key management. On the other hand, customer-managed keys (CMK) provide organizations with granular control and customization options for encryption key management, making them suitable for scenarios with stringent security and compliance requirements. The choice between system-managed keys and customer-managed keys depends on the specific security needs and level of control desired by the organization.
Azure OpenAI’s robust data encryption and the flexibility of customer-managed keys through Azure Key Vault empower organizations to establish highly tailored data security strategies.
By integrating advanced encryption practices and embracing customer-managed keys, businesses can elevate their data protection measures to unprecedented levels, ensuring data confidentiality and compliance with regulatory standards.
As data security remains an ever-evolving field, staying informed about the latest encryption practices and updates from Azure is essential to maintain an edge in safeguarding valuable data assets.