Data encryption with Customer Managed keys for Azure Event Hubs - Microsoft Tech Community

We are excited to announce the public preview of data encryption at rest with customer managed keys for Azure Event Hubs. Azure Event Hubs provides encryption of data at rest and in transit. By default, Event Hubs uses Azure Storage Service Encryption with Microsoft-managed keys to encrypt the data. With customer managed key support, customers can now choose to encrypt the data with keys that they manage themselves.

Data encryption for Event Hubs with customer managed keys uses Azure Key Vault. Azure Key Vault uses hardware security modules (HSMs) that are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. Access to a key vault requires proper authentication and authorization. Authentication is done via Azure Active Directory, and authorization via role-based access control (RBAC).

How does this work?

To enable data encryption with customer managed keys, Event Hubs assumes that the customer's Azure Active Directory, Key Vault and key (used for encryption) are available.


  1. The customer creates an Event Hubs namespace in their Dedicated Event Hubs cluster and enables customer managed key encryption.
  2. Customers start accessing the namespace to send and receive data.
  3. Each time a send and/or a receive operation is initiated, Event Hubs needs to obtain the customer managed key from Azure Key Vault. The service then unwraps to send and receive the event data.
  4. The Event Hubs service handles this automatically, using Azure Active Directory and managed service identity to access the customer's key vault.

Data encryption with customer managed keys can be enabled only on namespaces in Dedicated Event Hubs clusters and is not available for Standard Event Hubs namespaces. Once customer managed key encryption is enabled on a namespace, there is no opting out of it.


Once encryption is enabled, customers can rotate their key in Azure Key Vault, whether for compliance policies or security reasons. When the key rotation happens, Event Hubs re-encrypts the customer managed key for the Event Hubs resources. The service takes care of this automatically: it does not result in re-encrypting the entire data, and the customer does not need to take any action.
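Why rotation does not touch stored data, shown as an added Go example that is not from this post or from Event Hubs itself: it assumes the usual envelope-encryption layout, in which a data key encrypts the events and the customer key only wraps that data key, which the post implies but does not detail. The `Seal`, `Open` and `Rotate` helpers and the key names are hypothetical, and all keys are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
// Seal encrypts pt under key and returns nonce || ciphertext || tag.
func Seal(key, pt []byte) []byte {
	nonce := randomBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
// Open reverses Seal; it fails on a wrong key or altered data.
func Open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}
// Rotate re-wraps only the data key (assumed envelope layout); events are untouched.
func Rotate(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := Open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return Seal(newKEK, dek), nil
}
func main() {
	kekV1, kekV2, dek := randomBytes(32), randomBytes(32), randomBytes(32) // constructed keys
	event := Seal(dek, []byte("constructed sample event"))
	wrapped, _ := Rotate(kekV1, kekV2, Seal(kekV1, dek))
	dek, _ = Open(kekV2, wrapped) // only the new key version unwraps the data key
	plain, err := Open(dek, event)
	fmt.Println(string(plain), err)
}
```

After `Rotate`, the old key version can no longer unwrap the data key, while the event ciphertext written before the rotation still decrypts unchanged.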


Using customer managed keys with Event Hubs requires the Soft Delete and Do Not Purge properties to be enabled, which helps protect customers from ransomware scenarios.

This feature targets enterprise customers looking to protect sensitive data as part of their regulatory or compliance needs, such as HIPAA and BAA compliance.


Note: Customer managed key encryption with Event Hubs can be enabled only on Event Hubs namespaces that are under a Dedicated Event Hubs cluster. An Event Hubs cluster is Kafka enabled by default. Create a Dedicated cluster in the portal by following this link -