We need to encrypt postgres instance with a customer CMK from another tenant.

Rohit Khansili 0 Reputation points
2025-06-05T23:54:00.8066667+00:00

We have a use case where we need to encrypt data at rest for a postgres instance inside our tenant but using a customer CMK. The customer is hosted in an external Microsoft tenant - is this possible? According to the doc at https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-data-encryption?WT.mc_id=Portal-HubsExtension#requirements-for-configuring-data-encryption-for-azure-database-for-postgresql-flexible-server it's not supported: "Key Vault and Azure Database for PostgreSQL Flexible Server must belong to the same Microsoft Entra tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving the Key Vault resource afterward requires you to reconfigure the data encryption."

could you please verify?

Azure Database for PostgreSQL

1 answer

  1. Mahesh Kurva 4,555 Reputation points Microsoft External Staff Moderator
    2025-06-12T16:50:32.08+00:00

    Hi Rohit Khansili,

    Cross-tenant interactions are not supported for configuring data encryption with a customer-managed key (CMK) in Azure Database for PostgreSQL. The Key Vault and the Azure Database for PostgreSQL Flexible Server must belong to the same Microsoft Entra tenant.

    This means that it is not possible to configure data encryption for a PostgreSQL instance using a CMK if the Key Vault and the database server are in different Microsoft Entra tenants. You would need to ensure that both the Key Vault and the PostgreSQL server are within the same tenant to utilize customer-managed keys for encryption.


    We were told by a partner of ours that they use their keys in their tenant to do encryption in Snowflake running in another Azure account so it works for Azure and Snowflake (in Azure in a different tenant)?

    Yes, your partner is correct: it is supported to use customer-managed keys (CMKs) stored in Azure Key Vault in one tenant to encrypt data in Snowflake running in another Azure tenant/account.

    This is possible because Snowflake's Tri-Secret Secure architecture on Azure supports cross-tenant integration with Azure Key Vault.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

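The same-tenant requirement in the answer above is easy to check before any CMK configuration is attempted, and the supported layout is easy to script. The following is an added example, not code from the thread, from Microsoft's docs, or from the Azure CLI itself: a preflight that compares the Key Vault's tenant ID with the tenant of the subscription that will host the Flexible Server (read from `az account show`), refuses a vault from another tenant, and then shows the same-tenant az CLI sequence (user-assigned identity, least-privilege key permissions, server creation with `--key` and `--identity`). The resource-group, vault, server and identity names, the key name `pg-cmk`, and the sample JSON outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft docs: a
# preflight that enforces the same-tenant requirement before configuring
# a customer-managed key on Azure Database for PostgreSQL Flexible Server,
# followed by the az CLI sequence for the supported (same-tenant) layout.
# Resource names, the key name "pg-cmk" and the sample JSON are assumptions.
set -eu

# Pull the first "tenantId" value out of a JSON document without jq.
tenant_id_from_json() {
    printf '%s' "$1" \
      | sed -n 's/.*"tenantId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      | head -n 1
}

# 0 when both tenant IDs are present and identical, 1 otherwise.
same_tenant() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Constructed sample output standing in for `az keyvault show -o json`
# (vault tenant) and `az account show -o json` (tenant of the subscription
# that will host the server). Two vaults: one in our tenant, one in a
# partner's tenant.
KV_JSON_OURS='{"name":"kv-pg-cmk","properties":{"tenantId":"11111111-1111-1111-1111-111111111111"}}'
KV_JSON_PARTNER='{"name":"kv-partner","properties":{"tenantId":"22222222-2222-2222-2222-222222222222"}}'
ACCOUNT_JSON='{"tenantId":"11111111-1111-1111-1111-111111111111","name":"pg-subscription"}'

# Decide whether the vault described by $1 can back CMK for a server in the
# subscription described by $2. Prints the verdict, returns 0 (ok) or 1.
cmk_preflight() {
    kv_tenant=$(tenant_id_from_json "$1")
    srv_tenant=$(tenant_id_from_json "$2")
    if same_tenant "$kv_tenant" "$srv_tenant"; then
        echo "ok: vault and server share tenant $kv_tenant"
        return 0
    fi
    echo "refuse: vault tenant '$kv_tenant' != server tenant '$srv_tenant' (cross-tenant CMK unsupported)" >&2
    return 1
}

# Same-tenant CMK setup with the az CLI (needs a logged-in az; not executed
# in the stand-alone run below). Arguments: resource group, vault, server,
# identity name, location.
configure_cmk() {
    rg="$1"; kv="$2"; server="$3"; identity="$4"; location="$5"
    cmk_preflight "$(az keyvault show -n "$kv" -g "$rg" -o json)" \
                  "$(az account show -o json)" || return 1
    # User-assigned identity the server uses to reach the key.
    identity_id=$(az identity create -n "$identity" -g "$rg" -l "$location" --query id -o tsv)
    principal_id=$(az identity show -n "$identity" -g "$rg" --query principalId -o tsv)
    # Least privilege on the vault: only the key operations CMK needs.
    # (For an RBAC-mode vault, assign "Key Vault Crypto Service Encryption
    # User" to $principal_id at the vault scope instead of an access policy.)
    az keyvault set-policy -n "$kv" --object-id "$principal_id" \
        --key-permissions get wrapKey unwrapKey
    key_id=$(az keyvault key show --vault-name "$kv" -n pg-cmk --query key.kid -o tsv)
    az postgres flexible-server create -n "$server" -g "$rg" -l "$location" \
        --key "$key_id" --identity "$identity_id"
}

# Stand-alone run on the constructed samples: the partner vault is refused,
# ours passes.
if cmk_preflight "$KV_JSON_PARTNER" "$ACCOUNT_JSON"; then
    echo "unexpected: partner vault accepted" >&2
    exit 1
fi
cmk_preflight "$KV_JSON_OURS" "$ACCOUNT_JSON"
```

The preflight is deliberately independent of the az CLI so it can run on captured JSON; `configure_cmk` is what you would call, after `az login` into the tenant that owns both resources, as `configure_cmk my-rg kv-pg-cmk pg-prod pg-cmk-identity eastus`. The linked requirements page also expects the vault to have soft delete and purge protection enabled, which the script does not create for you; the sed-based extraction is only meant for the single-`tenantId` documents `az keyvault show` and `az account show` return.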
