Customer Managed Encryption Key - Teradata® VantageCloud Enterprise on Azure

VantageCloud Enterprise on Azure (DIY) Installation and Administration Guide - 3.2.0.0

Deployment: VantageCloud
Edition: Enterprise
Product: Teradata® VantageCloud Enterprise on Azure
Release Number: 3.2.0.0
Published: March 2026
Last edition: 2026-04-07
Product Category: Cloud

Customer Managed Encryption Keys (CMEK) allow you to encrypt VantageCloud Enterprise (DIY) resources using your own Azure Key Vault keys, giving you full ownership and control over encryption at rest.

With CMEK enabled, all supported VantageCloud components, including SQL Engine (SQLE), Ecosystem services, and backups, use customer owned keys for disk and storage encryption.

Supported CMEK Scenarios

Initial Deployment
  • CMEK can be configured during site provisioning
  • OS disks and data disks are encrypted using a Disk Encryption Set (DES) linked to your key
Backup & Restore with CMEK
  • Azure Storage Account encrypted with the same CMEK
    Encryption of the Azure Storage Account with a customer managed key (CMEK) does not occur as part of the initial provisioning workflow.
  • Customers are responsible for manually enabling CMEK encryption on the Storage Account after site provisioning. Please refer to this Azure documentation.

CMEK Rotation – What Is Supported

Case 1: New Version of the Same Key
  • A new version of the existing key is created in Azure Key Vault
  • Azure updates the Disk Encryption Set (DES) to reference the new key version
  • Both automatic and manual DES updates are supported
Case 2: Switching to an Entirely New Key
  • A manual update of the Disk Encryption Set (DES) is required to point to the new key
  • Existing data is not re-encrypted immediately
    • Previously encrypted disks continue using the old key until data is overwritten
  • Azure Storage Accounts follow the same behavior:
    • The storage account can be manually updated to use the new key
    • Existing backups still require the old key for access
In both cases, old key versions must remain accessible, as previously encrypted data and backups cannot be decrypted without them.

Important Considerations

Only one CMEK is supported per site for:
  • Database Engine
  • Ecosystem components
  • Backups (Storage Account)

Managed Disks and the Azure Key Vault must reside in the same Azure subscription and region. Cross-subscription and cross-region Key Vaults are not supported.

Customer Responsibilities: When using CMEK, Teradata does not manage your keys. You are fully responsible for:
  • Key creation and configuration
  • Key rotation and version management
  • Access control (RBAC / policies)
  • Cost management
  • Security, availability, and lifecycle maintenance

You must ensure uninterrupted access to all active and historical key versions used by your VantageCloud site.

If a CMEK becomes inaccessible (disabled, destroyed, expired, or permissions revoked):
  • VantageCloud operations will stop
  • This can result in:
    • Data corruption
    • Data integrity issues
    • Permanent data loss
  • Operations resume only after a valid key is restored.
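
One way to check the key-availability requirement above, as an added example that is not part of Teradata's guide: a Python function that takes the parsed JSON list of key versions and the key URLs the site depends on, and reports any that are missing, disabled, expired or close to expiry. The field names (kid, attributes.enabled, attributes.expires) are assumed to match the output of `az keyvault key list-versions`; the vault, key and version names are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

def _parse(ts):
    """Parse an ISO 8601 timestamp; None means no expiry is set."""
    if ts is None:
        return None
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_key_versions(listed, required_kids, now, warn_days=30):
    """Return {kid: status} for every key version the site depends on.

    listed: parsed JSON list of key versions (assumed fields: kid,
        attributes.enabled, attributes.expires).
    required_kids: key URLs used by the DES and the storage account,
        active and historical.
    """
    by_kid = {v["kid"]: v.get("attributes", {}) for v in listed}
    report = {}
    for kid in required_kids:
        attrs = by_kid.get(kid)
        if attrs is None:
            report[kid] = "missing"  # destroyed, or not in this vault/key
            continue
        expires = _parse(attrs.get("expires"))
        if not attrs.get("enabled", False):
            report[kid] = "disabled"
        elif expires is not None and expires <= now:
            report[kid] = "expired"
        elif expires is not None and expires <= now + timedelta(days=warn_days):
            report[kid] = "expiring"
        else:
            report[kid] = "ok"
    return report

# Constructed sample data; vault, key and version names are placeholders.
BASE = "https://example-vault.vault.azure.net/keys/site-cmek/"
SAMPLE_VERSIONS = [
    {"kid": BASE + "v1", "attributes": {"enabled": False, "expires": None}},
    {"kid": BASE + "v2", "attributes": {"enabled": True, "expires": "2026-05-01T00:00:00+00:00"}},
    {"kid": BASE + "v3", "attributes": {"enabled": True, "expires": None}},
]
SAMPLE_REQUIRED = [BASE + v for v in ("v0", "v1", "v2", "v3")]

if __name__ == "__main__":
    now = datetime(2026, 4, 15, tzinfo=timezone.utc)
    for kid, status in audit_key_versions(SAMPLE_VERSIONS, SAMPLE_REQUIRED, now).items():
        print(f"{status:9} {kid}")
```

Revoked permissions do not show up in key metadata, so this check covers only the disabled, destroyed and expired cases from the list above.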