Container registries should be encrypted with CMK
HIGH
Ensures Azure Container Registry uses customer-managed keys (CMK) for encryption of stored images.
What does this mean?
This optional recommendation enforces customer-managed key encryption on Azure Container Registry. This provides additional control over the encryption of container images and artifacts stored in the registry.
Benefits of implementation
- Full control over encryption keys for stored container images
- Meets compliance requirements for customer-managed encryption
- Consistent key management across Azure services
Drawbacks and considerations
- Requires Azure Key Vault and CMK infrastructure
- Premium SKU required for CMK support
- Key unavailability affects registry operations
Implementation
Implementation guidance coming soon.
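One way to check a registry against this recommendation, added here as an example and not taken from the original page. It evaluates registry JSON in the shape returned by `az acr show -o json`, and also accepts the ARM form nested under `properties`. The field names `sku.name`, `encryption.status` and `encryption.keyVaultProperties.keyIdentifier` are assumptions about that output; the registry names and key URL are constructed sample values.

```python
import json

# Constructed sample input, trimmed to the fields the check reads.
SAMPLE_REGISTRIES = json.loads("""[
 {"name": "prodimages", "sku": {"name": "Premium"},
  "encryption": {"status": "enabled", "keyVaultProperties":
    {"keyIdentifier": "https://example-kv.vault.azure.net/keys/acr-cmk"}}},
 {"name": "teamimages", "sku": {"name": "Premium"},
  "encryption": {"status": "disabled", "keyVaultProperties": null}},
 {"name": "devimages", "sku": {"name": "Standard"}, "encryption": null}
]""")


def evaluate_registry(reg):
    """Return (compliant, reason) for one registry resource."""
    # ARM exports nest settings under "properties"; the CLI flattens them.
    props = reg.get("properties") or reg
    sku = ((reg.get("sku") or {}).get("name") or "").lower()
    enc = props.get("encryption") or {}
    status = (enc.get("status") or "").lower()
    key_id = (enc.get("keyVaultProperties") or {}).get("keyIdentifier")

    # CMK support requires the Premium SKU, so report that first.
    if sku != "premium":
        return False, "SKU is not Premium, so CMK cannot be enabled"
    if status != "enabled":
        return False, "encryption.status is not 'enabled'"
    # "enabled" without a key reference is treated as a finding, not a pass.
    if not key_id:
        return False, "no Key Vault key identifier configured"
    return True, "CMK enabled with key " + key_id


def audit(registries):
    """Map registry name -> (compliant, reason)."""
    return {r["name"]: evaluate_registry(r) for r in registries}


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_REGISTRIES).items():
        print("PASS" if ok else "FAIL", name, "-", reason)
```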
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Container Security
- Azure Resource
- Frameworks: 1 framework
- Last updated: 2026-02-12