We develop a cloud based SaaS solution suitable for multiple tenants. For very sensitive data, we need to isolate tenants and provide end-to-end encryption for users assigned to this tenant. Not even the operators of the SaaS solution provider should be able to decrypt the data.
Azure Storage
I see that i could use the client-side encryption feature along with Azure Key Value for Azure Storage to accomplish this, allowing every tenant to provide a separate Azure KeyVault account which manages the encryption keys.
Azure Cosmos DB
As Azure Cosmos DB provides superior features regarding scalability, we would like to use Cosmos over Azure Storage. However, i didn't find a comparable feature for Cosmos DB providing end-to-end encryption capabilitys. The only Cosmos DB encryption feature i found is encryption at rest.
So my question is:
Is there a comparable feature for Azure Cosmos DB i could use to achieve the same goal (end-to-end encryption)?
I've got an answer from the Azure Cosmos DB Team on Twitter
Cosmos DB currently only supports encryption at rest and in transit. BYOK scenarios are on their roadmap.
Update: The Feature is now generally available.