Can infrastructure (double) encryption be enabled on an existing Azure Service Bus namespace? Does it require the namespace to be recreated?

Question

Can infrastructure (double) encryption be enabled on an existing Azure Service Bus namespace? Does it require the namespace to be recreated?

Hailey Martinez 0

Can infrastructure (double) encryption be enabled on an existing Azure Service Bus namespace, without recreating the namespace?

namespace is using Microsoft managed keys
Premium service bus namespace

Would like to implement this standard but not sure if it requires recreation/downtime to achieve.

0 comments

2 answers

Your answer

Answer 1

Hi @Hailey Martinez ,

Thanks for reaching out to Microsoft Q&A.

Currently, to enable infrastructure encryption, your namespace must switch from using Microsoft-managed keys to customer-managed keys. You can enable this later by updating your Azure Resource Manager template with the requireInfrastructureEncryption property.

Importantly, you don’t need to recreate the namespace to implement this change, so you should be able to do this without downtime.

Here's a snippet of how to update it in your template:

"properties": {
   "encryption": {
      "keySource": "Microsoft.KeyVault",
      "requireInfrastructureEncryption": true,
      "keyVaultProperties": [
         {
            "keyName": "[parameters('keyName')]",
            "keyVaultUri": "[parameters('keyVaultUri')]"
         }
      ]
   }
}

Steps to Enable Double Encryption:

Confirm that you want to switch from Microsoft-managed keys to customer-managed keys.
Update the configuration using the Azure Resource Manager template as shown above.
Validate that the change is successfully applied.

References:

Hope it helps!

Please do not forget to click "Accept the answer” and Yes, this can be beneficial to other community members.

User's image

If you have any other questions, let me know in the "comments" and I would be happy to help you.

Hailey Martinez 0 Reputation points

2025-12-18T17:54:28.31+00:00

Hello @Pravallika KV thank you for the swift response!

From what I understand,

Switching from Microsoft managed keys to customer managed keys will NOT cause downtime

Enabling the requireInfrastructureEncryption will NOT cause downtime

Namespace recreation is NOT neccesssary.

If there are any inconsistencies in my understanding, please correct me! If not, thank you again for the quick response :)
Pravallika KV 12,820 Reputation points Microsoft External Staff Moderator

2025-12-18T17:57:11.32+00:00

@Hailey Martinez ,Yes, your understanding is correct.

If all your concerns have been resolved, kindly take a moment to accept the answer and upvote it 👍 it as a token of appreciation. This helps both us and others in the community.

Answer 2

Yes, infrastructure (double) encryption can be enabled on an existing Azure Service Bus namespace that is using Microsoft-managed keys. This can be done without recreating the namespace. You can switch from Microsoft-managed keys to customer-managed keys and enable infrastructure encryption by updating the Azure Resource Manager template with the requireInfrastructureEncryption property. This means that there is no need for downtime or recreation of the namespace to implement this standard.

References:

Share via

Can infrastructure (double) encryption be enabled on an existing Azure Service Bus namespace? Does it require the namespace to be recreated?

2 answers

Your answer