| title | Enable Double Encryption for Your Cluster in Azure Data Explorer |
|---|---|
| description | This article describes how to enable infrastructure encryption (double encryption) during cluster creation in Azure Data Explorer. |
| ms.reviewer | toleibov |
| ms.topic | how-to |
| ms.custom | devx-track-arm-template |
| ms.date | 03/15/2026 |
When you create a cluster, the service automatically encrypts data at the service level. For greater data security, you can additionally enable double encryption.
When you enable double encryption, the cluster encrypts data in the storage account twice by using two different algorithms.
Important
- You can enable double encryption only during cluster creation.
- After you enable infrastructure encryption on your cluster, you can't disable it.
For code samples based on previous SDK versions, see the archived article.
- In the Security tab, under Enable Double Encryption, select On. To remove double encryption, select Off.
- Select Next: Network > or Review + create to create the cluster.
:::image type="content" source="media/double-encryption/double-encryption-portal.png" alt-text="Screenshot of security tab, showing double encryption being enabled on a new cluster.":::
You can enable infrastructure encryption during cluster creation by using C#.
Set up a managed identity by using the Azure Data Explorer C# client:
- Install the Azure Data Explorer NuGet package.
- Install the Azure.Identity NuGet package for authentication.
- Create a Microsoft Entra application and service principal that can access resources. Add a role assignment at the subscription scope and get the required Directory (tenant) ID, Application ID, and Client Secret.
- Create your cluster by using the enableDoubleEncryption property (IsDoubleEncryptionEnabled in the C# SDK):

  ```csharp
  using Azure;
  using Azure.Core;
  using Azure.Identity;
  using Azure.ResourceManager;
  using Azure.ResourceManager.Kusto;
  using Azure.ResourceManager.Kusto.Models;

  var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Directory (tenant) ID
  var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; //Application ID
  var clientSecret = "PlaceholderClientSecret"; //Client Secret
  var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";

  // Authenticate as the service principal and target the subscription.
  var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
  var resourceManagementClient = new ArmClient(credentials, subscriptionId);

  var resourceGroupName = "testrg";
  var subscription = await resourceManagementClient.GetDefaultSubscriptionAsync();
  var resourceGroup = (await subscription.GetResourceGroupAsync(resourceGroupName)).Value;
  var clusters = resourceGroup.GetKustoClusters();

  var clusterName = "mykustocluster";
  var clusterData = new KustoClusterData(
      location: AzureLocation.EastUS,
      sku: new KustoSku(KustoSkuName.StandardE8adsV5, KustoSkuTier.Standard) { Capacity = 5 }
  )
  {
      // Double encryption can be set only here, at creation time.
      IsDoubleEncryptionEnabled = true
  };

  await clusters.CreateOrUpdateAsync(WaitUntil.Completed, clusterName, clusterData);
  ```
- Run the following command to check if you created your cluster successfully:

  ```csharp
  clusterData = (await clusters.GetAsync(clusterName)).Value.Data;
  ```

  If the result contains ProvisioningState with the Succeeded value, you created your cluster successfully.
You can enable infrastructure encryption during cluster creation by using Azure Resource Manager.
You can use an Azure Resource Manager template to automate deployment of your Azure resources. To learn more about deploying to Azure Data Explorer, see Create an Azure Data Explorer cluster and database by using an Azure Resource Manager template.
Add the enableDoubleEncryption property to the cluster resource to tell Azure to enable infrastructure encryption (double encryption) for your cluster.
```json
{
    "apiVersion": "2020-06-14",
    "type": "Microsoft.Kusto/clusters",
    "name": "[variables('clusterName')]",
    "location": "[resourceGroup().location]",
    "properties": {
        "trustedExternalTenants": [],
        "virtualNetworkConfiguration": null,
        "optimizedAutoscale": null,
        "enableDiskEncryption": false,
        "enableStreamingIngest": false,
        "enableDoubleEncryption": true
    }
}
```
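Because double encryption can be set only at cluster creation, it helps to check a template before it is deployed. The following is an added example, not code from the original article or from Microsoft: a Python pre-deployment check that reports the enableDoubleEncryption setting of every Microsoft.Kusto/clusters resource in a template, including those in nested deployments. The sample template, the function names, and the choice to treat an absent property as not enabled are assumptions of this example, and it expects `resources` to be an array.

```python
import json

# Constructed sample template (not from the article): one compliant cluster,
# one that omits the property, one that takes the value from a parameter,
# and one inside a nested deployment with the setting turned off.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Kusto/clusters", "name": "adx-ok",
     "properties": {"enableDoubleEncryption": true}},
    {"type": "Microsoft.Kusto/clusters", "name": "adx-missing",
     "properties": {"enableStreamingIngest": false}},
    {"type": "Microsoft.Kusto/clusters", "name": "adx-param",
     "properties": {"enableDoubleEncryption": "[parameters('doubleEnc')]"}},
    {"type": "Microsoft.Resources/deployments", "name": "nested",
     "properties": {"template": {"resources": [
       {"type": "microsoft.kusto/Clusters", "name": "adx-nested",
        "properties": {"enableDoubleEncryption": false}}]}}}
  ]
}
""")

def iter_resources(resources):
    """Yield every resource, descending into child resources and nested deployments."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        nested = (res.get("properties") or {}).get("template") or {}
        yield from iter_resources(nested.get("resources"))

def classify(value):
    """Map an enableDoubleEncryption value to enabled / not_enabled / unresolved."""
    if value is True:
        return "enabled"
    if isinstance(value, str) and value.startswith("[") and value.endswith("]"):
        return "unresolved"   # template expression; needs the parameter values to decide
    return "not_enabled"      # false, null, absent, or any non-boolean literal

def audit(template):
    """Return {cluster name: status} for every Microsoft.Kusto/clusters resource."""
    report = {}
    for res in iter_resources(template.get("resources")):
        # Resource type names are compared case-insensitively.
        if str(res.get("type", "")).lower() == "microsoft.kusto/clusters":
            props = res.get("properties") or {}
            report[res.get("name", "<unnamed>")] = classify(props.get("enableDoubleEncryption"))
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_TEMPLATE).items():
        print(f"{name}: {status}")
```

A CI job can fail the deployment when any cluster is reported as `not_enabled`, and require a review of the parameter file for any reported as `unresolved`.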