In Azure some services are encrypted by default using keys managed by Azure. When you create a storage account, it is encrypted by default with an Azure-managed key. Data in an Azure storage account is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest ciphers available. It is also FIPS 140-2 compliant.
But for compliance reasons, some organizations need a more secure way of encrypting the storage account at rest. Some organizations have a requirement to use a customer-managed encryption key instead of the Azure-managed key. In that case we use an Azure storage account together with Azure Key Vault: we create our own encryption key and use it for the encryption.
For customer-managed keys we use Azure Key Vault to store the keys used for storage encryption. We can either create our own keys and store them in a key vault, or use the Azure Key Vault APIs to generate keys. The storage account and the Key Vault should be in the same region to encrypt the storage account.
Before we enable this we need to have the following prerequisites.
- Azure Account
- Storage Account
- Azure Key Vault
Create a Storage Account
First we need to create a storage account as follows. Click Create.
Next provide the details for the storage account creation. Click Review + Create.
Create Azure Key Vault
Create a Key Vault as follows. Search in the Azure Portal for Key Vault; we can find it as below.
Next provide the configuration settings needed for Key Vault creation. Click Create.
Encrypt the Storage Account
We will walk through how to encrypt the storage account using a customer-managed key.
Select the Storage Account and click Encryption.
Under Encryption select Use your own key. Next, under Encryption Key, choose Select from Key Vault.
Under Key Vault select the Key Vault to use for the encryption.
Next, under Encryption Key, select the key from the Key Vault. If you already have a key in the vault we can use it; otherwise we need to create a new key as below.
Configure the new key values as below. Click Create.
Next select the key and click Save.
After configuring the Key Vault encryption it is shown as follows.
Now the Storage Account uses the key defined in the key vault to encrypt the data at rest inside the storage account.
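The same procedure (create the storage account, create the key vault, generate the key, switch the account to the customer-managed key, and verify the result) scripted with the Az PowerShell module. This is an added example, not part of the original post; the resource group, region, account and vault names and the SKU are assumptions to replace with your own, and it assumes Connect-AzAccount has already been run.

```powershell
# Added example (not from the original post): the portal steps above done with the
# Az PowerShell module. Resource names, the region and the SKU are assumptions;
# replace them with your own. Requires Connect-AzAccount to have been run first.

$rg       = "rg-cmk-demo"       # assumed resource group name
$location = "westeurope"        # assumed region; storage account and vault share it
$saName   = "stcmkdemo001"      # assumed storage account name (globally unique)
$kvName   = "kv-cmk-demo-001"   # assumed key vault name (globally unique)
$keyName  = "storage-cmk-key"   # assumed key name

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 1. Storage account. -AssignIdentity gives it a system-assigned managed identity,
#    which is the principal Key Vault will authorise to wrap/unwrap the data keys.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 -AssignIdentity

# 2. Key Vault. Customer-managed keys for storage require soft delete (on by default
#    for new vaults) and purge protection, so a deleted key cannot be purged while
#    data still depends on it.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
        -EnablePurgeProtection

# 3. Least-privilege access policy: the storage account's identity needs only
#    get, wrapKey and unwrapKey on keys; no create, delete or list.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId `
        -PermissionsToKeys get, wrapKey, unwrapKey

# 4. Generate the key inside the vault (RSA software key; use -Destination HSM
#    for an HSM-backed key on a premium vault).
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software

# 5. Point the storage account's encryption at that key (the "Use your own key" step).
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
        -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version `
        -KeyVaultUri $kv.VaultUri | Out-Null

# 6. Verify: KeySource must be Microsoft.Keyvault and the key properties must match.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption
if ($enc.KeySource -ne "Microsoft.Keyvault") {
    throw "Storage account '$saName' still uses Microsoft-managed keys"
}
"{0} encrypted with key {1} (version {2}) from {3}" -f $saName, `
    $enc.KeyVaultProperties.KeyName, $enc.KeyVaultProperties.KeyVersion, `
    $enc.KeyVaultProperties.KeyVaultUri
```

Step 6 is the check worth keeping in any deployment pipeline: a KeySource of Microsoft.Storage means the account silently fell back to, or never left, the Azure-managed key. Keep in mind that once the account depends on the vault key, disabling, deleting or revoking access to that key makes the stored data unreadable until access is restored, which is why the vault is created with purge protection and the storage identity is granted only the three key permissions it needs.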