01 Run keyvault create command (Windows/macOS/Linux) to create the Azure Key Vault that will store the new Customer-Managed Key (CMK). Soft delete and purge protection must both be enabled on this vault: Azure Storage requires them before it accepts a CMK from the vault, and they prevent a deleted key (and with it every object encrypted under it) from becoming unrecoverable. Soft delete is on by default; purge protection is enabled explicitly below and cannot be turned off again once set:
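# Create the vault that will hold the storage CMK.
# --enable-purge-protection is required by Azure Storage for CMK vaults and
# blocks permanent deletion of the key during the soft-delete retention window
# (softDeleteRetentionInDays in the output). It is irreversible once enabled.
az keyvault create
--name cc-log-data-key-vault
--resource-group cloud-shell-storage-westeurope
--location westeurope
--enable-purge-protection true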
02 The command output should return the configuration information available for the newly created Azure Key Vault:
{
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-log-data-key-vault",
"location": "westeurope",
"name": "cc-log-data-key-vault",
"properties": {
"accessPolicies": [
{
"applicationId": null,
"objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
"permissions": {
"certificates": [
"all"
],
"keys": [
"all"
],
"secrets": [
"all"
],
"storage": [
"all"
]
},
"tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
}
],
"createMode": null,
"enablePurgeProtection": null,
"enableRbacAuthorization": null,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
"enabledForTemplateDeployment": null,
"hsmPoolResourceId": null,
"networkAcls": null,
"privateEndpointConnections": null,
"provisioningState": "Succeeded",
"publicNetworkAccess": "Enabled",
"sku": {
"family": "A",
"name": "standard"
},
"softDeleteRetentionInDays": 90,
"tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
"vaultUri": "https://cc-log-data-key-vault.vault.azure.net/"
},
"resourceGroup": "cloud-shell-storage-westeurope",
"systemData": {
"createdAt": "2022-08-11T15:24:31.689000+00:00",
"createdBy": "user@domain.com",
"createdByType": "User",
"lastModifiedAt": "2022-08-11T15:24:31.689000+00:00",
"lastModifiedBy": "user@domain.com",
"lastModifiedByType": "User"
},
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
03 Run keyvault key create command (Windows/macOS/Linux) to create a new Customer-Managed Key (CMK) within the Azure Key Vault created at the previous step. Note that a key used only to protect a storage account's encryption key needs just the wrapKey and unwrapKey operations; the wider set of operations granted below is permissive, and restricting --ops to wrapKey unwrapKey follows least privilege if the key has no other use:
# Create a 2048-bit RSA key in the vault created in the previous step; this key
# becomes the storage account's CMK. The listed operations are what the key is
# allowed to perform.
az keyvault key create
--vault-name cc-log-data-key-vault
--name cc-log-data-key
--kty RSA
--size 2048
--ops encrypt decrypt wrapKey unwrapKey sign verify
04 The command output should return the configuration information for the new CMK:
{
"attributes": {
"created": "2022-08-11T15:26:54+00:00",
"enabled": true,
"expires": null,
"exportable": false,
"notBefore": null,
"recoverableDays": 90,
"recoveryLevel": "Recoverable+Purgeable",
"updated": "2022-08-11T15:26:54+00:00"
},
"key": {
"crv": null,
"d": null,
"dp": null,
"dq": null,
"e": "AQAB",
"k": null,
"keyOps": [
"encrypt",
"decrypt",
"wrapKey",
"unwrapKey",
"sign",
"verify"
],
"kid": "https://cc-log-data-key-vault.vault.azure.net/keys/cc-log-data-key/abcdabcd1234abcd1234abcd1234abcd",
"kty": "RSA",
"n": "...",
"p": null,
"q": null,
"qi": null,
"t": null,
"x": null,
"y": null
},
"managed": null,
"releasePolicy": null,
"tags": null
}
05 Run keyvault set-policy command (Windows/macOS/Linux) to add an access policy to the Azure Key Vault created earlier in the process. The --name parameter takes the vault name (not the key name), and --object-id must be the principal ID of the identity the storage account uses to reach the vault (its managed identity); grant only the get, wrapKey and unwrapKey key permissions, which is all the storage service needs:
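# Grant the storage account's identity the minimum key permissions it needs.
# --name is the VAULT name (the original listing passed the key name here,
# which targets a non-existent vault). --object-id is the principal ID of the
# identity the storage account authenticates to the vault with.
az keyvault set-policy
--name cc-log-data-key-vault
--object-id 1234abcd-1234-abcd-1234-abcd1234abcd
--key-permissions get wrapkey unwrapkey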
06 The command output should return the information available for the reconfigured key vault:
{
"id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-log-data-key-vault",
"location": "westeurope",
"name": "cc-log-data-key-vault",
"properties": {
{
"applicationId": null,
"permissions": {
"certificates": null,
"keys": [
"get",
"wrapKey",
"unwrapKey"
],
"secrets": null,
"storage": null
},
}
],
...
"createMode": null,
"enablePurgeProtection": true,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"vaultUri": "https://cc-log-data-key-vault.vault.azure.net/"
},
"resourceGroup": "cloud-shell-storage-westeurope",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
07 Run storage account update command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to reconfigure as the identifier parameter, to configure encryption at rest with the Customer-Managed Key (CMK) created at the previous steps for the selected storage account and all the data containers created inside the storage account. Passing --encryption-key-version pins the account to that specific key version, so a later key rotation in the vault will not be picked up until the account is updated again; leave the version out if the account should follow the latest key version automatically:
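# Point the storage account's encryption at the Key Vault key created above.
# --encryption-key-version pins the account to one key version; omit it if the
# account should track the current version of the key after rotation.
# (Parameter style normalised to "--flag value" like the rest of the listing.)
az storage account update
--name abcd1234abcdabcd1234abcd
--resource-group cloud-shell-storage-westeurope
--encryption-key-source Microsoft.Keyvault
--encryption-key-vault https://cc-log-data-key-vault.vault.azure.net/
--encryption-key-name cc-log-data-key
--encryption-key-version abcdabcd12341234abcdabcd12341234
--encryption-services blob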
08 The command output should return the configuration information available for the modified storage account. Check that "keySource" is "Microsoft.Keyvault" and that "keyVaultProperties" names the expected vault and key. Note that the example output also shows "enableHttpsTrafficOnly": false, meaning this account still accepts unencrypted HTTP requests; that setting is independent of encryption at rest and should be reviewed separately:
{
"accessTier": null,
"azureFilesIdentityBasedAuthentication": null,
"creationTime": "2022-08-11T15:26:54+00:00",
"customDomain": null,
"enableHttpsTrafficOnly": false,
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyVaultProperties": {
"keyName": "cc-log-data-key",
"keyVaultUri": "https://cc-log-data-key-vault.vault.azure.net/",
"keyVersion": "abcdabcd12341234abcdabcd12341234"
},
"services": {
"blob": {
"enabled": true,
"lastEnabledTime": "2022-08-11T15:26:54+00:00"
},
"file": {
"enabled": true,
"lastEnabledTime": "2022-08-11T15:26:54+00:00"
}
}
},
...
"primaryLocation": "westeurope",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"secondaryEndpoints": null,
"secondaryLocation": null,
"sku": {
"capabilities": null,
"kind": null,
"locations": null,
"name": "Standard_LRS",
"resourceType": null,
"restrictions": null,
"tier": "Standard"
},
"statusOfPrimary": "available",
"statusOfSecondary": null,
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
}
09 Repeat step no. 7 for each Azure Storage account that should be encrypted with the CMK, then repeat steps no. 1 – 8 for each subscription created within your Microsoft Azure cloud account.