- Storage Account Encryption using Customer Managed Keys
Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e. default keys used by Microsoft Azure for data encryption), in order to have a more granular control over your Azure Storage data encryption and decryption process.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
By default, the data stored within your Azure Storage accounts (blobs, disks, files, queues, and tables) is encrypted using service-managed keys (i.e. Microsoft Managed Keys), therefore you may want to bring your own key for encrypting your cloud storage account data in order to gain full control over who can use the encryption keys and who can access the encrypted data. With CMKs, you can also choose to automatically update the key version used for storage encryption whenever a new version is available in the associated Azure Key Vault.
Audit
To determine if your Microsoft Azure Storage account data is encrypted using Customer Managed Keys (CMKs), perform the following actions:
Using Azure Portal
01 Sign in to the Azure Management Console.
02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.
03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.
04 Click on the name (link) of the Azure Storage account that you want to examine.
05 In the blade navigation panel, under Security + networking, choose Encryption to access the encryption settings available for the selected storage account.
06 Choose the Encryption tab, and check the Encryption type configuration setting. If the Encryption type is set to Microsoft-managed keys, encryption at rest using Customer Managed Keys (CMKs) is not enabled for the selected Microsoft Azure Storage account.
07 Repeat steps no. 4 – 6 for each storage account available within the selected subscription.
08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run storage account list command (Windows/macOS/Linux) with custom query filters to describe the identifier for each storage account available in the current Azure subscription:
az storage account list --query '[*].name'
02 The command output should return the requested resource identifiers (names):
[ "abcdabcdabcd123412341234", "abcd1234abcd1234abcd1234", "123412341234abcdabcdabcd" ]
03 Run storage account show command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to examine as the identifier parameter, with a custom query filter that returns the name of the Customer Managed Key used for data encryption within the selected storage account. If the following storage account show command does not produce an output, the data stored within the selected Microsoft Azure Storage account is not encrypted using a Customer Managed Key (CMK):
az storage account show --name abcdabcdabcd123412341234 --query 'encryption.keyVaultProperties.keyName'
04 Repeat step no. 3 for each storage account provisioned in the current Azure subscription.
05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
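The CLI audit above checks one account at a time. The script below is an added example, not part of the Conformity page, that does the same check for every storage account in every subscription the signed-in identity can see, by querying the encryption key source (encryption.keySource) once per subscription. It assumes az is installed and az login has already run; the account and vault names in the comments are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not part of the Conformity page: report the encryption key
# source of every storage account in every subscription the signed-in identity
# can see. Assumes `az` is installed and `az login` has already run. The
# account and vault names used for testing are constructed samples.
set -eu

# classify_key_source KEY_SOURCE
# Maps the encryption.keySource value of a storage account to a verdict.
# "Microsoft.Keyvault" means a customer-managed key; "Microsoft.Storage" (or an
# empty field, which is how `-o tsv` renders null) means Microsoft-managed keys.
classify_key_source() {
  case "${1:-}" in
    Microsoft.Keyvault) echo "CMK" ;;
    Microsoft.Storage|"") echo "MMK" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# audit_tsv
# Reads rows of "name <TAB> keySource <TAB> keyName <TAB> keyVaultUri" on stdin
# (the shape produced by the --query below with -o tsv) and prints one verdict
# line per account. Exit status is 1 if any account is not on a CMK, so the
# function can gate a pipeline stage.
audit_tsv() {
  local tab name source keyname vault verdict rc=0
  tab=$(printf '\t')
  while IFS=$tab read -r name source keyname vault; do
    if [ -z "$name" ]; then continue; fi
    verdict=$(classify_key_source "$source")
    if [ "$verdict" = "CMK" ]; then
      printf 'COMPLIANT\t%s\t%s\t%s\n' "$name" "$keyname" "$vault"
    else
      printf 'NON_COMPLIANT\t%s\t%s\n' "$name" "${source:-Microsoft.Storage}"
      rc=1
    fi
  done
  return "$rc"
}

# run_audit
# Iterates subscriptions and feeds each one's storage accounts to audit_tsv.
# One az call per subscription replaces the per-account `storage account show`
# loop from the page.
run_audit() {
  local sub
  for sub in $(az account list --query '[].id' -o tsv); do
    printf '## subscription %s\n' "$sub"
    az storage account list --subscription "$sub" -o tsv \
      --query '[].[name, encryption.keySource, encryption.keyVaultProperties.keyName, encryption.keyVaultProperties.keyVaultUri]' \
      | audit_tsv || true   # keep going; the report lines already show the failures
  done
}

# Only talk to Azure when explicitly asked, so the functions can be sourced and
# tested offline.
if [ "${1:-}" = "--run" ]; then
  run_audit
fi
```

Run it as `./audit-cmk.sh --run`; a NON_COMPLIANT line corresponds to an account whose storage account show query on the page returns no key name. The non-zero exit status of audit_tsv is what lets the same script fail a CI job when any account is still on Microsoft-managed keys.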
Remediation / Resolution
To enable encryption at rest for your Microsoft Azure Storage accounts using Customer Managed Keys (CMKs), perform the following actions:
Using Azure Portal
01 Sign in to the Azure Management Console.
02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults and click + Create to create the Azure Key Vault that will store your new Customer Managed Key.
03 On the Create key vault setup page, perform the following actions:
- For Basics, choose the appropriate subscription and resource group, provide a unique name for the new key vault, then select the Azure cloud region where the vault will be deployed. You can also choose the pricing tier for the key vault at this point. Choose Next : Access policy > to continue.
- For Access policy, select Vault access policy for Permission model, and choose + Add Access Policy to create the policy that allows the Microsoft Azure Storage service to retrieve, recover, wrap, and unwrap encryption keys from the new vault. Once the access policy is configured, choose Add to attach it to the key vault. Choose Next : Networking > to continue the setup process.
- For Networking, configure the network access control for the new key vault. Select the Connectivity method that you want to use and ensure that only trusted Azure services and/or networks can access your vault. Choose Next : Tags > to continue.
- For Tags, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Next : Review + create > to validate the setup.
- For Review + create, review the resource configuration details, then choose Create to create your new Azure Key Vault.
04 Click on the name of the newly created Microsoft Azure Key Vault.
05 In the blade navigation panel, under Settings, select Keys, then choose + Generate/Import to create the Customer Managed Key required for the Azure Storage accounts encryption.
06 On the Create a key setup page, provide a unique name for the encryption key in the Name box, choose an activation and/or expiration date, set the Enabled flag to Yes, then choose Create to generate your new Customer Managed Key (CMK).
07 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.
08 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.
09 Click on the name of the Azure Storage account that you want to reconfigure.
10 In the blade navigation panel, under Security + networking, choose Encryption.
11 Choose the Encryption tab, and perform the following operations:
- For Encryption type, choose Customer-managed keys.
- For Encryption key, choose Select from key vault.
- For Key vault and key, click on the Select a key vault and key link and select the vault and key created earlier in the Remediation process.
- Choose Save to apply the changes. This will enable encryption with Customer Managed Keys (CMKs) for the selected Microsoft Azure Storage account.
12 Repeat steps no. 9 – 11 for each storage account created within the selected Azure subscription.
13 Repeat steps no. 2 – 11 for each subscription available in your Microsoft Azure cloud account.
Using Azure CLI
01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required Customer Managed Key will be placed:
az keyvault create --name cc-production-vault --resource-group cloud-shell-storage-westeurope --location westeurope --enabled-for-deployment true --enabled-for-template-deployment true --query 'properties.accessPolicies[*].objectId'
02 The command output should return the object ID of the new Microsoft Azure Key Vault:
[ "abcdabcd-1234-1234-1234-abcdabcdabcd" ]
03 Run keyvault set-policy command (Windows/macOS/Linux) using the object ID and the name of the newly created key vault as the identifier parameters to assign the right permissions for the selected vault:
az keyvault set-policy --name cc-production-vault --object-id abcdabcd-1234-1234-1234-abcdabcdabcd --key-permissions get recover unwrapKey wrapKey
04 The command output should return the modified key vault configuration metadata:
{
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault",
  "location": "westeurope",
  "name": "cc-production-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
        "permissions": {
          "certificates": [ "get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover" ],
          "keys": [ "get", "wrapKey", "recover", "unwrapKey" ],
          "secrets": [ "get", "list", "set", "delete", "backup", "restore", "recover" ],
          "storage": [ "get", "list", "delete", "set", "update", "regeneratekey", "setsas", "listsas", "getsas", "deletesas" ]
        },
        "tenantId": "abcdabcd-1234-1234-1234-abcdabcdabcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "sku": { "family": "A", "name": "standard" },
    "softDeleteRetentionInDays": 90,
    "tenantId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
    "vaultUri": "https://cc-production-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": {
    "createdAt": "2021-10-12T08:46:41.338000+00:00",
    "createdBy": "admin@domain.com",
    "createdByType": "User",
    "lastModifiedAt": "2021-10-12T08:45:05.813000+00:00",
    "lastModifiedBy": "admin@domain.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}
05 Run keyvault key create command (Windows/macOS/Linux) to create the Customer Managed Key (CMK), required to encrypt data within your Microsoft Azure Storage account:
az keyvault key create --name cc-production-cmk --vault-name cc-production-vault --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey --expires "2022-12-10T10:30:00Z" --protection software --disabled false --query 'key.kid'
06 The command output should return the ID of the new CMK. This identifier contains the encryption key version, a 32-digit number (e.g. "12345678901234567890123456789012") that will be used later as the value for the --encryption-key-version command parameter, to enable encryption for your storage account:
"12345678901234567890123456789012"
07 Run storage account update command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to reconfigure as the identifier parameter, to enable encryption with Customer Managed Keys (CMKs) for the selected storage account (the command does not produce an output):
az storage account update --name abcdabcdabcd123412341234 --encryption-key-name cc-production-cmk --encryption-key-version 12345678901234567890123456789012 --encryption-key-source Microsoft.Keyvault --encryption-key-vault https://cc-production-vault.vault.azure.net/
08 Repeat step no. 7 for each storage account created within the current Azure subscription.
09 Repeat steps no. 1 – 8 for each subscription available in your Microsoft Azure cloud account.
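The script below is an added example, not part of the Conformity page, that carries the CLI remediation through for one storage account and adds the grant a practitioner will otherwise hit as an error: the storage account's own system-assigned managed identity is the principal that performs get, wrapKey and unwrapKey against the vault, so that identity needs the access policy. The object ID that the page's keyvault create query returns belongs to the default access policy the CLI adds for the signed-in principal, not to the storage account. The script assumes az is installed and logged in, uses the page's sample names, and with DRY_RUN=1 (the default) prints each az command instead of running it. The vault_uri helper assumes the Azure public cloud DNS suffix.

```shell
#!/usr/bin/env bash
# Added example, not part of the Conformity page: enable CMK encryption on one
# storage account with the az CLI, including the access-policy grant for the
# storage account's managed identity. Assumes `az` is installed and logged in;
# names are the page's sample names. DRY_RUN=1 (the default) prints each az
# command instead of running it.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS... : execute the command, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# vault_uri VAULT_NAME : Key Vault endpoint in the Azure public cloud
# (assumption: sovereign clouds use a different DNS suffix)
vault_uri() {
  printf 'https://%s.vault.azure.net/\n' "$1"
}

# key_version_from_kid KID : last path segment of a key identifier such as
# https://<vault>.vault.azure.net/keys/<key>/<version>
key_version_from_kid() {
  local kid="${1%/}"
  printf '%s\n' "${kid##*/}"
}

# enable_cmk ACCOUNT RESOURCE_GROUP VAULT KEY LOCATION
enable_cmk() {
  local account="$1" rg="$2" vault="$3" key="$4" location="$5"
  local principal kid version

  # 1. Vault with purge protection: storage CMK requires soft delete (on by
  #    default) and purge protection so the key cannot be destroyed under the data.
  run az keyvault create --name "$vault" --resource-group "$rg" \
      --location "$location" --enable-purge-protection true

  # 2. Give the storage account a system-assigned identity and read back its
  #    principal ID; this is the object ID the access policy must name.
  if [ "$DRY_RUN" = "1" ]; then
    principal="<storage-account-principal-id>"
  else
    principal=$(az storage account update --name "$account" --resource-group "$rg" \
                  --assign-identity --query identity.principalId -o tsv)
  fi

  # 3. Least-privilege grant: only the key operations the storage service uses.
  run az keyvault set-policy --name "$vault" --object-id "$principal" \
      --key-permissions get unwrapKey wrapKey

  # 4. Create the key and capture its identifier to learn the version.
  if [ "$DRY_RUN" = "1" ]; then
    kid="$(vault_uri "$vault")keys/$key/<version>"
  else
    kid=$(az keyvault key create --name "$key" --vault-name "$vault" \
            --kty RSA --size 2048 --ops unwrapKey wrapKey \
            --protection software --query key.kid -o tsv)
  fi
  version=$(key_version_from_kid "$kid")

  # 5. Point the storage account at the key.
  run az storage account update --name "$account" --resource-group "$rg" \
      --encryption-key-source Microsoft.Keyvault \
      --encryption-key-vault "$(vault_uri "$vault")" \
      --encryption-key-name "$key" \
      --encryption-key-version "$version"
}

# Sample invocation with the page's names; export DRY_RUN=0 to apply for real.
enable_cmk abcdabcdabcd123412341234 cloud-shell-storage-westeurope \
           cc-production-vault cc-production-cmk westeurope
```

Pinning --encryption-key-version as the page does means a key rotation in the vault is not picked up until the account is updated again; the automatic key version update mentioned at the top of the page requires the account not to be pinned to a version, and the exact CLI spelling for that depends on the az version in use (see az storage account update --help). Because the policy grants only get, unwrapKey and wrapKey to the storage identity, a compromise of the signed-in operator account does not by itself yield standing key-unwrap rights on the vault.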
References
- Azure Official Documentation
- Azure Storage encryption for data at rest
- Protect data at rest
- About Azure Storage encryption
- Security Control V2: Data Protection
- Azure Command Line Interface (CLI) Documentation
- az
- az storage account list
- az storage account show
- az storage account update
- az keyvault
- az keyvault create
- az keyvault key
- az keyvault set-policy
- az keyvault key create