- Use BYOK for Storage Account Encryption
Ensure that your Azure Storage accounts are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for data encryption), in order to have a more granular control over your Azure Storage data encryption and decryption process.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
By default, the data (blobs and files) stored within your Azure Storage accounts is encrypted using service-managed keys (i.e. Microsoft Managed Keys). You may therefore want to bring your own key for encrypting your cloud storage account data, so that you gain full control over who can use the encryption keys and who can access the encrypted data.
Audit
To determine if your Microsoft Azure Storage account data is encrypted with customer-managed keys (CMKs), perform the following actions:
Using Azure Portal
01 Sign in to Azure Management Console.
02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.
03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box.
04 Click on the name of the Azure Storage account that you want to examine.
05 In the navigation panel, under Settings, choose Encryption to access the encryption configuration settings for the selected storage account.
06 On the Encryption page, check the Customer-managed keys checkbox. If the checkbox is not selected, data-at-rest encryption using Bring Your Own Key (BYOK) is not enabled for the selected Microsoft Azure Storage account.
07 Repeat steps no. 4 – 6 for each storage account available within the selected subscription.
08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run storage account list command (Windows/macOS/Linux) using custom query filters to describe the identifier for each storage account available in the current Azure subscription:
az storage account list --query '[*].name'
02 The command output should return the requested resource identifiers (names):
[ "abcdabcdabcd123412341234", "abcd1234abcd1234abcd1234", "123412341234abcdabcdabcd" ]
03 Run storage account show command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to examine as the identifier parameter and custom query filters to obtain the name of the customer-managed key used for data encryption within the selected storage account. If the following storage account show command does not produce an output, the data available in the selected Microsoft Azure Storage account is not encrypted using a customer-managed key (also known as Bring Your Own Key - BYOK):
az storage account show --name abcdabcdabcd123412341234 --query 'encryption.keyVaultProperties.keyName'
04 Repeat step no. 3 for each storage account provisioned in the current subscription.
05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
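The same check can be run over the full JSON that az storage account list prints, so every account in the subscription is classified in one pass. This is an added example and not part of the Conformity page or of the Azure CLI; the account list it embeds is a constructed sample, and it reads the encryption.keySource and encryption.keyVaultProperties.keyName fields of each storage account.

```python
import json
import sys

# Constructed sample of `az storage account list -o json`, trimmed to the
# fields this check reads (not real output from any tenant).
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "abcdabcdabcd123412341234",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {
                        "keyName": "cc-production-byok",
                        "keyVaultUri": "https://cc-production-vault.vault.azure.net/",
                        "keyVersion": "12345678901234567890123456789012"}}},
    {"name": "abcd1234abcd1234abcd1234",
     "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None}},
    {"name": "123412341234abcdabcdabcd", "encryption": None},
])


def uses_customer_managed_key(account: dict) -> bool:
    """True only when the account encrypts with a key held in Key Vault."""
    encryption = account.get("encryption") or {}
    props = encryption.get("keyVaultProperties") or {}
    return (encryption.get("keySource") == "Microsoft.Keyvault"
            and bool(props.get("keyName")))


def audit(accounts_json: str) -> dict:
    """Return {"compliant": [...], "non_compliant": [...]} account names."""
    report = {"compliant": [], "non_compliant": []}
    for account in json.loads(accounts_json):
        bucket = "compliant" if uses_customer_managed_key(account) else "non_compliant"
        report[bucket].append(account["name"])
    return report


if __name__ == "__main__":
    # Pipe real output in: az storage account list -o json | python audit_byok.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACCOUNTS
    result = audit(data)
    for name in result["non_compliant"]:
        print(f"NON-COMPLIANT: {name} is encrypted with service-managed keys")
    for name in result["compliant"]:
        print(f"OK: {name} uses a customer-managed key")
    sys.exit(1 if result["non_compliant"] else 0)
```

Run it once per subscription after az account set, since az storage account list only returns accounts from the current subscription.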
Remediation / Resolution
To enable encryption at rest using Bring Your Own Keys (BYOKs) for all your Microsoft Azure Storage accounts, perform the following actions:
Using Azure Portal
01 Sign in to Azure Management Console.
02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.KeyVault%2Fvaults and click + Add to create the Azure Key Vault that will store the customer-managed key.
03 On the Create key vault page, perform the following actions:
- On the Basics panel, choose the appropriate subscription, provide a unique name for the new key vault, then select the Azure region and the resource group where the vault will be deployed. Click Next : Access policy > to continue.
- On the Access policy panel, click Add Access Policy to create the policy that allows Microsoft Azure Storage service to retrieve, recover, wrap and unwrap encryption keys from the new vault. Once the policy is configured click Add to attach it. Click Next: Networking > to continue the setup process.
- On the Networking panel, configure the network access control for the new key vault. Ensure that only trusted Azure services and/or networks can access the vault. Click Next : Tags > to continue.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Click Next : Review + create > to validate the setup.
- On the Review + create panel, review the resource configuration details, then click Create to create your new Azure Key Vault.
04 Click on the name of the newly created Microsoft Azure Key Vault.
05 In the navigation panel, under Settings, select Keys, then click Generate/Import button to create the customer-managed key required for the Azure Storage accounts encryption.
06 On the Create a key panel, in the Name box, provide a name for your new encryption key, choose an activation and/or expiration date, then click Create to generate your new customer-managed key (Bring Your Own Key - BYOK).
07 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.
08 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box.
09 Click on the name of the Azure Storage account that you want to reconfigure.
10 In the navigation panel, under Settings, choose Encryption to access the encryption configuration settings for the selected storage account.
11 On the Encryption page, select Customer-managed keys checkbox and perform the following actions:
- For Encryption key, choose Select from Key Vault option.
- Click Select under Key Vault and select the Azure Key Vault created at the previous steps.
- Click Select under Encryption key and select the customer-managed key created earlier in the process.
- Click Save to apply the changes and enable encryption with BYOK for the selected Microsoft Azure Storage account.
12 Repeat steps no. 9 – 11 for each storage account created within the selected subscription.
13 Repeat steps no. 2 – 11 for each subscription available in your Microsoft Azure cloud account.
Using Azure CLI
01 Run storage account show command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to reconfigure as the identifier parameter to describe the ID of the storage account principal:
az storage account show --name abcdabcdabcd123412341234 --query 'identity.principalId'
02 The command output should return the requested storage account principal ID:
"abcdabcd-1234-1234-1234-abcdabcdabcd"
If the command output does not return a principal ID as shown in the example above, the requested principal ID is missing, and you need to assign an identity to the storage account. Run storage account update command using the storage account name and the resource group name as parameters:
az storage account update --name abcdabcdabcd123412341234 --resource-group cloud-shell-storage-westeurope --assign-identity
03 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key will be placed:
az keyvault create --name cc-production-vault --resource-group cloud-shell-storage-westeurope --location westeurope --enabled-for-deployment true --enabled-for-template-deployment true --enable-soft-delete true --enable-purge-protection true --query 'properties.accessPolicies[*].objectId'
04 The command output should return the Key Vault ID set for the new Microsoft Azure Key Vault:
[ "abcdabcd-1234-1234-1234-abcdabcdabcd" ]
05 Run keyvault set-policy command (Windows/macOS/Linux) using the principal ID obtained at step no. 2 as the object ID and the name of the newly created key vault as identifier parameters, to assign the right permissions for the selected vault:
az keyvault set-policy --name cc-production-vault --object-id abcdabcd-1234-1234-1234-abcdabcdabcd --key-permissions get recover unwrapKey wrapKey
06 The command output should return the modified key vault configuration metadata:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault",
  "location": "westeurope",
  "name": "cc-production-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "...",
        "permissions": {
          "certificates": [ "get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover" ],
          "keys": [ "get", "create", "delete", "list", "update", "import", "backup", "restore", "recover" ],
          "secrets": [ "get", "list", "set", "delete", "backup", "restore", "recover" ],
          "storage": [ "get", "list", "delete", "set", "update", "regeneratekey", "setsas", "listsas", "getsas", "deletesas" ]
        },
        "tenantId": "..."
      },
      {
        "applicationId": null,
        "objectId": "...",
        "permissions": {
          "certificates": null,
          "keys": [ "get", "recover", "unwrapKey", "wrapKey" ],
          "secrets": null,
          "storage": null
        },
        "tenantId": "..."
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": true,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": { "name": "standard" },
    "tenantId": "...",
    "vaultUri": "https://cc-production-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}
07 Run keyvault key create command (Windows/macOS/Linux) to create the customer-managed key (Bring Your Own Key - BYOK), required to encrypt data within your Microsoft Azure Storage account:
az keyvault key create --name cc-production-byok --vault-name cc-production-vault --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey --expires "2020-12-05T10:30:00Z" --protection software --disabled false --query 'key.kid'
08 The command output should return the ID of the new customer-managed key. This identifier contains the encryption key version, a 32-digit number (e.g. "12345678901234567890123456789012") that will be used later as the value for the --encryption-key-version parameter, to enable encryption for your storage account:
"12345678901234567890123456789012"
09 Run storage account update command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to reconfigure as identifier parameter (see Audit section part I to identify the right resource identifier), to enable encryption with BYOK for the selected storage account (the command does not produce an output):
az storage account update --name abcdabcdabcd123412341234 --encryption-key-name cc-production-byok --encryption-key-version 12345678901234567890123456789012 --encryption-key-source Microsoft.Keyvault --encryption-key-vault https://cc-production-vault.vault.azure.net/
10 Repeat step no. 9 for each storage account created within the current Azure subscription.
11 Repeat steps no. 1 – 10 for each subscription available in your Microsoft Azure cloud account.
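Before running the storage account update at step no. 9, it is worth confirming that the vault from steps no. 3 to 6 actually meets the prerequisites: soft delete and purge protection enabled, and an access policy granting the storage account identity the get, wrapKey and unwrapKey key permissions. The following pre-flight check is an added example, not part of the Conformity page or of the Azure CLI; it parses the JSON that az keyvault show prints, and the vault document and principal ID it embeds are constructed samples modelled on the output shown above.

```python
import json

# Constructed sample of `az keyvault show --name cc-production-vault -o json`,
# trimmed to the fields this check reads (not real output from any tenant).
SAMPLE_VAULT = json.dumps({
    "name": "cc-production-vault",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"keys": ["get", "create", "delete", "list"]}},
            {"objectId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
             "permissions": {"keys": ["get", "recover", "unwrapKey", "wrapKey"]}},
        ],
    },
})

# Key permissions the storage account identity needs in order to wrap and
# unwrap the data encryption key with the customer-managed key.
REQUIRED_KEY_PERMISSIONS = {"get", "wrapKey", "unwrapKey"}


def missing_prerequisites(vault_json: str, principal_id: str) -> list:
    """Return human-readable findings; an empty list means the vault is ready."""
    props = json.loads(vault_json).get("properties") or {}
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is disabled")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is disabled")
    granted = set()
    for policy in props.get("accessPolicies") or []:
        if (policy.get("objectId") or "").lower() == principal_id.lower():
            # Key Vault permission names are case-insensitive, so compare lowercased.
            keys = (policy.get("permissions") or {}).get("keys") or []
            granted |= {p.lower() for p in keys}
    lacking = sorted(p for p in REQUIRED_KEY_PERMISSIONS if p.lower() not in granted)
    if lacking:
        findings.append("storage account identity lacks key permissions: "
                        + ", ".join(lacking))
    return findings


if __name__ == "__main__":
    principal = "abcdabcd-1234-1234-1234-abcdabcdabcd"  # from step no. 2
    for line in missing_prerequisites(SAMPLE_VAULT, principal) or ["vault is ready for BYOK"]:
        print(line)
```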