Azure Storage Encryption

Overview

Azure Storage offers comprehensive encryption for data at rest, providing a robust security layer for your information. This documentation details the various encryption options available for Azure Storage services, including Blob storage, File storage, Queue storage, and Table storage.

Encryption is enabled by default for all new Azure Storage accounts. You can manage encryption settings and keys to meet your specific compliance and security requirements.

Types of Encryption

Service-Managed Keys (SMK)

By default, Azure Storage encrypts all data using Service-Managed Keys (SMK). These keys are managed by Microsoft, providing a secure and hassle-free encryption solution. You do not need to take any action to enable this type of encryption.

Key Features:

Customer-Managed Keys (CMK)

For enhanced control and compliance, Azure Storage supports Customer-Managed Keys (CMK). With CMK, you manage the encryption keys stored in Azure Key Vault. This allows you to rotate keys, control access, and audit key usage.

Key Features:

To use Customer-Managed Keys, you must have an Azure Key Vault instance and configure it appropriately.

Customer-Provided Keys (CPK)

Customer-Provided Keys (CPK) offer another layer of control where you supply the encryption key directly with each request to encrypt or decrypt data. This is useful for scenarios where you need to manage keys outside of Azure Storage or Key Vault.

Key Features:

Using CPK can impact performance as the key must be provided for every operation. Ensure your key management process is robust.

Managing Encryption Settings

Enabling/Disabling CMK

You can manage Customer-Managed Keys through the Azure portal, Azure CLI, or PowerShell.

Azure CLI Example (Enabling CMK):

# Replace the <...> placeholders with your own values. The storage account must
# already have a managed identity (for example, assigned with --assign-identity)
# that has been granted access to the key in Key Vault, or this update fails.
az storage account update \
    --name <your-storage-account-name> \
    --resource-group <your-resource-group-name> \
    --set encryption.keySource=Microsoft.Keyvault \
    --set encryption.keyVaultProperties.keyVaultUri=<your-keyvault-uri> \
    --set encryption.keyVaultProperties.keyName=<your-key-name> \
    --set encryption.keyVaultProperties.keyVersion=<your-key-version>
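After switching an account to CMK it is worth verifying what the service actually reports. The following audit script is an added example, not part of this documentation or of the Azure CLI: it walks the `encryption` and `identity` sections of `az storage account show -o json` output and flags SMK-only accounts, incomplete Key Vault references, missing managed identities and services not covered by the account key. The JSON sample is constructed for the example; the field names follow the CLI's camelCase output.

```python
import json
from typing import Dict, List

# Constructed sample of `az storage account show -o json` output (all values made up)
SAMPLE_ACCOUNT_JSON = """{
  "name": "examplestorage",
  "identity": {"type": "SystemAssigned", "principalId": "00000000-0000-0000-0000-000000000000"},
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {"keyVaultUri": "https://example-kv.vault.azure.net/",
                           "keyName": "storage-cmk", "keyVersion": ""},
    "services": {"blob": {"enabled": true, "keyType": "Account"},
                 "file": {"enabled": true, "keyType": "Account"},
                 "queue": {"enabled": true, "keyType": "Service"},
                 "table": {"enabled": true, "keyType": "Service"}}
  }
}"""

def audit_encryption(account: Dict) -> List[str]:
    """Return findings (plain strings) about how the account's data at rest is keyed."""
    findings: List[str] = []
    enc = account.get("encryption", {})
    source = enc.get("keySource", "Microsoft.Storage")
    if source == "Microsoft.Storage":
        findings.append("Service-Managed Keys in use (Microsoft.Storage)")
        return findings

    # CMK path: a complete Key Vault reference and a managed identity are both needed
    kv = enc.get("keyVaultProperties") or {}
    for field in ("keyVaultUri", "keyName"):
        if not kv.get(field):
            findings.append(f"CMK selected but keyVaultProperties.{field} is missing")
    if not kv.get("keyVersion"):
        # Empty keyVersion: Storage follows the latest key version automatically
        findings.append("keyVersion not pinned: automatic key version update in effect")
    if not (account.get("identity") or {}).get("type"):
        findings.append("CMK selected but the account has no managed identity to reach Key Vault")

    # Per-service view: which services are actually covered by the account-scoped key
    for svc, props in enc.get("services", {}).items():
        if not props.get("enabled"):
            findings.append(f"{svc}: encryption not enabled")
        elif props.get("keyType") != "Account":
            findings.append(f"{svc}: encrypted with a service-scoped key, not the account CMK")
    return findings

def audit_from_json(text: str) -> List[str]:
    return audit_encryption(json.loads(text))
```

Pipe the real CLI output into `audit_from_json` to review one account, or loop over `az storage account list` to cover a subscription.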

Access Control for Key Vault

When using CMK, ensure that your Azure Storage account has the necessary permissions to access the keys and secrets in your Azure Key Vault. This is typically managed through Key Vault access policies or Azure RBAC.

Required permissions include:

Encryption for Specific Services

Blob Storage

All data written to Blob storage is encrypted at rest by default. You can configure CMK for Blob storage to manage your encryption keys.

File Storage

Azure Files also encrypts data at rest by default. CMK can be applied to Azure Files shares for enhanced control.

Queue Storage and Table Storage

Data in Queue storage and Table storage is encrypted at rest by default. CMK is not directly configurable for these services, so they rely on the default service-managed encryption described above.

Best Practices