Azure Data Lake Storage Gen V2 - Customer Managed Keys

grajee 341 Reputation points
2022-06-11T23:17:58.253+00:00

All,

I implemented "Customer Managed Keys" as per the link. Now, I don't know how to test it though. Can someone point me in the right direction?

Thanks,
grajee


1 answer

  1. PRADEEPCHEEKATLA-MSFT 76,586 Reputation points Microsoft Employee
    2022-06-14T05:39:30.307+00:00

    Hello @grajee ,

    Thanks for the question and using MS Q&A platform.

    Please consider reading these two articles from the Azure documentation. The first article describes in depth how customer managed keys work, whereas the second article does the same for customer provided keys.

    In a nutshell, when you use a customer managed key you are indicating a key stored in Azure Key Vault that you want to use to encrypt/decrypt data in a storage account.

    Under the hood, this key will be used to encrypt/decrypt the key that in turn will be used to actually encrypt/decrypt the data in your storage account.

    This process will be performed transparently every time you interact with your storage account.

    [Diagram omitted: customer-managed key workflow; the numbered steps are listed below]

    The following list explains the numbered steps in the diagram:

    1. An Azure Key Vault admin grants permissions to encryption keys to a managed identity. The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account.
    2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
    3. Azure Storage uses the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Azure AD.
    4. Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault.
    5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

    When using customer provided keys, you need to provide the encryption key itself, along with certain metadata, in your requests when reading or writing your blob data:

    [Diagram omitted: customer-provided key supplied on each blob read/write request]

    Hope this helps. Please let us know if you have any further queries.

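As an added example (not code from the answer above or from Microsoft), the kind of check a practitioner would run after configuring either option: `cmk_findings` reviews the `encryption` block that `az storage account show` returns, and `cpk_headers`/`cpk_headers_consistent` build and verify the per-request customer-provided-key headers. The ARM property names and the `x-ms-encryption-*` header names are assumed from the Azure Storage REST API; the sample encryption block is constructed.

```python
# Added example, not code from the original answer or from Microsoft. Assumes the ARM
# "encryption" property names and the x-ms-encryption-* headers; sample data is constructed.
import base64
import hashlib

# Constructed sample of `az storage account show -n <account> --query encryption`
# after a customer-managed key has been configured (steps 2-4 in the answer).
SAMPLE_ENCRYPTION = {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
        "keyName": "storage-cmk",
        "keyVaultUri": "https://example-kv.vault.azure.net/",
        "keyVersion": "",
        "currentVersionedKeyIdentifier":
            "https://example-kv.vault.azure.net/keys/storage-cmk/0123456789abcdef0123456789abcdef",
    },
}

def cmk_findings(enc: dict) -> list:
    """Review the encryption block; an empty list means CMK is in effect."""
    findings = []
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("keySource is %r; data is still under Microsoft-managed keys"
                        % enc.get("keySource"))
    kv = enc.get("keyVaultProperties") or {}
    if not (kv.get("keyVaultUri") and kv.get("keyName")):
        findings.append("keyVaultProperties lacks keyVaultUri/keyName")
    elif not kv.get("currentVersionedKeyIdentifier"):
        # Storage fills this in only once it has wrapped the account key (step 4).
        findings.append("no currentVersionedKeyIdentifier: account key not wrapped yet")
    return findings

def cpk_headers(key: bytes) -> dict:
    """Per-request headers for the customer-provided key path (second diagram)."""
    if len(key) != 32:
        raise ValueError("customer-provided key must be 32 bytes (AES-256)")
    return {
        "x-ms-encryption-key": base64.b64encode(key).decode(),
        "x-ms-encryption-key-sha256": base64.b64encode(hashlib.sha256(key).digest()).decode(),
        "x-ms-encryption-algorithm": "AES256",
    }

def cpk_headers_consistent(headers: dict) -> bool:
    """True if the SHA-256 header really is the hash of the supplied key."""
    key = base64.b64decode(headers.get("x-ms-encryption-key", ""))
    expected = base64.b64encode(hashlib.sha256(key).digest()).decode()
    return (len(key) == 32 and headers.get("x-ms-encryption-algorithm") == "AES256"
            and headers.get("x-ms-encryption-key-sha256") == expected)
```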