Storage Account and Key Vault

rr-4098 1,176 Reputation points
2024-04-08T18:43:53.67+00:00

This may be a basic question, but if I am using Key Vault to manage and rotate keys every 14 days, does this mean when I go into Storage Account -> Key the vault is changing it or do I need to get all keys from the vault??? Never used key vault before

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,697 questions
0 comments
Accepted answer
  1. Anand Prakash Yadav 5,765 Reputation points Microsoft Vendor
    2024-04-10T12:16:29.59+00:00

    Hello rr-4098,

    Thank you for posting your query here!

    Azure Key Vault can manage and rotate your keys automatically. When you set up a rotation policy on a key in Azure Key Vault, it schedules automated rotation and can configure expiry notifications. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.

    So, you don't need to manually retrieve keys from Key Vault and update them in your Storage Account. Key Vault handles this process automatically, ensuring that your Storage Account always has access to the latest version of the keys for encryption and decryption operations.

    Also, you retrieve the key to connect to your Azure Storage Account from Azure Key Vault, not directly from the Storage Account's "Keys" section. Azure Key Vault provides centralized and secure management of keys, enabling controlled access and automated rotation for enhanced security.

    And if a storage account is set to private but is not using a private endpoint, it is still secure, but it may not be as secure as it could be with a private endpoint.

    While this setup restricts access to resources within specified IP ranges or virtual networks. A private endpoint provides a secure and scalable way for Azure resources, like virtual machines (VMs), to privately connect to Azure Storage. The private endpoint uses an IP address from your Virtual Network (VNet) and network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

    So, while a storage account set to private is secure, using a private endpoint provides an additional layer of security.

    I hope this helps! Please let me know if the issue persists or if you have any other questions.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Amrinder Singh 2,120 Reputation points Microsoft Employee
    2024-04-08T19:22:30.9933333+00:00

    Hi @rr-4098 - Thanks for reaching out over Q&A Forum.

    If you will be using key vault and rotate the keys every 14 days, it means, that key vault will be managing the rotation.

    At times there is a kind of requirement / compliance for keys rotation. When you rotate the keys, you need to update the newer keys at all the location where you have configured access keys in order to connect to storage account, else the application will tend to fail.

    With Key Vault, you manage this rotation while you connect to the application via key vault. The key vault shall internally pick the newer keys in order to connect to the storage and you will not have to worry about updating the newer keys manually.

    https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#use-azure-key-vault-to-manage-your-access-keys

    Please let me know if this was helpful or have any further queries, will be glad to assist.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

  2. Azar 18,855 Reputation points
    2024-04-08T19:23:20.45+00:00

    Hi there rr-4098

    Thats a great question and thanks for using QandA platform

    With automatic key rotation enabled in Key Vault, it handles the key rotation processevery 14 days or as per your specified interval. What happens behind the scenes is that Key Vault generates new keys and updates the references in your Storage Account to use these fresh keys.

    When you navigate to the "Key" section of your Storage Account, you won't find the keys stored there. Instead, your Storage Account dynamically retrieves the keys it needs from Key Vault whenever access is required. this is to make sure that your data remains safeguarded without compromising on accessibility.

    Key Vault provides a centralized and secure repository for managing keys, secrets, and certificates. .

    In a nutshell, by leveraging Azure Key Vault for key management and rotation, you're enhancing the security posture of your Storage Account while simplifying key lifecycle management.

    If this helps kindly accept the answer thanks much.

    0 comments
  3. rr-4098 1,176 Reputation points
    2024-04-08T19:32:14.9633333+00:00

    Ok, let me ask this question. When I need to get the key to connect to my storage account, to I get i from the Storage Account under Keys or from the Key vault?