Limitations of Blobs encrypted using customer provided keys

Sanjay Bhosale 20 Reputation points
2024-05-14T11:21:22.3666667+00:00

While working on a POC where every blob should be encrypted with customer-provided keys (I used the encryption headers while uploading/downloading blobs to avoid compute at my end), I found the two disadvantages below with this mechanism:

  1. Using LCM, we cannot move such blobs to different tiers, while through Set Tier it is possible.
  2. Also, such blobs cannot be uploaded to the archive tier.

I would like to know if there is any way around this limitation.

Note: This lags what AWS offers in its SSE-C mechanism, where both of the above are allowed.
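For readers who have not used the header-based customer-provided key (CPK) flow the question refers to, the following is an added illustration, not code from the question or from Microsoft: it builds the three request headers Blob Storage expects for CPK (`x-ms-encryption-key`, `x-ms-encryption-key-sha256`, `x-ms-encryption-algorithm`), shows that a Set Blob Tier request carries no key material at all, and checks the service's response echo so a client can confirm the blob was written under the key it intended. Only the Python standard library is used; the sample key is constructed locally, and no request is actually sent. Function names are this example's own.

```python
import base64
import hashlib
import os

AES256_KEY_LEN = 32  # CPK requires a 256-bit AES key


def generate_cpk() -> bytes:
    """Generate a fresh AES-256 key. The service never stores this key,
    only its SHA-256; if the client loses it, the blob is unreadable."""
    return os.urandom(AES256_KEY_LEN)


def cpk_headers(key: bytes) -> dict:
    """Headers that must accompany every PUT/GET on a CPK-encrypted blob.
    Both the key and its hash are base64-encoded per the Blob REST API."""
    if len(key) != AES256_KEY_LEN:
        raise ValueError("customer-provided key must be 32 bytes (AES-256)")
    key_hash = hashlib.sha256(key).digest()
    return {
        "x-ms-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-ms-encryption-key-sha256": base64.b64encode(key_hash).decode("ascii"),
        "x-ms-encryption-algorithm": "AES256",
    }


def put_blob_headers(key: bytes, body: bytes, content_type: str = "application/octet-stream") -> dict:
    """Full header set for an upload. 'x-ms-access-tier' is deliberately
    absent: with CPK the tier is set afterwards via Set Blob Tier, not on upload."""
    headers = {
        "x-ms-blob-type": "BlockBlob",
        "Content-Length": str(len(body)),
        "Content-Type": content_type,
    }
    headers.update(cpk_headers(key))
    return headers


def set_tier_headers(tier: str) -> dict:
    """Set Blob Tier (?comp=tier) is a metadata operation on the blob; it
    does not touch ciphertext, so no CPK headers are required or accepted."""
    if tier not in ("Hot", "Cool", "Cold", "Archive"):
        raise ValueError(f"unsupported access tier: {tier}")
    return {"x-ms-access-tier": tier}


def server_used_expected_key(response_headers: dict, key: bytes) -> bool:
    """Defensive check on a write/read response: the service echoes the hash
    of the key it used. A mismatch means the data was not encrypted under
    the key this client believes it was."""
    expected = cpk_headers(key)["x-ms-encryption-key-sha256"]
    normalized = {k.lower(): v for k, v in response_headers.items()}
    return (
        normalized.get("x-ms-request-server-encrypted", "").lower() == "true"
        and normalized.get("x-ms-encryption-key-sha256") == expected
    )


if __name__ == "__main__":
    # Constructed demo: a fixed key so the output is reproducible.
    demo_key = bytes(range(AES256_KEY_LEN))
    print(put_blob_headers(demo_key, b"payload"))
    print(set_tier_headers("Cool"))
    # Simulated service response echoing the same key hash.
    echo = {"x-ms-request-server-encrypted": "true",
            "x-ms-encryption-key-sha256": cpk_headers(demo_key)["x-ms-encryption-key-sha256"]}
    print(server_used_expected_key(echo, demo_key))
```

The practical point for a key-management design: because the service retains only the SHA-256 of the key, the client is the sole custodian, and every read must re-present the key; the response-echo check above is the cheapest way to detect a key mix-up before it becomes an unreadable blob.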

Azure Blob Storage

2 answers

  1. Amrinder Singh 3,260 Reputation points Microsoft Employee
    2024-05-14T12:39:46.91+00:00

    Hi Sanjay Bhosale - Thanks for reaching out.

    Based on the documentation, yes this appears to be a limitation.

    https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview#known-issues-and-limitations

    https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-overview

    There doesn't seem to be any workaround, and this can be shared as a feature request at the link below: https://feedback.azure.com/d365community/forum/a8bb4a47-3525-ec11-b6e6-000d3a4f0f84

    Simultaneously, I would recommend reaching out to the support team on this one for a closer look and to discuss this briefly ahead.

    Please let us know if you have any further queries. I'm happy to assist you further.


    Please do not forget to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members.


  2. Anand Prakash Yadav 6,785 Reputation points Microsoft Vendor
    2024-05-15T08:47:55.69+00:00

    Hello Sanjay Bhosale,

    Thank you for posting your query here!

    Adding on to the previous response, using customer-provided keys (CPK) in Azure does not result in additional billing for encryption scopes because CPKs do not create an encryption scope. You're only billed for the regular storage and data transfer costs. Encryption scope billing applies only when you use customer-managed keys stored in Azure Key Vault or Microsoft-managed keys within defined encryption scopes.

    Also, you may create a Billing support request over here: https://azure.microsoft.com/en-us/support/create-ticket/.

    The ticket enables you to work closely with the support engineers and get a quick resolution to your issue.

    FYI: Azure Billing and Subscription Management support is included in the Basic Support Plan without any charge: https://azure.microsoft.com/en-us/support/plans/

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.