Blob Encryption

Question

How do I enable CMK encryption for the activity log storage container using the portal? If I enable CMK encryption while creating a storage acc or after creating it, does it apply to all the blob containers as well?

Answer 1

Hello @Rahul

When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data in Blob storage, Azure Files, Tables and Queues.
You need to use Encryption scopes to manage encryption at the level of an individual blob or container.
You can create Encryption scopes in Azure Portal:

1. Navigate to your storage account in the Azure portal.
2. Select the Encryption setting.
3. Select the Encryption Scopes tab.
4. Click the Add button to add a new encryption scope.
5. In the Create Encryption Scope pane, enter a name for the new scope.
6. Select the desired type of encryption key support, Customer-managed keys.
7. Select a subscription and specify a key vault or a managed HSM and a key to use for this encryption scope.
   

https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

When you create a container, it will automatically select an encryption scope, but you can’t change the encryption scope after the container is created since the encryption scope when created is already defined by the encryption parameters, i.e., Microsoft-managed default keys or Customer managed keys.

You can select the customer managed key encryption scope at the time of creating a container or blob as shown in the screenshot below.

https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?toc=%2Fazure%2Fstorage%2Fqueues%2Ftoc.json&tabs=portal