Blob Encryption

Rahul 21 Reputation points
2022-03-25T11:44:14.633+00:00

How do I enable CMK encryption for the activity log storage container using the portal? If I enable CMK encryption while creating a storage acc or after creating it, does it apply to all the blob containers as well?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,834 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,552 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Andriy Bilous 11,011 Reputation points MVP
    2022-03-25T12:53:21.047+00:00

    Hello @Rahul

    When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data in Blob storage, Azure Files, Tables and Queues.
    You need to use Encryption scopes to manage encryption at the level of an individual blob or container.
    You can create Encryption scopes in Azure Portal:

    1. Navigate to your storage account in the Azure portal.
    2. Select the Encryption setting.
    3. Select the Encryption Scopes tab.
    4. Click the Add button to add a new encryption scope.
    5. In the Create Encryption Scope pane, enter a name for the new scope.
    6. Select the desired type of encryption key support, Customer-managed keys.
    7. Select a subscription and specify a key vault or a managed HSM and a key to use for this encryption scope.
      186944-image.png

    https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

    When you create a container, it will automatically select an encryption scope, but you can’t change the encryption scope after the container is created since the encryption scope when created is already defined by the encryption parameters, i.e., Microsoft-managed default keys or Customer managed keys.

    You can select the customer managed key encryption scope at the time of creating a container or blob as shown in the screenshot below.
    186992-image.png
    https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?toc=%2Fazure%2Fstorage%2Fqueues%2Ftoc.json&tabs=portal