Determine which Azure Storage encryption key model is in use for the storage account
Article
Data in your storage account is automatically encrypted by Azure Storage. Azure Storage encryption offers two options for managing encryption keys at the level of the storage account:
Microsoft-managed keys. By default, Microsoft manages the keys used to encrypt your storage account.
Customer-managed keys. You can optionally choose to manage encryption keys for your storage account. Customer-managed keys must be stored in Azure Key Vault.
Additionally, you can provide an encryption key at the level of an individual request for some Blob storage operations. When an encryption key is specified on the request, that key overrides the encryption key that is active on the storage account. For more information, see Specify a customer-provided key on a request to Blob storage.
To check the encryption model for the storage account by using the Azure portal, follow these steps:
In the Azure portal, navigate to your storage account.
Select the Encryption setting and note the setting.
The following image shows a storage account that is encrypted with Microsoft-managed keys:
And the following image shows a storage account that is encrypted with customer-managed keys:
To check the encryption model for the storage account by using PowerShell, call the Get-AzStorageAccount command, then check the KeySource property for the account.
If the value of the KeySource property is Microsoft.Storage, then the account is encrypted with Microsoft-managed keys. If the value of the KeySource property is Microsoft.Keyvault, then the account is encrypted with customer-managed keys.
To check the encryption model for the storage account by using Azure CLI, call the az storage account show command, then check the keySource property for the account.
If the value of the keySource property is Microsoft.Storage, then the account is encrypted with Microsoft-managed keys. If the value of the keySource property is Microsoft.Keyvault, then the account is encrypted with customer-managed keys.
Learn how Azure Storage provides multilayered security to protect your data with access keys, secure networks, and Advanced Threat Protection monitoring.
Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities.