Create and manage encryption scopes

Encryption scopes enable you to manage encryption at the level of an individual blob or container. You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers. For more information about encryption scopes, see Encryption scopes for Blob storage.

This article shows how to create an encryption scope. It also shows how to specify an encryption scope when you create a blob or container.

Create an encryption scope

You can create an encryption scope that is protected with a Microsoft-managed key or with a customer-managed key that is stored in an Azure Key Vault or in an Azure Key Vault Managed Hardware Security Model (HSM). To create an encryption scope with a customer-managed key, you must first create a key vault or managed HSM and add the key you intend to use for the scope. The key vault or managed HSM must have purge protection enabled.

The storage account and the key vault can be in the same tenant, or in different tenants. In either case, the storage account and key vault can be in different regions.

An encryption scope is automatically enabled when you create it. After you create the encryption scope, you can specify it when you create a blob. You can also specify a default encryption scope when you create a container, which automatically applies to all blobs in the container.

When you configure an encryption scope, you are billed for a minimum of one month (30 days). After the first month, charges for an encryption scope are prorated on an hourly basis. For more information, see Billing for encryption scopes.

To create an encryption scope in the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Under Security + networking select Encryption.

  3. Select the Encryption Scopes tab.

  4. Click the Add button to add a new encryption scope.

  5. In the Create Encryption Scope pane, enter a name for the new scope.

  6. Select the desired type of encryption key support, either Microsoft-managed keys or Customer-managed keys.

    • If you selected Microsoft-managed keys, click Create to create the encryption scope.
    • If you selected Customer-managed keys, then select a subscription and specify a key vault and a key to use for this encryption scope. If the desired key vault is in a different region, select Enter key URI and specify the key URI.
  7. If infrastructure encryption is enabled for the storage account, then it will automatically be enabled for the new encryption scope. Otherwise, you can choose whether to enable infrastructure encryption for the encryption scope.

    Screenshot showing how to create encryption scope in Azure portal

List encryption scopes for storage account

To view the encryption scopes for a storage account in the Azure portal, navigate to the Encryption Scopes setting for the storage account. From this pane, you can enable or disable an encryption scope or change the key for an encryption scope.

Screenshot showing list of encryption scopes in Azure portal

To view details for a customer-managed key, including the key URI and version and whether the key version is automatically updated, follow the link in the Key column.

Screenshot showing details for a key used with an encryption scope

Create a container with a default encryption scope

When you create a container, you can specify a default encryption scope. Blobs in that container will use that scope by default.

An individual blob can be created with its own encryption scope, unless the container is configured to require that all blobs use the default scope. For more information, see Encryption scopes for containers and blobs.

To create a container with a default encryption scope in the Azure portal, first create the encryption scope as described in Create an encryption scope. Next, follow these steps to create the container:

  1. Navigate to the list of containers in your storage account, and select the Add button to create a container.

  2. Expand the Advanced settings in the New Container pane.

  3. In the Encryption scope drop-down, select the default encryption scope for the container.

  4. To require that all blobs in the container use the default encryption scope, select the checkbox to Use this encryption scope for all blobs in the container. If this checkbox is selected, then an individual blob in the container cannot override the default encryption scope.

    Screenshot showing container with default encryption scope

If a client attempts to specify a scope when uploading a blob to a container that has a default encryption scope and the container is configured to prevent blobs from overriding the default scope, then the operation fails with a message indicating that the request is forbidden by the container encryption policy.

Upload a blob with an encryption scope

When you upload a blob, you can specify an encryption scope for that blob, or use the default encryption scope for the container, if one has been specified.

Note

When you upload a new blob with an encryption scope, you cannot change the default access tier for that blob. You also cannot change the access tier for an existing blob that uses an encryption scope. For more information about access tiers, see Hot, Cool, and Archive access tiers for blob data.

To upload a blob with an encryption scope via the Azure portal, first create the encryption scope as described in Create an encryption scope. Next, follow these steps to create the blob:

  1. Navigate to the container to which you want to upload the blob.

  2. Select the Upload button, and locate the blob to upload.

  3. Expand the Advanced settings in the Upload blob pane.

  4. Locate the Encryption scope drop-down section. By default, the blob is created with the default encryption scope for the container, if one has been specified. If the container requires that blobs use the default encryption scope, this section is disabled.

  5. To specify a different scope for the blob that you are uploading, select Choose an existing scope, then select the desired scope from the drop-down.

    Screenshot showing how to upload a blob with an encryption scope

Change the encryption key for a scope

To change the key that protects an encryption scope from a Microsoft-managed key to a customer-managed key, first make sure that you have enabled customer-managed keys with Azure Key Vault or Key Vault HSM for the storage account. For more information, see Configure encryption with customer-managed keys stored in Azure Key Vault or Configure encryption with customer-managed keys stored in Azure Key Vault.

To change the key that protects a scope in the Azure portal, follow these steps:

  1. Navigate to the Encryption Scopes tab to view the list of encryption scopes for the storage account.
  2. Select the More button next to the scope you wish to modify.
  3. In the Edit encryption scope pane, you can change the encryption type from Microsoft-managed key to customer-managed key or vice versa.
  4. To select a new customer-managed key, select Use a new key and specify the key vault, key, and key version.

Disable an encryption scope

Disable any encryption scopes that are not needed to avoid unnecessary charges. For more information, see Billing for encryption scopes.

To disable an encryption scope in the Azure portal, navigate to the Encryption Scopes setting for the storage account, select the desired encryption scope, and select Disable.

Next steps