Determine which Azure Storage encryption key model is in use for the storage account

Data in your storage account is automatically encrypted by Azure Storage. Azure Storage encryption offers two options for managing encryption keys at the level of the storage account:

  • Microsoft-managed keys. By default, Microsoft manages the keys used to encrypt your storage account.
  • Customer-managed keys. You can optionally choose to manage encryption keys for your storage account. Customer-managed keys must be stored in Azure Key Vault.

Additionally, you can provide an encryption key at the level of an individual request for some Blob storage operations. When an encryption key is specified on the request, that key overrides the encryption key that is active on the storage account. For more information, see Specify a customer-provided key on a request to Blob storage.

For more information about encryption keys, see Azure Storage encryption for data at rest.

Check the encryption key model for the storage account

To determine whether a storage account is using Microsoft-managed keys or customer-managed keys for encryption, use one of the following approaches.

To check the encryption model for the storage account by using the Azure portal, follow these steps:

  1. In the Azure portal, navigate to your storage account.
  2. Select the Encryption setting and note the setting.

The following image shows a storage account that is encrypted with Microsoft-managed keys:

[Image: storage account encrypted with Microsoft-managed keys]

And the following image shows a storage account that is encrypted with customer-managed keys:

[Image: encryption key setting in the Azure portal for a storage account using customer-managed keys]
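The same check can be run across many accounts at once. The script below is an added example, not part of the original page or Microsoft's own code. It assumes its input is JSON saved from `az storage account list --output json` (or `az storage account show`), and that each account carries `encryption.keySource` and `encryption.keyVaultProperties`. The account, vault and key names in the sample are constructed.

```python
import json
import sys

# encryption.keySource values reported for a storage account, compared
# case-insensitively, mapped to the two key models the page describes.
KEY_MODELS = {
    "microsoft.storage": "Microsoft-managed keys",
    "microsoft.keyvault": "Customer-managed keys",
}

def key_model(account):
    """Classify one storage account object from the CLI's JSON output."""
    enc = account.get("encryption") or {}
    source = enc.get("keySource") or ""
    kv = enc.get("keyVaultProperties") or {}
    model = KEY_MODELS.get(source.lower(), "Unknown")
    finding = None
    if model == "Unknown":
        finding = "unrecognised or missing keySource: %r" % source
    elif model == "Customer-managed keys" and not kv.get("keyVaultUri"):
        finding = "keySource is Key Vault but no keyVaultUri is set"
    return {"name": account.get("name"), "model": model,
            "keyVaultUri": kv.get("keyVaultUri"), "keyName": kv.get("keyName"),
            "finding": finding}

def audit(cli_json):
    """Accept output of 'account show' (object) or 'account list' (array)."""
    data = json.loads(cli_json)
    accounts = [data] if isinstance(data, dict) else data
    return [key_model(a) for a in accounts]

# Constructed sample input; account, vault and key names are made up.
SAMPLE = json.dumps([
    {"name": "stlogs001", "encryption": {"keySource": "Microsoft.Storage",
                                         "keyVaultProperties": None}},
    {"name": "stfinance01", "encryption": {"keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {"keyName": "storage-cmk",
                               "keyVaultUri": "https://kv-example.vault.azure.net"}}},
    {"name": "stbroken01", "encryption": {"keySource": "Microsoft.Keyvault",
                                          "keyVaultProperties": None}},
    {"name": "stlegacy01"},
])

if __name__ == "__main__":
    # Usage: python check_key_model.py accounts.json  (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for row in audit(text):
        print("%-14s %-24s %s" % (row["name"], row["model"],
                                  row["finding"] or row["keyVaultUri"] or ""))
```

This reports only the account-level key model. A customer-provided key supplied on an individual Blob storage request overrides it for that request and is not visible in this output.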

Next steps