Create customer-managed keys

Completed 100 XP

For your Azure Storage security solution, you can use Azure Key Vault to manage your encryption keys. The Azure Key Vault APIs can be used to generate encryption keys. You can also create your own encryption keys and store them in a key vault.

Things to know about customer-managed keys

Consider the following characteristics of customer-managed keys.

• By creating your own keys (referred to as customer-managed keys), you have more flexibility and greater control.

• You can create, disable, audit, rotate, and define access controls for your encryption keys.

• Customer-managed keys can be used with Azure Storage encryption. You can use a new key or an existing key vault and key. The Azure storage account and the key vault must be in the same region, but they can be in different subscriptions.

Configure customer-managed keys

In the Azure portal, you can configure customer-managed encryption keys. You can create your own keys, or you can have the keys managed by Microsoft. Consider how you might use Azure Key Vault to create your own customer-managed encryption keys.

• Encryption type: Choose how the encryption key is managed: by Microsoft or by yourself (customer).

• Encryption key: Specify an encryption key by entering a URI, or select a key from an existing key vault.

---

Next unit: Apply Azure Storage security best practices

Previous Next

Having an issue? We can help!

• For issues related to this module, explore existing questions using the #azure training tag or Ask a question on Microsoft Q&A.
• For issues related to Certifications and Exams, post on Certifications Support Forums or visit our Credentials Help.