Rediger

Del via


Create an account that supports customer-managed keys for tables and queues

Azure Storage encrypts all data in a storage account at rest. By default, Queue storage and Table storage use a key that is scoped to the service and managed by Microsoft. You can also opt to use customer-managed keys to encrypt queue or table data. To use customer-managed keys with queues and tables, you must first create a storage account that uses an encryption key that is scoped to the account, rather than to the service. After you have created an account that uses the account encryption key for queue and table data, you can configure customer-managed keys for that storage account.

This article describes how to create a storage account that relies on a key that is scoped to the account. When the account is first created, Microsoft uses the account key to encrypt the data in the account, and Microsoft manages the key. You can subsequently configure customer-managed keys for the account to take advantage of those benefits, including the ability to provide your own keys, update the key version, rotate the keys, and revoke access controls.

Create an account that uses the account encryption key

You must configure a new storage account to use the account encryption key for queues and tables at the time that you create the storage account. The scope of the encryption key cannot be changed after the account is created.

The storage account must be of type general-purpose v2. You can create the storage account and configure it to rely on the account encryption key by using the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manager template.

To learn more about creating a storage account, see Create a storage account.

Note

Only Queue and Table storage can be optionally configured to encrypt data with the account encryption key when the storage account is created. Blob storage and Azure Files always use the account encryption key to encrypt data.

To create a storage account that relies on the account encryption key with the Azure portal, follow these steps:

  1. From the left portal menu, select Storage accounts to display a list of your storage accounts.

  2. On the Storage accounts page, select New.

  3. Fill in the fields on the Basics tab.

  4. On the Advanced tab, locate the Tables and Queues section, and select Enable support for customer-managed keys.

    Screenshot showing how to enable customer-managed keys for queues and tables when creating a new account

After you have created an account that relies on the account encryption key, you can configure customer-managed keys that are stored in Azure Key Vault or in Key Vault Managed Hardware Security Model (HSM). To learn how to store customer-managed keys in a key vault, see Configure encryption with customer-managed keys stored in Azure Key Vault. To learn how to store customer-managed keys in a managed HSM, see Configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM.

Verify the account encryption key

After you create the account, you can verify that the storage account is using an encryption key that is scoped to the account by using the Azure portal, PowerShell, or Azure CLI.

To verify that a service in a storage account is using an encryption key that is scoped to the account with the Azure portal, follow these steps:

  1. Navigate to your new storage account in the Azure portal.

  2. In the Security + Networking section, select Encryption.

  3. If the storage account was created to rely on the account encryption key, you'll see on the Encryption tab that customer-managed keys can be enabled for all four Azure Storage services: blobs, files, tables, and queues.

    Screenshot showing how to verify that the storage account is relying on the account encryption key

After you've verified that the storage account is using an encryption key that is scoped to the account, you can enable customer-managed keys for the account. All four Azure Storage services—blobs, files, tables, and queues—will then use the customer-managed key for encryption.

Pricing and billing

A storage account that is created to use an encryption key scoped to the account is billed for Table storage capacity and transactions at a different rate than an account that uses the default service-scoped key. For details, see Azure Table Storage pricing.

Next steps