Description:
Customer-Managed Keys (CMKs) allow you to use your own encryption keys stored in Azure Key Vault to protect data in storage accounts. Using CMKs gives organizations full control over key rotation, key lifecycle, and access management, providing stronger protection for critical or sensitive data.
Rationale:
Encrypting critical data with CMKs provides better security and compliance than the default Microsoft-managed keys. CMKs allow you to manage, rotate, disable, or revoke access to the keys at any time, giving you full control over how sensitive data is protected.
Impact:
Enabling CMKs requires an Azure Key Vault, proper access policies, and careful key management. Misconfigurations may block access to data if keys are disabled or deleted. Some storage features may have limitations when using CMKs.
Default Value:
By default, storage accounts use Microsoft-managed keys for encryption, not customer-managed keys.
Pre-requisites:
You must have the Owner, Contributor, or Storage Account Contributor role on the storage account.
An Azure Key Vault must exist with a key created or imported.
The storage account's managed identity must be granted access to the key in that Key Vault.
Test Plan:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Storage accounts and select the storage account you want to review.
Under Settings + Networking, go to Encryption.
In the Encryption Selection section, check the Encryption type.
Verify that Customer-managed keys is selected.
If Microsoft-managed keys is selected, follow the Implementation Plan.
Implementation Plan:
Sign in to the Azure portal at https://portal.azure.com.
Create or identify an existing Azure Key Vault that contains a valid key.
In the portal, search for Storage accounts and select the storage account.
Under Settings + Networking, open Encryption.
Change the Encryption type to Customer-managed keys.
Choose Select from key vault, pick your Key Vault and key, and set the identity to System-assigned.
Save the changes.
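The Test Plan and Implementation Plan above are portal steps. The following Azure CLI script is an added example, not part of this check or of Microsoft's documentation, that performs the same audit from the JSON returned by `az storage account show` and the same remediation with `az storage account update`. The resource group, account, vault and key names are placeholders; the two JSON samples are constructed to mirror the shape of the `encryption` object; and the `enable_cmk` function assumes a Key Vault that uses the access-policy permission model (an RBAC-enabled vault needs a role assignment instead of `az keyvault set-policy`).

```shell
#!/bin/sh
# Added example: audit and remediate the storage account encryption key source.
# All resource names are placeholders; nothing here refers to a real tenant.

# Constructed sample of the "encryption" object returned by
#   az storage account show -g <rg> -n <account> --query encryption -o json
# for an account still on Microsoft-managed keys.
SAMPLE_MMK='{
  "keySource": "Microsoft.Storage",
  "keyVaultProperties": null,
  "requireInfrastructureEncryption": false
}'

# Constructed sample for an account already protected by a customer-managed key.
SAMPLE_CMK='{
  "keySource": "Microsoft.Keyvault",
  "keyVaultProperties": {
    "keyName": "storage-cmk",
    "keyVaultUri": "https://example-kv.vault.azure.net/",
    "keyVersion": "0123456789abcdef0123456789abcdef"
  }
}'

# Pull one string-valued field out of the JSON on stdin (pretty or compact);
# avoids a jq dependency on audit hosts.
json_field() {   # $1 = field name
  grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/'
}

# Exit 0 when keySource is Microsoft.Keyvault (customer-managed), 1 otherwise.
cmk_compliant() {   # $1 = encryption JSON
  [ "$(printf '%s' "$1" | json_field keySource)" = "Microsoft.Keyvault" ]
}

# Human-readable label for reports.
cmk_status() {   # $1 = encryption JSON
  if cmk_compliant "$1"; then echo "customer-managed"; else echo "microsoft-managed"; fi
}

# Live audit of one account (needs `az login`; not exercised offline).
audit_account() {   # $1 = resource group, $2 = storage account name
  enc=$(az storage account show -g "$1" -n "$2" --query encryption -o json)
  if cmk_compliant "$enc"; then
    echo "$2: customer-managed key $(printf '%s' "$enc" | json_field keyName)" \
         "in $(printf '%s' "$enc" | json_field keyVaultUri)"
  else
    echo "$2: Microsoft-managed keys, follow the Implementation Plan"
  fi
}

# CLI equivalent of the Implementation Plan: enable the system-assigned identity,
# grant it key access in the vault, then switch the encryption key source.
# Assumes the vault already exists with soft delete and purge protection enabled
# (Azure requires both for customer-managed keys) and already holds the key.
# Omitting --encryption-key-version makes the account track the latest version
# of the key, so rotating the key in the vault needs no change on the account.
enable_cmk() {   # $1 = rg, $2 = account, $3 = key vault name, $4 = key name
  principal=$(az storage account update -g "$1" -n "$2" --assign-identity \
                --query identity.principalId -o tsv)
  az keyvault set-policy -n "$3" --object-id "$principal" \
     --key-permissions get wrapKey unwrapKey
  vault_uri=$(az keyvault show -n "$3" --query properties.vaultUri -o tsv)
  az storage account update -g "$1" -n "$2" \
     --encryption-key-source Microsoft.Keyvault \
     --encryption-key-vault "$vault_uri" \
     --encryption-key-name "$4"
}

# CLI equivalent of the Backout Plan.
disable_cmk() {   # $1 = rg, $2 = account
  az storage account update -g "$1" -n "$2" --encryption-key-source Microsoft.Storage
}

# Offline demonstration on the constructed samples.
echo "sample A: $(cmk_status "$SAMPLE_MMK")"
echo "sample B: $(cmk_status "$SAMPLE_CMK")"
```

Run `audit_account <rg> <account>` across every account in a subscription (for example from `az storage account list --query '[].{g:resourceGroup,n:name}' -o tsv`) to find accounts still on Microsoft-managed keys, and only then call `enable_cmk`, since the identity must be able to wrap and unwrap the key before the switch or data access fails, which is the misconfiguration risk noted under Impact.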
Backout Plan:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Storage accounts and select the storage account you want to review.
Under Settings + Networking, go to Encryption.
In the Encryption Selection section, change Encryption type to Microsoft-managed keys.
Save the changes.
Reference:
https://learn.microsoft.com/azure/storage/common/storage-service-encryption
https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview