Description:
Customer Managed Keys (CMK) allow organizations to manage their own encryption keys for data stored in Azure, with the keys held in Azure Key Vault. This adds a layer of security and control: the organization is responsible for key management, key rotation, and ensuring that only authorized users or services can access the encryption keys. CMK is used to encrypt critical data at rest, giving organizations more control over their data security.
Rationale:
Using Customer Managed Keys gives organizations full control over their encryption keys. This is particularly important for organizations with strict compliance requirements or those that want to retain control over their cryptographic operations. CMK helps meet regulatory compliance standards such as GDPR, HIPAA, and other data protection regulations by ensuring that data is encrypted and that keys are managed by the organization.
Impact:
Enabling CMK for data encryption ensures that the organization has full control over the encryption keys. However, it also means the organization is responsible for managing the lifecycle of the keys, including key rotation, access controls, and auditing. Incorrect key management practices can lead to data inaccessibility or security vulnerabilities: if the key is deleted or disabled, or the service's access to it is revoked, the data encrypted under it can no longer be read. Careful management is therefore required.
Default Value:
By default, encryption is managed with Microsoft Managed Keys (MMK). Customer Managed Keys (CMK) must be manually configured.
Pre-requisites:
Azure account.
Azure Key Vault configured for key management.
The user must have the necessary permissions to manage encryption keys (e.g., Key Vault Admin, Storage Admin).
Audit:
Sign in to the Azure portal as a Key Vault Admin, Storage Admin, or user with appropriate permissions.
Navigate to the Azure Storage Account, Key Vault, or other services where critical data is stored.
Review the Encryption settings and verify that Customer Managed Keys (CMK) are in use for data encryption.
Implementation Steps:
Sign in to the Azure portal as a Key Vault Admin or Storage Admin.
Navigate to Key Vault and create a new key or select an existing key for encryption.
Navigate to the Azure Storage Account or relevant service where critical data is stored.
Under Encryption settings, select Customer Managed Keys and specify the Key Vault and the key to use for encryption.
Save the changes to ensure that the data is encrypted using the customer-managed key.
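Added example (not part of this recommendation): an Azure CLI shell script that performs the Audit step across all storage accounts in the current subscription and the Implementation step for a single account. It assumes the `az` CLI is installed and logged in for `--live` use; the sample account names are constructed, and the arguments to `enable_cmk` are placeholders you must supply.

```shell
# Real storage-account property: encryption.keySource is "Microsoft.Storage"
# for Microsoft Managed Keys and "Microsoft.Keyvault" for Customer Managed Keys.
CMK_SOURCE="Microsoft.Keyvault"
TAB=$(printf '\t')

# Audit: read "name<TAB>keySource" lines on stdin, print "name<TAB>status".
audit_lines() {
  while IFS="$TAB" read -r name key_source; do
    [ -n "$name" ] || continue
    if [ "$key_source" = "$CMK_SOURCE" ]; then
      printf '%s\tCMK\n' "$name"
    else
      printf '%s\tNOT-CMK(%s)\n' "$name" "${key_source:-unset}"
    fi
  done
}

# Number of accounts on stdin that are not encrypted with a customer-managed key.
count_noncompliant() {
  audit_lines | grep -vc "${TAB}CMK\$" || true
}

# Live data: name and key source of every storage account in the subscription.
fetch_accounts() {
  az storage account list --query "[].[name, encryption.keySource]" -o tsv
}

# Implementation step: point one account at a Key Vault key.
# Args: account name, resource group, vault URI (https://<vault>.vault.azure.net/), key name.
# The account's managed identity must already hold get/wrapKey/unwrapKey on the key.
enable_cmk() {
  az storage account update --name "$1" --resource-group "$2" \
    --encryption-key-source "$CMK_SOURCE" \
    --encryption-key-vault "$3" --encryption-key-name "$4"
}

# Constructed sample (not from a real tenant) so the audit can run offline.
SAMPLE=$(printf 'storacct01\tMicrosoft.Keyvault\nstoracct02\tMicrosoft.Storage\nstoracct03\tMicrosoft.Keyvault\n')

if [ "${1:-}" = "--live" ]; then
  fetch_accounts | audit_lines
else
  printf '%s\n' "$SAMPLE" | audit_lines
fi
```

Run with `--live` to audit the signed-in subscription; any line marked NOT-CMK is an account still on Microsoft Managed Keys or another key source.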
Backout Plan:
Sign in to the Azure portal as a Key Vault Admin, Storage Admin, or other authorized user.
Navigate to the Azure Storage Account, Key Vault, or relevant service.
Under Encryption settings, switch from Customer Managed Keys to Microsoft Managed Keys or another preferred encryption method.
Save the changes to revert to the default encryption configuration.