Profile Applicability:
Level 2
Description:
Encrypting backup data in Azure Backup Vaults with Customer-Managed Keys (CMK) enables organizations to retain full control over the encryption keys protecting their backup data at rest. CMKs are stored in Azure Key Vault and provide enhanced security, key rotation, and compliance capabilities compared to service-managed keys.
Rationale:
Using CMKs for backup data encryption strengthens data protection by allowing customers to manage key lifecycle, enforce key rotation, and control access policies. It helps meet regulatory and compliance requirements for key ownership and auditability, reducing risks associated with unauthorized access or key compromise.
Impact:
Pros:
Enables centralized key management and rotation.
Enhances audit and compliance capabilities.
Provides separation of duties between key management and backup data control.
Cons:
Requires additional operational effort to manage keys securely.
Potential risk of backup data becoming inaccessible if keys are lost or misconfigured.
May incur additional costs for Azure Key Vault usage.
Default Value:
By default, backup data encryption uses Microsoft-managed keys unless CMK is configured.
Pre-requisites:
Azure Key Vault configured with appropriate customer-managed keys.
Access permissions granted to the Backup Vault to use the CMK.
Administrative rights to configure encryption on Backup Vaults.
Remediation:
Test Plan:
Using Azure Portal:
1. Navigate to https://portal.azure.com.
2. Open Recovery Services Vaults and select the target vault.
3. Go to Settings > Encryption or Backup Configuration.
4. Verify that the encryption is set to use Customer-Managed Keys.
5. Confirm the Key Vault and key URI configured for encryption.
Using Azure CLI:
1. Retrieve encryption settings for the Recovery Services Vault:
az backup vault show --name <vault-name> --resource-group <resource-group> --query properties.encryption
2. Confirm that keyVaultProperties.keyUri in the output is populated with a Key Vault key URI, indicating CMK usage. If the encryption block or keyVaultProperties is absent or null, the vault is still using Microsoft-managed keys.
Implementation Plan:
Using Azure Portal:
1. Ensure a Key Vault and customer-managed key exist.
2. Assign appropriate access policies to the Recovery Services Vault identity for key usage.
3. Navigate to the vault’s Encryption settings.
4. Select the Customer-Managed Key option and specify the Key Vault key URI.
5. Save and validate the configuration.
Using Azure CLI:
1. Assign Key Vault permissions to the vault's managed identity (for a Key Vault that uses Azure RBAC instead of access policies, assign the Key Vault Crypto Service Encryption User role to the identity instead of setting a policy):
az keyvault set-policy --name <keyvault-name> --object-id <vault-managed-identity-object-id> --key-permissions get wrapKey unwrapKey
2. Enable CMK encryption on the vault:
az backup vault encryption update --resource-group <resource-group> --name <vault-name> --encryption-key-id <key-vault-key-uri> --mi-system-assigned
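The following script is an added example covering both the CLI test plan and the CLI implementation plan above; it is not part of the benchmark text and is not Microsoft's tooling. It assumes the Azure CLI is installed and logged in for the live functions, that the vault uses a system-assigned managed identity, and that the Key Vault uses access policies. The resource group, vault, Key Vault and key URI values are placeholders supplied by the caller, and the three JSON documents at the end are constructed samples of the properties.encryption shape, not output captured from a subscription.

```shell
#!/bin/sh
# Added example (not from the benchmark or from Microsoft). Assumptions: Azure CLI
# logged in for the live functions; vault uses a system-assigned identity; the
# Key Vault uses access policies rather than Azure RBAC.

# Pull keyVaultProperties.keyUri out of the JSON that
# `az backup vault show --query properties.encryption` returns (read on stdin).
# Prints the URI, or nothing when the field is absent, null or empty.
extract_key_uri() {
  tr -d '\n' | sed -n 's/.*"keyUri"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Classify one encryption JSON document: "CMK" when a Key Vault key URI is
# configured, otherwise "MICROSOFT_MANAGED" (the default this control changes).
encryption_mode() {
  uri=$(printf '%s' "$1" | extract_key_uri)
  case "$uri" in
    https://*) echo "CMK" ;;
    *)         echo "MICROSOFT_MANAGED" ;;
  esac
}

# Audit (live): print "<resource-group> <vault> <mode>" for every vault.
audit_vaults() {
  az backup vault list --query "[].[resourceGroup,name]" -o tsv |
  while read -r group name; do
    enc=$(az backup vault show --name "$name" --resource-group "$group" \
            --query properties.encryption -o json)
    printf '%s\t%s\t%s\n' "$group" "$name" "$(encryption_mode "$enc")"
  done
}

# Remediate (live): grant the vault identity get/wrapKey/unwrapKey on the Key
# Vault, point the vault at the key, then re-read the setting to verify.
# Skips vaults that already report CMK.
enable_cmk() {
  group=$1; vault=$2; keyvault=$3; key_uri=$4
  enc=$(az backup vault show --name "$vault" --resource-group "$group" \
          --query properties.encryption -o json)
  if [ "$(encryption_mode "$enc")" = "CMK" ]; then
    echo "$vault already uses CMK: $(printf '%s' "$enc" | extract_key_uri)"
    return 0
  fi
  # Ensure a system-assigned identity exists and capture its object id.
  principal=$(az backup vault identity assign --system-assigned \
                --name "$vault" --resource-group "$group" \
                --query identity.principalId -o tsv)
  az keyvault set-policy --name "$keyvault" --object-id "$principal" \
      --key-permissions get wrapKey unwrapKey >/dev/null
  az backup vault encryption update --name "$vault" --resource-group "$group" \
      --encryption-key-id "$key_uri" --mi-system-assigned >/dev/null
  # Verify by re-reading the vault rather than trusting the exit status.
  enc=$(az backup vault show --name "$vault" --resource-group "$group" \
          --query properties.encryption -o json)
  [ "$(encryption_mode "$enc")" = "CMK" ]
}

# Constructed sample documents in the shape of properties.encryption.
CMK_SAMPLE='{"infrastructureEncryption":"Disabled","kekIdentity":{"useSystemAssignedIdentity":true},"keyVaultProperties":{"keyUri":"https://contoso-kv.vault.azure.net/keys/backup-cmk/0123456789abcdef"}}'
MMK_SAMPLE='{"infrastructureEncryption":"Disabled","kekIdentity":null,"keyVaultProperties":null}'
EMPTY_URI_SAMPLE='{"keyVaultProperties":{"keyUri":""}}'

# Offline run over the samples: expect CMK, MICROSOFT_MANAGED, MICROSOFT_MANAGED.
for s in "$CMK_SAMPLE" "$MMK_SAMPLE" "$EMPTY_URI_SAMPLE"; do
  encryption_mode "$s"
done
```

Run the file as-is to see the classification of the three samples; call audit_vaults in a logged-in session to report every vault, and enable_cmk <resource-group> <vault> <keyvault> <key-uri> to remediate one. The classifier treats a missing, null or empty keyUri as Microsoft-managed, which is the failing state for this control.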
Backout Plan:
Using Azure Portal:
1. Switch encryption back to Microsoft-managed keys if needed.
2. Update or remove Key Vault access policies accordingly.
Using Azure CLI:
1. Disable CMK encryption:
az backup vault encryption disable --resource-group <resource-group> --vault-name <vault-name>
2. Adjust Key Vault policies as necessary.
References: