Profile Applicability:

  •  Level 2

Description:
 Azure NetApp Files supports encryption of data at rest using either Microsoft-managed keys or Customer Managed Keys (CMK) stored in Azure Key Vault. Setting the encryption key source to CMK enables organizations to maintain control over key lifecycle management, including rotation and revocation, enhancing data security and compliance.

Rationale:
 Using Customer Managed Keys provides stronger security and compliance guarantees by giving organizations full control over encryption keys. It enables auditability, supports regulatory requirements, and allows key management policies tailored to organizational needs, reducing risks related to unauthorized key access.

Impact:

Pros:

  • Full control over encryption key lifecycle, including rotation and revocation.

  • Enhanced compliance and audit capabilities.

  • Supports separation of duties between key management and data access.

Cons:

  • Increased operational overhead for key management.

  • Requires proper configuration and monitoring to avoid service disruption.

  • Potential additional costs for Azure Key Vault usage.

Default Value:
 By default, encryption keys are Microsoft-managed unless explicitly set to use CMK.

Pre-requisites:

  • Azure Key Vault with appropriate customer-managed keys.

  • Permissions to assign key access to the NetApp Files service principal.

  • Administrative rights to configure NetApp Files encryption settings.

Remediation:

Test Plan:

Using Azure Portal:

  1. Navigate to https://portal.azure.com.

  2. Open the Azure NetApp Files account.

  3. Go to Encryption or Security settings.

  4. Verify that the Encryption Key Source is set to Customer Managed Key.

  5. Confirm the Key Vault URI and key name are correctly configured.

Using Azure CLI:

Retrieve the NetApp Files account encryption settings:

az netappfiles account show --resource-group <resource-group> --account-name <account-name> --query encryption.keySource

  1. Confirm the value is Microsoft.KeyVault.
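Checking one account by hand is fine for a spot check, but an audit usually covers every Azure NetApp Files account in a subscription. The script below is an added example, not part of this benchmark item, and it evaluates the JSON that `az netappfiles account list -o json` returns: an account passes only if `encryption.keySource` is `Microsoft.KeyVault` and the Key Vault URI and key name are both populated. It also flags an account with no managed identity, since the identity is what receives the Key Vault access (this check goes beyond the test plan above and is an assumption of the example). The field names follow the NetApp account resource shape (`encryption.keySource`, `encryption.keyVaultProperties.keyVaultUri`, `keyName`); the embedded sample accounts and their names, IDs and URIs are constructed placeholders.

```python
import json
import sys

# Constructed sample modelled on `az netappfiles account list -o json` output.
# Resource names, IDs and URIs are placeholders, not real resources.
SAMPLE_ACCOUNTS_JSON = """
[
  {
    "name": "anf-prod",
    "resourceGroup": "rg-prod",
    "identity": {"type": "SystemAssigned",
                 "principalId": "00000000-0000-0000-0000-000000000001"},
    "encryption": {
      "keySource": "Microsoft.KeyVault",
      "keyVaultProperties": {
        "keyVaultUri": "https://kv-prod.vault.azure.net/",
        "keyName": "anf-cmk",
        "keyVaultResourceId": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"
      }
    }
  },
  {
    "name": "anf-dev",
    "resourceGroup": "rg-dev",
    "encryption": {"keySource": "Microsoft.NetApp"}
  },
  {
    "name": "anf-legacy",
    "resourceGroup": "rg-legacy",
    "encryption": {"keySource": "Microsoft.KeyVault",
                   "keyVaultProperties": {"keyName": "anf-cmk"}}
  }
]
"""

CMK_SOURCE = "Microsoft.KeyVault"


def audit_account(account: dict) -> list[str]:
    """Return the findings for one account; an empty list means compliant."""
    findings = []
    enc = account.get("encryption") or {}
    if enc.get("keySource") != CMK_SOURCE:
        # Platform-managed keys (Microsoft.NetApp) or no encryption block at all.
        findings.append("encryption key source is not Microsoft.KeyVault (platform-managed keys in use)")
        return findings
    kv = enc.get("keyVaultProperties") or {}
    if not kv.get("keyVaultUri"):
        findings.append("CMK configured but keyVaultUri is missing")
    if not kv.get("keyName"):
        findings.append("CMK configured but keyName is missing")
    # Assumption of this example: the account needs a managed identity to reach Key Vault.
    if not (account.get("identity") or {}).get("type"):
        findings.append("no managed identity on the account to access Key Vault")
    return findings


def audit_accounts(accounts_json: str) -> dict[str, list[str]]:
    """Map '<resourceGroup>/<name>' to findings for every non-compliant account."""
    results = {}
    for acct in json.loads(accounts_json):
        findings = audit_account(acct)
        if findings:
            results[f"{acct.get('resourceGroup')}/{acct.get('name')}"] = findings
    return results


if __name__ == "__main__":
    # Pass a file containing `az netappfiles account list -o json` output,
    # or run with no argument to evaluate the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCOUNTS_JSON
    failures = audit_accounts(data)
    for key, findings in failures.items():
        print(f"FAIL {key}")
        for f in findings:
            print(f"  - {f}")
    sys.exit(1 if failures else 0)
```

Run it as `az netappfiles account list -o json > accounts.json && python3 audit_anf_cmk.py accounts.json`; a non-zero exit code makes it usable as a gate in a scheduled compliance job. Against the sample, `anf-prod` passes, `anf-dev` fails on key source, and `anf-legacy` fails because the Key Vault URI and the identity are missing even though CMK is selected.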

Implementation Plan:

Using Azure Portal:

  1. Assign necessary access policies on Azure Key Vault to the NetApp Files service principal.

  2. Update the NetApp Files account encryption settings to use the customer-managed key.

  3. Save and validate the configuration.

Using Azure CLI:

Assign Key Vault permissions:

az keyvault set-policy --name <keyvault-name> --object-id <netapp-service-principal-object-id> --key-permissions get wrapKey unwrapKey

Update NetApp Files account to use CMK:

az netappfiles account update --resource-group <resource-group> --account-name <account-name> --key-source Microsoft.KeyVault --key-vault-uri <key-vault-uri> --key-name <key-name> --keyvault-resource-id <key-vault-resource-id>

Backout Plan:

Using Azure Portal:

  1. Revert encryption key source to Microsoft-managed keys if needed.

  2. Remove or adjust Key Vault access policies accordingly.

Using Azure CLI:

Reset encryption key source:

az netappfiles account update --resource-group <resource-group> --account-name <account-name> --key-source Microsoft.NetApp

References: