Profile Applicability:

  •  Level 2

Description:
 Azure Elastic SAN encrypts all volume data at rest. Encryption is configured per volume group, using either Microsoft-managed (platform) keys or customer-managed keys (CMK) held in Azure Key Vault. With CMK the customer, not Microsoft, controls the key lifecycle: creation, rotation, and revocation.

Rationale:
 Using CMK gives the organization direct control over the key that protects its data. The key can be rotated on the organization's own schedule, every use of it is recorded in Key Vault logging, and disabling the key (or removing the volume group's access to it) makes the data unreadable to everyone, including Microsoft. This supports regulatory requirements that call for customer-controlled keys and separates data administration from key administration.

Impact:

Pros:

  • Full control over encryption key lifecycle and access.

  • Enables key rotation and revocation per organizational policies.

  • Enhances compliance and audit capabilities.

Cons:

  • Increases operational overhead to manage keys securely.

  • Availability now depends on the key: if the key is disabled, expired, deleted, or the volume group's identity loses access to the vault, the volumes become inaccessible. Key expiry and access must be monitored.

  • May incur additional Azure Key Vault costs.

Default Value:
 By default, Azure Elastic SAN volume groups encrypt data with Microsoft-managed keys (encryption type EncryptionAtRestWithPlatformKey) unless CMK is configured.

Pre-requisites:

  • An Azure Key Vault with soft delete and purge protection enabled, containing an RSA key for the volume group.

  • A managed identity (system-assigned or user-assigned) on the volume group, granted get, wrapKey and unwrapKey permissions on that key (an access policy, or the Key Vault Crypto Service Encryption User role on RBAC-enabled vaults).

  • Administrative rights to configure identity and encryption settings on Elastic SAN volume groups.

Remediation

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Navigate to the Azure Elastic SAN resource and, under Settings, select Volume groups.

  3. Select a volume group and open its Encryption settings.

  4. Verify that the encryption type is Customer-managed keys rather than Microsoft-managed keys.

  5. Confirm the Key Vault, key name and (if one is pinned) key version are correct, and that the managed identity shown has access to that vault.

  6. Repeat for every volume group; the setting is per volume group, not per SAN.

Using Azure CLI:

Retrieve the encryption settings of a volume group (the elastic-san CLI extension is required; the commands below are for Elastic SAN, not Azure File Sync):

az extension add --name elastic-san

az elastic-san volume-group show --resource-group <resource-group> --elastic-san-name <elastic-san-name> --name <volume-group-name> --query "{encryption:encryption, keyVault:encryptionProperties.keyVaultProperties, identity:identity.type}" --output json

Confirm that encryption is EncryptionAtRestWithCustomerManagedKey (not EncryptionAtRestWithPlatformKey) and that keyVaultProperties contains the Key Vault URI and key name. To review every volume group in a SAN at once:

az elastic-san volume-group list --resource-group <resource-group> --elastic-san-name <elastic-san-name> --query "[].{name:name, encryption:encryption, keyVaultUri:encryptionProperties.keyVaultProperties.keyVaultUri}" --output table
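The following checker is an added example, not part of this benchmark or of any Microsoft tooling. It reads the JSON array produced by az elastic-san volume-group list and reports, per volume group, why it fails this control: platform-key encryption, a missing or non-HTTPS Key Vault URI, a missing key name, a pinned key version (which must be updated by hand after every rotation), or no managed identity. The three volume group records are constructed samples, and the field names (encryption, encryptionProperties.keyVaultProperties, identity.type) follow the volume group resource schema as the author understands it; verify them against your own show output before relying on the script.

```python
"""Audit Azure Elastic SAN volume groups for customer-managed key encryption.

Input is the JSON array printed by
    az elastic-san volume-group list -g <resource-group> -e <elastic-san-name> -o json
The records in SAMPLE_LIST_JSON are constructed for an offline run; the field
names are assumed from the Microsoft.ElasticSan volume group schema.
"""
import json
from urllib.parse import urlparse

CMK = "EncryptionAtRestWithCustomerManagedKey"
PLATFORM_KEY = "EncryptionAtRestWithPlatformKey"


def audit_volume_group(vg: dict) -> list[str]:
    """Return the findings for one volume group; an empty list means compliant."""
    findings = []
    enc = vg.get("encryption")
    if enc != CMK:
        findings.append(f"encryption is {enc!r}, expected {CMK}")
        return findings  # nothing further to inspect for platform keys

    props = vg.get("encryptionProperties") or {}
    kv = props.get("keyVaultProperties") or {}

    # The key must be addressed by an HTTPS Key Vault URI.
    uri = kv.get("keyVaultUri") or ""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(f"keyVaultUri missing or not https: {uri!r}")
    if not kv.get("keyName"):
        findings.append("keyName is not set")

    # A pinned keyVersion keeps the old version in use after the key is
    # rotated in Key Vault until someone updates the volume group.
    if kv.get("keyVersion"):
        findings.append("keyVersion is pinned; rotation will need a manual update")

    # Without a managed identity the service cannot wrap/unwrap with the key.
    identity_type = (vg.get("identity") or {}).get("type") or "None"
    if identity_type == "None":
        findings.append("no managed identity assigned to the volume group")
    return findings


def audit_all(list_json: str) -> dict[str, list[str]]:
    """Map each volume group name to its findings."""
    return {vg["name"]: audit_volume_group(vg) for vg in json.loads(list_json)}


# Constructed sample output: one compliant group, one on platform keys,
# one misconfigured CMK group. Names and values are invented.
SAMPLE_LIST_JSON = json.dumps([
    {
        "name": "vg-prod",
        "encryption": CMK,
        "encryptionProperties": {
            "keyVaultProperties": {
                "keyName": "san-cmk",
                "keyVersion": None,
                "keyVaultUri": "https://kv-example.vault.azure.net/",
            },
            "identity": {"userAssignedIdentity": None},
        },
        "identity": {"type": "SystemAssigned"},
    },
    {
        "name": "vg-dev",
        "encryption": PLATFORM_KEY,
        "encryptionProperties": None,
        "identity": None,
    },
    {
        "name": "vg-legacy",
        "encryption": CMK,
        "encryptionProperties": {
            "keyVaultProperties": {
                "keyName": "",
                "keyVersion": "0123456789abcdef0123456789abcdef",
                "keyVaultUri": "http://kv-example.vault.azure.net/",
            }
        },
        "identity": {"type": "None"},
    },
])

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_LIST_JSON).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("    - " + finding)
```

To run it against a real SAN, replace SAMPLE_LIST_JSON with the output of the list command above; a volume group passes only when it reports no findings.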

Implementation Plan

Using Azure Portal:

  1. On the volume group, enable a system-assigned managed identity (or attach a user-assigned identity).

  2. In the Key Vault, grant that identity get, wrapKey and unwrapKey permissions on the key (access policy) or the Key Vault Crypto Service Encryption User role (RBAC-enabled vault). Ensure soft delete and purge protection are enabled on the vault.

  3. On the volume group's Encryption settings, select Customer-managed keys, choose the Key Vault and key (leave the version unset to follow rotations automatically), and save.

  4. Validate that the encryption type now shows customer-managed keys and that existing volumes remain accessible.

Using Azure CLI:

Enable a managed identity on the volume group and record its principal ID (the elastic-san CLI extension is required):

az elastic-san volume-group update --resource-group <resource-group> --elastic-san-name <elastic-san-name> --name <volume-group-name> --identity '{type:SystemAssigned}' --query identity.principalId --output tsv

Ensure the vault has purge protection (soft delete is enabled by default on new vaults) and grant the identity access to keys. For a vault using access policies:

az keyvault update --name <keyvault-name> --enable-purge-protection true

az keyvault set-policy --name <keyvault-name> --object-id <volume-group-principal-id> --key-permissions get wrapKey unwrapKey

For an RBAC-enabled vault, assign the role instead of a policy:

az role assignment create --role "Key Vault Crypto Service Encryption User" --assignee-object-id <volume-group-principal-id> --assignee-principal-type ServicePrincipal --scope $(az keyvault show --name <keyvault-name> --query id --output tsv)

Switch the volume group to the customer-managed key (omit key-version so the latest key version is used after rotation; for a user-assigned identity add identity:{user-assigned-identity:<identity-resource-id>} inside --encryption-properties):

az elastic-san volume-group update --resource-group <resource-group> --elastic-san-name <elastic-san-name> --name <volume-group-name> --encryption EncryptionAtRestWithCustomerManagedKey --encryption-properties '{key-vault-properties:{key-name:<key-name>,key-vault-uri:https://<keyvault-name>.vault.azure.net/}}'

Backout Plan

Using Azure Portal:

  1. On the volume group's Encryption settings, switch the encryption type back to Microsoft-managed keys and save.

  2. Remove the Key Vault access policy or role assignment granted to the volume group's identity, and remove the identity if it is no longer needed.

Using Azure CLI:

Reset encryption to Microsoft-managed keys:

az elastic-san volume-group update --resource-group <resource-group> --elastic-san-name <elastic-san-name> --name <volume-group-name> --encryption EncryptionAtRestWithPlatformKey

Then remove the vault access that was granted during implementation, for example:

az keyvault delete-policy --name <keyvault-name> --object-id <volume-group-principal-id>

References: