
# Master key storage how to

Azure Key Vault and Azure Key Vault Managed HSM support the same APIs and management interfaces for configuration, so everything below applies to either.

## How Azure Storage uses a customer-managed key

The following diagram shows how Azure Storage uses Azure AD and a key vault or managed HSM to make requests using the customer-managed key. The following list explains the numbered steps in the diagram:

1. An Azure Key Vault admin grants permissions to encryption keys to a managed identity. The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account.
2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
3. Azure Storage uses the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Azure AD.
4. Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault.
5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

The managed identity that is associated with the storage account must have these key permissions at a minimum to access a customer-managed key in Azure Key Vault: get, wrapKey and unwrapKey. It needs nothing more: the identity never reads the key material itself, it only asks the vault to wrap and unwrap the account key, so do not grant it broader key, secret or certificate rights. For more information about key permissions, see Key types, algorithms, and operations.

Azure Policy provides a built-in policy to require that storage accounts use customer-managed keys for Blob Storage and Azure Files workloads. For more information, see the Storage section in Azure Policy built-in policy definitions.

## Customer-managed keys for queues and tables

Data stored in Queue and Table storage is not automatically protected by a customer-managed key when customer-managed keys are enabled for the storage account. You can optionally configure these services to be included in this protection, but only at the time that you create the storage account, so decide before the account exists whether queues and tables must be covered. For more information about how to create a storage account that supports customer-managed keys for queues and tables, see Create an account that supports customer-managed keys for tables and queues.

Data in Blob storage and Azure Files is always protected by customer-managed keys when customer-managed keys are configured for the storage account.

## Enable customer-managed keys for a storage account

When you configure a customer-managed key, Azure Storage wraps the root data encryption key for the account with the customer-managed key in the associated key vault or managed HSM. Enabling customer-managed keys does not impact performance, and takes effect immediately.

When you enable or disable customer-managed keys, or when you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Storage account does not need to be re-encrypted. Only the wrapped copy of the root key is re-wrapped under the new key; the data encryption keys beneath it, and the data they protect, stay as they are.

You can enable customer-managed keys on both new and existing storage accounts. When you enable customer-managed keys, you must specify a managed identity to be used to authorize access to the key vault that contains the key. The managed identity may be either a user-assigned or a system-assigned managed identity, with one restriction:

- When you configure customer-managed keys at the time that you create a storage account, you must use a user-assigned managed identity. A system-assigned identity does not exist until the account does, so it cannot have been granted access to the key beforehand.
- When you configure customer-managed keys on an existing storage account, you can use either a user-assigned managed identity or a system-assigned managed identity.

To learn more about system-assigned versus user-assigned managed identities, see Managed identities for Azure resources.

You can switch between customer-managed keys and Microsoft-managed keys at any time. For more information about Microsoft-managed keys, see About encryption key management. To learn how to configure Azure Storage encryption with customer-managed keys in a key vault, see Configure encryption with customer-managed keys stored in Azure Key Vault.
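The procedure above as an Azure CLI script, added here as an example; it is not code from the page or from Microsoft's documentation. Steps 1 and 2 of the diagram map onto `grant_key_policy` (or `grant_key_role` for a vault on the Azure RBAC model) and `apply_cmk`, the new-account path uses a user-assigned identity and opts queues and tables in, and the existing-account path uses a system-assigned identity. All resource names (`rg-cmk-demo`, `kv-cmk-demo`, `id-storage-cmk`, the `cmk-root` key) are placeholders, and `split_key_id` is a helper written for this example that turns a Key Vault key identifier into the separate vault URI, key name and optional version the storage account settings take.

```shell
#!/usr/bin/env bash
# Added example (not from the page): customer-managed keys with the Azure CLI.
# All names below are placeholders for this example.
set -eu

RG="rg-cmk-demo"
LOCATION="eastus"
VAULT="kv-cmk-demo"
UAMI="id-storage-cmk"                                        # user-assigned identity
KEY_ID="https://kv-cmk-demo.vault.azure.net/keys/cmk-root"    # unversioned key identifier

# Split "<vault-uri>/keys/<name>[/<version>]" into "<vault-uri>/ <name> <version>".
# The version may be empty; the three fields feed the --encryption-key-* flags.
split_key_id() {
    kid="$1"
    case "$kid" in
        https://*/keys/*) ;;
        *) echo "not a Key Vault key identifier: $kid" >&2; return 1 ;;
    esac
    vault_uri="${kid%%/keys/*}/"
    rest="${kid#*/keys/}"
    name="${rest%%/*}"
    version="${rest#"$name"}"; version="${version#/}"
    [ -n "$name" ] || { echo "empty key name in $kid" >&2; return 1; }
    case "$version" in
        */*) echo "unexpected path after version in $kid" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$vault_uri" "$name" "$version"
}

# Step 1: the key vault admin grants the identity ($1 = its principalId) the
# minimum key permissions. Access-policy vaults use set-policy, RBAC vaults a role.
grant_key_policy() {
    az keyvault set-policy --name "$VAULT" --resource-group "$RG" \
        --object-id "$1" --key-permissions get wrapKey unwrapKey --output none
}
grant_key_role() {
    vault_id=$(az keyvault show --name "$VAULT" --resource-group "$RG" --query id --output tsv)
    az role assignment create --role "Key Vault Crypto Service Encryption User" \
        --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
        --scope "$vault_id" --output none
}

# Step 2: point an existing account ($1) at the key ($2). Re-running this with a
# new key or version is a rotation: only the wrapped root key changes.
apply_cmk() {
    fields=$(split_key_id "$2") || return 1
    set -- "$1" $fields
    ver_args=""
    [ -z "${4:-}" ] || ver_args="--encryption-key-version $4"
    az storage account update --resource-group "$RG" --name "$1" \
        --encryption-key-source Microsoft.Keyvault \
        --encryption-key-vault "$2" --encryption-key-name "$3" $ver_args --output none
}

# New account ($1): CMK at creation time requires a user-assigned identity, and
# Queue/Table protection can only be opted in here.
create_account_with_cmk() {
    az identity create --resource-group "$RG" --name "$UAMI" --location "$LOCATION" --output none
    identity_id=$(az identity show --resource-group "$RG" --name "$UAMI" --query id --output tsv)
    principal_id=$(az identity show --resource-group "$RG" --name "$UAMI" --query principalId --output tsv)
    grant_key_policy "$principal_id"
    fields=$(split_key_id "$KEY_ID") || return 1
    set -- "$1" $fields
    ver_args=""
    [ -z "${4:-}" ] || ver_args="--encryption-key-version $4"
    az storage account create --resource-group "$RG" --name "$1" --location "$LOCATION" \
        --sku Standard_LRS --kind StorageV2 \
        --identity-type UserAssigned --user-identity-id "$identity_id" \
        --key-vault-user-identity-id "$identity_id" \
        --encryption-key-source Microsoft.Keyvault \
        --encryption-key-vault "$2" --encryption-key-name "$3" $ver_args \
        --encryption-key-type-for-queue Account --encryption-key-type-for-table Account \
        --output none
}

# Existing account ($1): a system-assigned identity is enough; --assign-identity
# creates it and returns the principalId the vault admin grants access to.
enable_cmk_on_existing() {
    principal_id=$(az storage account update --resource-group "$RG" --name "$1" \
        --assign-identity --query identity.principalId --output tsv)
    grant_key_policy "$principal_id"
    apply_cmk "$1" "$KEY_ID"
}

# Switch back to Microsoft-managed keys at any time.
revert_to_microsoft_managed() {
    az storage account update --resource-group "$RG" --name "$1" \
        --encryption-key-source Microsoft.Storage --output none
}

# Check: keySource must read Microsoft.Keyvault and name the expected key.
show_cmk() {
    az storage account show --resource-group "$RG" --name "$1" --query \
        "encryption.{source:keySource,vault:keyVaultProperties.keyVaultUri,key:keyVaultProperties.keyName,version:keyVaultProperties.keyVersion}" \
        --output table
}

if [ "${1:-}" = "new" ]; then create_account_with_cmk "${2:?account name}"; show_cmk "$2"
elif [ "${1:-}" = "existing" ]; then enable_cmk_on_existing "${2:?account name}"; show_cmk "$2"
fi
```

Run it as `bash cmk.sh new <account>` or `bash cmk.sh existing <account>` after `az login`. `KEY_ID` is deliberately unversioned: when no `--encryption-key-version` is passed, the account follows the key's current version, whereas a versioned identifier pins it and a later `apply_cmk` call is how you move to the next version. `show_cmk` is the check to run after either path; if `source` does not read `Microsoft.Keyvault`, the identity most often lacks one of get, wrapKey or unwrapKey on the vault.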