We are planning to use a Storage API which will be accessed by some LoB apps. Some apps will be using one Storage Account belonging to one Business Unit; other apps will be using a different Storage Account if they are part of another BU.
We are using CMK to encrypt our Storage Accounts. There will be PII and PCI data in the Storage Accounts. So I would like to know two things:
1) Is it possible to encrypt data at rest at the Storage Account container level instead of the Storage Account level, or, say, is it possible to additionally implement encryption at the container level with CMK in addition to using SSE at the Storage Account level? Do I have to use Encryption Scope here and use "Container" as the encryption scope? If yes, can I change the scope for an already existing container, or does this have to be done only when you create a new container?
2) If my super administrator is provided an RBAC role, say "Azure Storage Blob Data Contributor", and I have encryption enabled in my storage account with CMK, can the super administrator still read the blob data by having the Azure Storage Blob Data Contributor role? What I have noticed is that when I encrypt using a CMK and go to the portal, open the file and then click on "Edit", it shows me that the file is encrypted. But when I download the file, I can see all the contents.
So is this by design? If someone can download the file and see the contents, then how is encryption at rest applied to the blob? Also, I have noticed that if it's a JPEG file and I go to "Edit" in the portal for the blob, I can still see the JPG file, but I cannot see the file if it's a .pdf or .doc. Is that how it is supposed to be?
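The following is an added example, not part of the original post or of any Microsoft documentation, showing how container-level CMK encryption is set up with an encryption scope in Azure PowerShell (Az.Storage module), and why a principal with a data-plane role such as Storage Blob Data Contributor still reads plaintext: server-side encryption, including with a customer-managed key, is transparent to every caller Azure authorizes, so the set of people who can read the data is the RBAC assignment list, not the key's access policy. Every name below (resource group, account, vault, key, container, file) is an assumed placeholder; the storage account's managed identity must already hold get/wrapKey/unwrapKey on the Key Vault key.

```powershell
# Added example (not from the original post): a Key Vault backed encryption scope,
# a container that forces every blob into that scope, an upload, and two checks.
# All names below are assumptions chosen for illustration.
$rg        = "rg-bu-finance"                                        # assumption
$account   = "stbufinance001"                                       # assumption
$scopeName = "scope-pci-finance"                                    # assumption
$keyUri    = "https://kv-bu-finance.vault.azure.net/keys/pci-cmk"   # assumption; versionless URI lets the scope follow key rotation
$container = "pci-cardholder"                                       # assumption

# 1. An encryption scope lives on the account and points at the BU's own CMK.
#    This is the object that gives you CMK granularity below the account level.
New-AzStorageEncryptionScope -ResourceGroupName $rg -StorageAccountName $account `
    -EncryptionScopeName $scopeName -KeyvaultEncryption -KeyUri $keyUri

# 2. The container gets that scope as its default. PreventEncryptionScopeOverride
#    stops a writer from uploading a blob under a different (e.g. Microsoft-managed) scope,
#    so PCI/PII blobs cannot land in the container under the wrong key.
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
New-AzStorageContainer -Name $container -Context $ctx `
    -DefaultEncryptionScope $scopeName -PreventEncryptionScopeOverride $true

# 3. Encryption scope is applied per blob at write time; naming it explicitly is optional
#    when the container default is set, but it documents intent in the upload script.
Set-AzStorageBlobContent -File ".\statement.pdf" -Container $container -Blob "statement.pdf" `
    -Context $ctx -EncryptionScope $scopeName

# 4. Check which scope protects the blob. This is the property the portal's
#    "encrypted" indicator reflects; downloads are still decrypted server-side.
(Get-AzStorageBlob -Container $container -Blob "statement.pdf" -Context $ctx).BlobProperties.EncryptionScope

# 5. Audit who can read the plaintext: any principal with a Storage Blob Data read/contributor
#    role on the account (or a parent scope) reads decrypted bytes regardless of CMK.
$accountId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Id
Get-AzRoleAssignment -Scope $accountId |
    Where-Object RoleDefinitionName -like "Storage Blob Data*" |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Step 5 is the control that matters for the second question: CMK decides who can make the key unusable (revoke the key or the identity's access, and reads fail), while RBAC decides who receives plaintext in the meantime. If the requirement is that even a storage administrator must not see the bytes, that needs client-side encryption in the application before upload, which server-side CMK does not provide.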