pallab asked deherman-MSFT answered

Azure Storage Encryption at the Storage Container Level

We are planning to use a Storage API which will be accessed by some LoB apps. Some apps will be using one Storage Account belonging to one Business Unit; other apps will be using a different Storage Account if they are part of another BU.
We are using CMK to encrypt our Storage Accounts. There will be PII and PCI data in the Storage Accounts. So I would like to know two things:

1) Is it possible to encrypt data at rest at the Storage Account container level instead of the Storage Account level, or, say, is it possible to additionally implement encryption at the container level with CMK in addition to using SSE at the Storage Account level? Do I have to use Encryption Scope here and use "Container" as the encryption scope? If yes, can I change the scope for an already existing container, or does this have to be done only when you create a new container?

2) If my super administrator is given an RBAC role, say "Azure Storage Blob Data Contributor", and I have encryption enabled in my Storage Account with CMK, can the super administrator still read the blob data by having the Azure Storage Blob Data Contributor role? What I have noticed is that when I encrypt using a CMK and then go to the portal, open the file and click on "Edit", it shows me that the file is encrypted. But when I download the file, I can see all the contents.
So is this by design? If someone can download the file and see the contents, then how is encryption at rest applied to the blob? Also, I have noticed that if it's a JPEG file and I go to "Edit" in the portal for the blob, I can still see the JPG file, but I cannot see the file only if it's a .pdf or .doc. Is that how it is supposed to be?

Tags: azure-storage-accounts, azure-blob-storage, azure-disk-encryption

1 Answer

deherman-MSFT answered

@pallab
Yes, you can have an encryption scope apply to a specific container. You simply need to create an encryption scope. After the encryption scope is created, when you create a container you can specify a default encryption scope for the blobs that are subsequently uploaded to that container. You cannot change or add a default encryption scope for a container after it is created. For more information see Encryption scopes for containers and blobs.

Your super administrator would need access to the encryption key to view the data or download the blobs. If they do not have access to the proper encryption key then they would not be able to read or download the blob. When you download the file it will no longer be subject to encryption and can be read by anyone. I recommend reading About customer-managed keys and Azure Storage encryption for data at rest for a better understanding of how it works.



Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
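The procedure the answer describes, as an added Azure PowerShell example that is not part of the original post and not Microsoft's own sample: create a CMK-backed encryption scope, then create the container with that scope as its default (the default cannot be added to an existing container, so it has to happen at creation time), upload a blob and read back which scope protected it. All names (resource group, storage account, Key Vault, key, scope and container) are placeholders. One point worth keeping in mind when judging the "super administrator" question: the service decrypts on the read path, so any principal holding a data-plane role such as Storage Blob Data Contributor receives plaintext; what the key controls is whether the service can decrypt at all, which is why the storage account's identity, not the user, is the one granted access to the key in step 1.

```powershell
# Added example (not from the original post). All values below are placeholders.
$rg        = "rg-bu-finance"      # placeholder resource group
$account   = "stbufinance001"     # placeholder storage account (already CMK-enabled, has a managed identity)
$kvName    = "kv-bu-finance"      # placeholder Key Vault that holds the CMK
$keyName   = "cmk-pii-container"  # placeholder key dedicated to this container's scope
$scopeName = "scope-pii"          # placeholder encryption scope name
$container = "pii-documents"      # placeholder container name

# 1. The storage account's system-assigned identity (not the end user) is what unwraps the key.
#    Grant it get/wrapKey/unwrapKey on the vault (access-policy model shown here).
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 2. Create an encryption scope whose key source is Key Vault (the account-level SSE key stays as is;
#    blobs in this scope are additionally keyed by this scope's CMK).
$key = Get-AzKeyVaultKey -VaultName $kvName -Name $keyName
New-AzStorageEncryptionScope -ResourceGroupName $rg -StorageAccountName $account `
    -EncryptionScopeName $scopeName -KeyvaultEncryption -KeyUri $key.Id

# 3. Create the container with the scope as its default. PreventEncryptionScopeOverride stops
#    an upload from naming a different (possibly weaker) scope for an individual blob.
$ctx = $sa.Context
New-AzStorageContainer -Name $container -Context $ctx `
    -DefaultEncryptionScope $scopeName -PreventEncryptionScopeOverride $true

# 4. Upload a blob and confirm the scope recorded on it; expected value is the scope name set above.
Set-AzStorageBlobContent -File ".\statement.pdf" -Container $container -Blob "statement.pdf" -Context $ctx
$blob = Get-AzStorageBlob -Container $container -Blob "statement.pdf" -Context $ctx
"Blob encryption scope: " + $blob.BlobProperties.EncryptionScope
```

If the Key Vault uses Azure RBAC instead of access policies, replace step 1 with a "Key Vault Crypto Service Encryption User" role assignment for the storage account identity. Disabling the scope (or removing the identity's access to its key) is the lever that makes reads of that container fail regardless of the caller's RBAC role, which is the behaviour to exercise in a test before relying on it for PII/PCI data.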
