0 Votes
Rahul-8658 asked SaiKishor-MSFT edited

Blob Encryption

How do I enable CMK encryption for the activity log storage container using the portal? If I enable CMK encryption while creating a storage account or after creating it, does it apply to all the blob containers as well?

azure-storage-accounts azure-blob-storage

1 Answer

0 Votes
AndriyBilous answered SaiKishor-MSFT edited

Hello @Rahul-8658

When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data in Blob storage, Azure Files, Tables and Queues.
You need to use Encryption scopes to manage encryption at the level of an individual blob or container.
You can create Encryption scopes in Azure Portal:
1. Navigate to your storage account in the Azure portal.
2. Select the Encryption setting.
3. Select the Encryption Scopes tab.
4. Click the Add button to add a new encryption scope.
5. In the Create Encryption Scope pane, enter a name for the new scope.
6. Select the desired type of encryption key support, Customer-managed keys.
7. Select a subscription and specify a key vault or a managed HSM and a key to use for this encryption scope.

https://docs.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

When you create a container, it will automatically select an encryption scope, but you can’t change the encryption scope after the container is created since the encryption scope when created is already defined by the encryption parameters, i.e., Microsoft-managed default keys or Customer managed keys.

You can select the customer managed key encryption scope at the time of creating a container or blob as shown in the screenshot below.
https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?toc=%2Fazure%2Fstorage%2Fqueues%2Ftoc.json&tabs=portal
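The answer above explains that CMK can apply at the account level or per container through an encryption scope; the following is an added example (not code from the thread or from Cloud Conformity) of how a CSPM-style check for "BYOK on the Activity Log storage account" would evaluate both levels. The input dictionaries are constructed sample data, and their field names are assumed to mirror the output of `az storage account show`, `az storage container show` and `az storage account encryption-scope list`.

```python
"""CSPM-style check: is the storage account receiving exported Activity Logs
(and each of its containers) protected by a customer-managed key (BYOK)?
Added example, not code from the thread or from Cloud Conformity. Sample data
is constructed; field names assume the shape of `az storage account show`,
`az storage container show` and `az storage account encryption-scope list`."""

ACCOUNT_SCOPE = "$account-encryption-key"  # default scope: inherit account key


def account_uses_cmk(account: dict) -> bool:
    """True when account-level encryption is backed by a Key Vault key."""
    enc = account.get("encryption") or {}
    if (enc.get("keySource") or "").lower() != "microsoft.keyvault":
        return False
    kv = enc.get("keyVaultProperties") or {}
    # keySource alone is not enough: vault URI and key name must be set
    return bool(kv.get("keyVaultUri") and kv.get("keyName"))


def scope_uses_cmk(scope: dict) -> bool:
    """True when an encryption scope is enabled and Key Vault backed."""
    key_uri = (scope.get("keyVaultProperties") or {}).get("keyUri")
    return (scope.get("state") == "Enabled"
            and (scope.get("source") or "").lower() == "microsoft.keyvault"
            and bool(key_uri))


def container_is_byok(account: dict, container: dict, scopes: list) -> bool:
    """A container passes if its default scope is a CMK scope, or if it
    inherits the account key and the account itself uses CMK."""
    scope_name = container.get("defaultEncryptionScope") or ACCOUNT_SCOPE
    if scope_name == ACCOUNT_SCOPE:
        return account_uses_cmk(account)
    scope = next((s for s in scopes if s.get("name") == scope_name), None)
    return scope is not None and scope_uses_cmk(scope)


def evaluate(account: dict, containers: list, scopes: list) -> dict:
    """Container name -> pass/fail, one finding per container as a CSPM would."""
    return {c["name"]: container_is_byok(account, c, scopes) for c in containers}


# Constructed sample: the account is still on Microsoft-managed keys; one
# container overrides that with a CMK scope, the other inherits the account key.
SAMPLE_ACCOUNT = {"name": "activitylogsa", "encryption": {"keySource": "Microsoft.Storage"}}
SAMPLE_SCOPES = [{"name": "cmk-scope", "state": "Enabled", "source": "Microsoft.KeyVault",
                  "keyVaultProperties": {"keyUri": "https://example-kv.vault.azure.net/keys/logkey"}}]
SAMPLE_CONTAINERS = [{"name": "insights-activity-logs", "defaultEncryptionScope": "cmk-scope"},
                     {"name": "other-data", "defaultEncryptionScope": ACCOUNT_SCOPE}]
RESULT = evaluate(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS, SAMPLE_SCOPES)
```

With the sample data, `insights-activity-logs` passes because its scope is Key Vault backed, while `other-data` fails because it inherits an account that still uses Microsoft-managed keys.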

Hi, I was following the steps shown by AndriyBilous. I closely follow a website called Trend Micro Cloud Conformity when it comes to CSPM.
Now, the check I'm supposed to write the code for is "Ensures BYOK encryption is properly configured in the Activity Log Storage Account"

This is how they did it https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Monitor/use-byok-for-activity-log-storage-container-encryption.html
Please check this link out.

Now the problem is, I don't really know how they're doing it since I'm new to Azure. I did enable customer managed keys. But they create some sort of diagnostic or activity log which I don't seem to understand.

This is pretty much needed as evident from the check "Ensures BYOK encryption is properly configured in the Activity Log Storage Account". I am not sure how to create the activity log on the portal for the storage account.

Would you help me out with this?

0 Votes

@Rahul-8658 Thank you for reaching out to Microsoft Q&A.

From your description, you are referring to the Activity Log storage container. The article that you shared also talks about the same thing, i.e., the storage account where the activity logs are exported to. Please let me know what exactly you are confused about so I can assist better. Thank you!

0 Votes