Configure encryption with customer-managed keys stored in Azure Key Vault

Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can manage your own keys. Customer-managed keys must be stored in Azure Key Vault or Key Vault Managed Hardware Security Model (HSM) (preview).

This article shows how to configure encryption with customer-managed keys stored in a key vault by using the Azure portal, PowerShell, or Azure CLI. To learn how to configure encryption with customer-managed keys stored in a managed HSM, see Configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM (preview).

Note

Azure Key Vault and Azure Key Vault Managed HSM support the same APIs and management interfaces for configuration.

Configure a key vault

You can use a new or existing key vault to store customer-managed keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions.

Using customer-managed keys with Azure Storage encryption requires that both soft delete and purge protection be enabled for the key vault. Soft delete is enabled by default when you create a new key vault and cannot be disabled. You can enable purge protection either when you create the key vault or after it is created.

To learn how to create a key vault with the Azure portal, see Quickstart: Create a key vault using the Azure portal. When you create the key vault, select Enable purge protection, as shown in the following image.

Screenshot showing how to enable purge protection when creating a key vault

To enable purge protection on an existing key vault, follow these steps:

  1. Navigate to your key vault in the Azure portal.
  2. Under Settings, choose Properties.
  3. In the Purge protection section, choose Enable purge protection.

Add a key

Next, add a key in the key vault.

Azure Storage encryption supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096. For more information about keys, see About keys.

To learn how to add a key with the Azure portal, see Quickstart: Set and retrieve a key from Azure Key Vault using the Azure portal.
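The vault requirements above (soft delete plus purge protection) and the key creation step, as an added PowerShell example that is not part of the original article; it assumes the Az.KeyVault module and placeholder names for the resource group, vault, region and key.

```powershell
# Added example (not from the original article): prepare a key vault for
# customer-managed keys and add an RSA-HSM key. Placeholder values are assumed.
$rgName    = "<resource-group>"
$vaultName = "<key-vault-name>"
$location  = "<region>"          # must match the storage account's region
$keyName   = "<key-name>"

# Soft delete is always on for new vaults; purge protection must be enabled
# explicitly. The Premium SKU is needed for HSM-protected (RSA-HSM) keys.
$keyVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -ErrorAction SilentlyContinue
if (-not $keyVault) {
    $keyVault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rgName -Location $location `
        -Sku Premium -EnablePurgeProtection
}
elseif (-not $keyVault.EnablePurgeProtection) {
    # Existing vault: enabling purge protection is a one-way change.
    $keyVault = Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -EnablePurgeProtection
}

# Fail fast if the vault still does not meet the Azure Storage requirements.
if (-not ($keyVault.EnableSoftDelete -and $keyVault.EnablePurgeProtection)) {
    throw "Key vault $vaultName must have soft delete and purge protection enabled."
}

# Supported sizes are 2048, 3072 and 4096; use -Destination Software for a plain RSA key.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination HSM -KeyType RSA -Size 3072
"Created key {0} version {1} ({2})" -f $key.Name, $key.Version, $key.Key.Kty
```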

Configure encryption with customer-managed keys

Next, configure your Azure Storage account to use customer-managed keys with Azure Key Vault, then specify the key to associate with the storage account.

When you configure encryption with customer-managed keys, you can choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault. Alternatively, you can explicitly specify a key version to be used for encryption until the key version is manually updated.

Note

To rotate a key, create a new version of the key in Azure Key Vault. Azure Storage does not handle the rotation of the key in Azure Key Vault, so you will need to rotate your key manually or create a function to rotate it on a schedule.

Configure encryption for automatic updating of key versions

Azure Storage can automatically update the customer-managed key that is used for encryption to use the latest key version. When the customer-managed key is rotated in Azure Key Vault, Azure Storage will automatically begin using the latest version of the key for encryption.

To configure customer-managed keys with automatic updating of the key version in the Azure portal, follow these steps:

  1. Navigate to your storage account.

  2. On the Settings blade for the storage account, click Encryption. Select the Customer Managed Keys option, as shown in the following image.

    Portal screenshot showing encryption option

  3. Choose the Select from Key Vault option.

  4. Select Select a key vault and key.

  5. Select the key vault containing the key you want to use.

  6. Select the key from the key vault.

    Screenshot showing how to select key vault and key

  7. Save your changes.

After you've specified the key, the Azure portal indicates that automatic updating of the key version is enabled and displays the key version currently in use for encryption.

Screenshot showing automatic updating of the key version enabled

Configure encryption for manual updating of key versions

If you prefer to manually update the key version, then explicitly specify the version at the time that you configure encryption with customer-managed keys. In this case, Azure Storage will not automatically update the key version when a new version is created in the key vault. To use a new key version, you must manually update the version used for Azure Storage encryption.

To configure customer-managed keys with manual updating of the key version in the Azure portal, specify the key URI, including the version. To specify a key as a URI, follow these steps:

  1. To locate the key URI in the Azure portal, navigate to your key vault, and select the Keys setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.

  2. Copy the value of the Key Identifier field, which provides the URI.

    Screenshot showing key vault key URI

  3. In the Encryption key settings for your storage account, choose the Enter key URI option.

  4. Paste the URI that you copied into the Key URI field. Omit the key version from the URI to enable automatic updating of the key version.

    Screenshot showing how to enter key URI

  5. Specify the subscription that contains the key vault.

  6. Save your changes.
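The automatic and manual key-version procedures above, as one added PowerShell example that is not part of the original article. It assumes the Az.Storage and Az.KeyVault modules, placeholder resource names, and a vault that uses access policies (the portal grants the storage account's identity the key permissions for you; here that step is explicit).

```powershell
# Added example (not from the original article): point a storage account at a
# customer-managed key, either following new versions or pinned to one version.
$rgName      = "<resource-group>"
$accountName = "<storage-account-name>"
$vaultName   = "<key-vault-name>"
$keyName     = "<key-name>"

# 1. The storage account needs a managed identity that Key Vault can authorize.
$storageAccount = Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName -AssignIdentity

# 2. Grant that identity only the key permissions Azure Storage uses.
#    For a vault that uses Azure RBAC instead of access policies, assign the
#    "Key Vault Crypto Service Encryption User" role on the vault instead.
$keyVault = Get-AzKeyVault -VaultName $vaultName
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $storageAccount.Identity.PrincipalId `
    -PermissionsToKeys get,wrapkey,unwrapkey

$key = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName   # latest version

# 3a. Automatic updating: pass an empty key version. Azure Storage then follows
#     new key versions (the portal equivalent is a key URI without the version).
Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName `
    -KeyvaultEncryption -KeyName $key.Name -KeyVersion "" -KeyVaultUri $keyVault.VaultUri

# 3b. Manual updating: pin a specific version. Rotating the key in Key Vault has
#     no effect on the account until this is rerun with the new version.
# Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName `
#     -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $keyVault.VaultUri

# 4. Verify what the account actually uses rather than trusting the call succeeded.
$enc = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).Encryption
if ($enc.KeySource -ne "Microsoft.Keyvault") { throw "Customer-managed keys are not active on $accountName" }
$enc.KeyVaultProperties | Format-List KeyVaultUri, KeyName, KeyVersion, CurrentVersionedKeyIdentifier
```

An empty KeyVersion in the output confirms automatic updating; a populated one means the account is pinned and must be updated by hand after each rotation.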

Change the key

You can change the key that you are using for Azure Storage encryption at any time.

To change the key with the Azure portal, follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Select the key vault and choose a new key.
  3. Save your changes.

Revoke customer-managed keys

Revoking a customer-managed key removes the association between the storage account and the key vault.

To revoke customer-managed keys with the Azure portal, disable the key as described in Disable customer-managed keys.

Disable customer-managed keys

When you disable customer-managed keys, your storage account is once again encrypted with Microsoft-managed keys.

To disable customer-managed keys in the Azure portal, follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Deselect the checkbox next to the Use your own key setting.
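The revoke and disable steps above, as an added PowerShell example that is not part of the original article; it assumes the Az modules, placeholder resource names, and a vault that uses access policies. Outside the portal, revoking can also be done without touching the storage account's configuration, by removing the identity's key permissions, which this example shows alongside the full disable.

```powershell
# Added example (not from the original article): revoke or disable
# customer-managed keys for a storage account. Placeholder values are assumed.
$rgName      = "<resource-group>"
$accountName = "<storage-account-name>"
$vaultName   = "<key-vault-name>"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName

# Revoke: remove the storage account identity's key permissions on the vault.
# The account keeps its key reference but can no longer unwrap the key, so data
# access fails until the permissions are restored or customer-managed keys are disabled.
Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $storageAccount.Identity.PrincipalId

# Disable: switch the account back to Microsoft-managed keys.
Set-AzStorageAccount -ResourceGroupName $rgName -Name $accountName -StorageEncryption

# Confirm the key source really changed.
$keySource = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).Encryption.KeySource
if ($keySource -ne "Microsoft.Storage") { throw "Account $accountName is still using customer-managed keys" }
"Account $accountName is now encrypted with Microsoft-managed keys"
```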

Next steps