Configure customer-managed keys with Azure Key Vault by using the Azure portal

Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption of blob and file data.

Customer-managed keys must be stored in an Azure Key Vault. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault must be in the same region, but they can be in different subscriptions. For more information about Azure Storage encryption and key management, see Azure Storage encryption for data at rest. For more information about Azure Key Vault, see What is Azure Key Vault?

This article shows how to configure Azure Storage encryption with customer-managed keys stored in Azure Key Vault, using the Azure portal. To learn how to create a key vault using the Azure portal, see Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal.

Configure Azure Key Vault

Using customer-managed keys with Azure Storage encryption requires that two properties be enabled on the key vault: soft-delete and purge protection (labeled Do Not Purge in some tools). Together they ensure that the key protecting your storage account cannot be permanently deleted, which would leave the data in the account unreadable. Neither property is enabled by default, but both can be enabled using either PowerShell or Azure CLI on a new or existing key vault. Note that purge protection is one-way: once enabled on a vault it cannot be turned off again.

To learn how to enable these properties on an existing key vault, see the sections titled Enabling soft-delete and Enabling Purge Protection in one of the following articles:

Azure Storage encryption supports only 2048-bit RSA keys. For more information about keys, see Key Vault keys in About Azure Key Vault keys, secrets and certificates.
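The same preparation done with Az PowerShell instead of the portal, as an added example that is not part of this article. The resource group, vault, region and key names are assumptions. For an existing vault the two properties are set on the ARM resource through Set-AzResource; newer versions of the Az.KeyVault module also expose Update-AzKeyVault -EnablePurgeProtection for the same purpose.

```powershell
# Added example, not from the original article: prepare a key vault for
# Azure Storage customer-managed keys with Az PowerShell.
# All names and the region below are assumptions.
$resourceGroup = "rg-cmk-demo"
$vaultName     = "kv-cmk-demo"
$location      = "westus2"        # must be the storage account's region
$keyName       = "storage-cmk"

$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -ErrorAction SilentlyContinue
if (-not $vault) {
    # New vault: both flags can be set at creation time.
    $vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup `
        -Location $location -EnableSoftDelete -EnablePurgeProtection
}
else {
    # Existing vault: set the two properties on the ARM resource. Purge
    # protection is one-way; once enabled it cannot be cleared.
    $resource = Get-AzResource -ResourceId $vault.ResourceId -ExpandProperties
    $resource.Properties | Add-Member -MemberType NoteProperty -Name enableSoftDelete      -Value $true -Force
    $resource.Properties | Add-Member -MemberType NoteProperty -Name enablePurgeProtection -Value $true -Force
    Set-AzResource -ResourceId $resource.ResourceId -Properties $resource.Properties -Force | Out-Null
    $vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
}

# Refuse to continue unless both protections are actually on.
if (-not ($vault.EnableSoftDelete -and $vault.EnablePurgeProtection)) {
    throw "$vaultName does not have soft-delete and purge protection enabled"
}

# Create a 2048-bit RSA key, the only size Azure Storage accepts. Omit
# -KeyType/-Size if your Az.KeyVault version predates them; 2048-bit RSA is the default.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# This identifier (vault URI + key name + version) is what the portal's
# "Enter key URI" option asks for.
$key.Id
```

The check on EnableSoftDelete and EnablePurgeProtection is deliberate: if either property failed to apply, the storage account configuration later in this article will be rejected, and it is easier to find out here.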

Enable customer-managed keys

To enable customer-managed keys in the Azure portal, follow these steps:

  1. Navigate to your storage account.

  2. On the Settings blade for the storage account, click Encryption. Select the Use your own key option, as shown in the following figure.

    Portal screenshot showing encryption option

Specify a key

After you enable customer-managed keys, you must specify the key to associate with the storage account, either by entering its URI or by selecting it from a key vault.

Specify a key as a URI

To specify a key as a URI, follow these steps:

  1. To locate the key URI in the Azure portal, navigate to your key vault, and select the Keys setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.

  2. Copy the value of the Key Identifier field, which provides the URI.

    Screenshot showing key vault key URI

  3. In the Encryption settings for your storage account, choose the Enter key URI option.

  4. Paste the URI that you copied into the Key URI field.

    Screenshot showing how to enter key URI

  5. Specify the subscription that contains the key vault.

  6. Save your changes.

Specify a key from a key vault

To specify a key from a key vault, you need a key vault in the same region as the storage account that already contains a key. Then follow these steps:

  1. Choose the Select from Key Vault option.

  2. Select the key vault containing the key you want to use.

  3. Select the key from the key vault.

    Screenshot showing customer-managed key option

  4. Save your changes.
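The portal steps above done with Az PowerShell instead, as an added example that is not part of this article. It makes explicit two things the portal does for you when you select Use your own key: it assigns the storage account a system-assigned managed identity, and it grants that identity an access policy on the key vault. The resource, vault and key names are assumptions, and the vault is assumed to already have soft-delete and purge protection enabled.

```powershell
# Added example, not from the original article: enable customer-managed keys
# on a storage account with Az PowerShell. Names are assumptions; the key
# vault is assumed to already have soft-delete and purge protection enabled.
$resourceGroup  = "rg-cmk-demo"
$storageAccount = "stcmkdemo"
$vaultName      = "kv-cmk-demo"
$keyName        = "storage-cmk"

# 1. Give the storage account a system-assigned managed identity. The portal
#    does this silently when you select "Use your own key".
$account     = Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount -AssignIdentity
$principalId = $account.Identity.PrincipalId

# 2. Let that identity use the key: get (read key metadata) plus wrapKey and
#    unwrapKey (protect and recover the account's data encryption key).
#    Nothing more: the identity never needs sign, decrypt or key-management rights.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToKeys get, wrapKey, unwrapKey

# 3. Resolve the key. The portal's "Enter key URI" option asks for the key
#    identifier; it is just vault URI + key name + version, which is what the
#    storage account stores as three separate properties.
$vault   = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
$key     = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName    # current version
$keyUri  = [uri]$key.Id
$parts   = $keyUri.AbsolutePath.Trim('/').Split('/')                # keys/<name>/<version>
if ($parts.Length -ne 3 -or $parts[0] -ne 'keys') { throw "Unexpected key identifier: $($key.Id)" }

# 4. Point the account at that explicit key version.
Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount `
    -KeyvaultEncryption -KeyName $parts[1] -KeyVersion $parts[2] -KeyVaultUri $vault.VaultUri | Out-Null

# 5. Verify the result rather than trusting the call succeeded.
$enc = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Encryption
if ($enc.KeySource -ne "Microsoft.Keyvault") { throw "Account is still using Microsoft-managed keys" }
$enc.KeyVaultProperties | Format-List KeyVaultUri, KeyName, KeyVersion
```

The access policy in step 2 is the least-privilege set for this scenario; granting the identity broader key permissions (or a vault-wide role) gains nothing and widens the blast radius if the storage account's identity is ever misused.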

Update the key version

When you create a new version of a key, the storage account keeps using the version you originally specified until you update it. Do not disable or delete the previous version until the update has been saved, because the storage account needs the configured version to unwrap its data encryption key. To update the storage account to use the new version, follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Enter the URI for the new key version. Alternately, you can select the key vault and the key again to update the version.
  3. Save your changes.

Use a different key

To change the key used for Azure Storage encryption, follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Enter the URI for the new key. Alternately, you can select the key vault and choose a new key.
  3. Save your changes.

Disable customer-managed keys

When you disable customer-managed keys, the storage account switches back to encryption with Microsoft-managed keys. To disable customer-managed keys, follow these steps:

  1. Navigate to your storage account and display the Encryption settings.
  2. Deselect the checkbox next to the Use your own key setting.
  3. Save your changes.
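The three procedures above (update the key version, use a different key, disable customer-managed keys) with Az PowerShell, as an added example that is not part of this article. Names are assumptions, and the account is assumed to already use a customer-managed key from the vault shown. The helper re-reads the account after each change so that a silently ignored update does not leave you believing the rotation took.

```powershell
# Added example, not from the original article: rotate to a new key version,
# switch to a different key, and fall back to Microsoft-managed keys.
# Names are assumptions; the account is assumed to already use customer-managed keys.
$resourceGroup  = "rg-cmk-demo"
$storageAccount = "stcmkdemo"
$vaultName      = "kv-cmk-demo"
$vaultUri       = (Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup).VaultUri

function Set-StorageAccountKey {
    # Points the account at one explicit key version and confirms the change took.
    param([string]$KeyName, [string]$KeyVersion)
    Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount `
        -KeyvaultEncryption -KeyName $KeyName -KeyVersion $KeyVersion -KeyVaultUri $vaultUri | Out-Null
    $props = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Encryption.KeyVaultProperties
    if ($props.KeyName -ne $KeyName -or $props.KeyVersion -ne $KeyVersion) {
        throw "Storage account still reports $($props.KeyName)/$($props.KeyVersion)"
    }
}

# Update the key version. Creating a new version and re-pointing the account
# are two separate steps; the account does not follow the vault's current
# version on its own, so keep the old version enabled until this succeeds.
$newVersion = Add-AzKeyVaultKey -VaultName $vaultName -Name "storage-cmk" -Destination Software
Set-StorageAccountKey -KeyName $newVersion.Name -KeyVersion $newVersion.Version

# Use a different key (assumed to exist in the same vault).
$other = Get-AzKeyVaultKey -VaultName $vaultName -Name "storage-cmk-2"
Set-StorageAccountKey -KeyName $other.Name -KeyVersion $other.Version

# Disable customer-managed keys: -StorageEncryption switches the key source
# back to Microsoft-managed keys.
Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount -StorageEncryption | Out-Null
$source = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Encryption.KeySource
if ($source -ne "Microsoft.Storage") { throw "Expected Microsoft-managed keys, got $source" }
```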

Next steps