Implementing Data at Rest Encryption in Azure Storage
03/01/2025
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and configuring data encryption at rest in Azure Storage. Protecting stored data is a fundamental security measure. Azure Storage offers strong encryption by default with Microsoft Managed Keys (MMK), and allows the use of Customer Managed Keys (CMK) through Azure Key Vault for greater control [1].
Introduction
Encryption of data at rest ensures that stored data is protected from unauthorized access. In Azure, all data in Azure Storage is encrypted by default [2]. For organizations with strict compliance requirements, using CMK is essential as it grants full control over the lifecycle of encryption keys (creation, rotation, and revocation).
This guide will cover the configuration of both encryption models, with a focus on implementing and validating customer-managed keys.
Why is Data at Rest Encryption Crucial?
- Protection against Unauthorized Access: Ensures that data is unreadable without the decryption key.
- Regulatory Compliance: Helps meet regulations such as LGPD, GDPR, HIPAA, etc.
- Key Control: With CMK, organizations maintain full control over encryption keys.
Prerequisites
- Active Azure Subscription.
- Administrative Access: Permissions to manage Storage Accounts and Key Vaults.
- Existing Azure Storage Account (StorageV2 preferred).
- Azure Key Vault to store CMKs.
Step by Step: Configuring Encryption
1. Encryption with Microsoft Managed Keys (Default)
This is the default and automatic setting. To check:
- Navigate to your Storage Account in the Azure portal.
- Under Security + Network, select Encryption.
- Confirm that the default Encryption Type is Microsoft Managed Keys.
2. Implementing Encryption with Customer Managed Keys (CMK)
2.1. Create an Azure Key Vault and Key
- Create a new Azure Key Vault. Important: enable Purge Protection during creation.
- Inside Key Vault, navigate to Keys and click Generate/Import to create a new key (e.g. storage-cmk-key).
2.2. Configure Storage Account Access
- Navigate to your Storage Account.
- Go to Encryption and change the Encryption Type to Customer Managed Keys.
- Select the option to use a key from Key Vault. When you do this, Azure will prompt you to create a managed identity for the storage account. Allow it.
- Now, go back to your Key Vault and go to Access Policies.
- Create a new access policy. Grant the Get, Wrap Key, and Unwrap Key key permissions.
- In the Security Principal step, search for and select the managed identity for your storage account.
- Save the access policy.
2.3. Configure the Storage Account to Use CMK
- Return to the Encryption page for your storage account.
- Select the Key Vault and the key you created.
- Save changes. From now on, all data recorded in the account will be encrypted with your key.
Validation and Testing
1. Testing Data Access
After configuring the CMK, upload and download a file. Both operations should succeed transparently; the storage service wraps and unwraps the data encryption key with your CMK without any change to the client commands.
# Upload a test file
az storage blob upload --account-name <storage_account> -c <container> -n "test.txt" -f "local/path/to/test.txt" --auth-mode login
# Download the test file
az storage blob download --account-name <storage_account> -c <container> -n "test.txt" -f "local/path/to/downloaded.txt" --auth-mode login
2. Testing Key Access Revocation
This is the most critical test for CMK.
- In your Key Vault, navigate to the key being used.
- Click the current key version and change the Enabled setting to No.
- Wait a few minutes.
- Try accessing the data in your storage account (e.g. try downloading the blob again).
- Expected Result: The operation should fail with an access denied error (403 Forbidden), proving that you have full control over data access.
- Don't forget to re-enable the key to restore access.
Key Rotation
Key rotation is an essential security practice. With CMK, you have two options:
- Manual Rotation: Create a new version of the key in Key Vault and update the encryption configuration in the storage account to point to the new version.
- Automatic Rotation: When configuring the CMK on the storage account, do not specify a key version. The storage account will check Key Vault periodically and automatically use the latest version of the key [3].
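The Azure CLI equivalent of sections 2.1 to 2.3, the key-revocation test, and both rotation options, as an added example that is not the article's own script. RG, LOCATION, KV_NAME, KEY_NAME, STORAGE_ACCOUNT and CONTAINER are placeholder variables that you export before running; the two helpers that parse key identifiers and the `az keyvault show` output are assumptions added here so the preflight check can be exercised without a live subscription.

```shell
#!/usr/bin/env bash
# Added example, not the article's own script: Azure CLI version of sections 2.1-2.3,
# the key-revocation test, and both rotation options. RG, LOCATION, KV_NAME, KEY_NAME,
# STORAGE_ACCOUNT and CONTAINER are placeholder variables you must export first.
set -eu

# Key identifier without its version segment:
#   https://<vault>.vault.azure.net/keys/<key>/<version> -> https://<vault>.vault.azure.net/keys/<key>
cmk_key_base_uri() {
  printf '%s\n' "$1" | sed -E 's#^(https://[^/]+/keys/[^/]+)(/[^/]*)?$#\1#'
}

# Version segment of a key identifier (last path element).
cmk_key_version() {
  printf '%s\n' "${1##*/}"
}

# Preflight: succeed only when an `az keyvault show -o json` document reports both
# soft delete and purge protection enabled (a disabled key is recoverable; a purged one is not).
vault_protections_enabled() {
  printf '%s' "$1" | grep -Eq '"enableSoftDelete": *true' &&
    printf '%s' "$1" | grep -Eq '"enablePurgeProtection": *true'
}

# Sections 2.1-2.3: vault, key, managed identity, access policy, CMK binding.
setup_cmk() {
  local kid principal_id
  az keyvault create -g "$RG" -n "$KV_NAME" -l "$LOCATION" --enable-purge-protection true
  vault_protections_enabled "$(az keyvault show -n "$KV_NAME" -o json)" ||
    { echo "refusing to continue: soft delete / purge protection not enabled on $KV_NAME" >&2; return 1; }

  kid=$(az keyvault key create --vault-name "$KV_NAME" -n "$KEY_NAME" --kty RSA --size 2048 \
        --query key.kid -o tsv)

  # 2.2: system-assigned managed identity, then only the three key permissions the service needs.
  principal_id=$(az storage account update -g "$RG" -n "$STORAGE_ACCOUNT" \
                 --assign-identity --query identity.principalId -o tsv)
  az keyvault set-policy -n "$KV_NAME" --object-id "$principal_id" \
    --key-permissions get wrapKey unwrapKey

  # 2.3: bind the account to the key. No --encryption-key-version is given, so the
  # account follows the latest version of the key (automatic rotation).
  az storage account update -g "$RG" -n "$STORAGE_ACCOUNT" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "https://$KV_NAME.vault.azure.net" \
    --encryption-key-name "$KEY_NAME"
  echo "account $STORAGE_ACCOUNT now tracks $(cmk_key_base_uri "$kid") (latest version)"
}

# Manual rotation: create a new key version and pin the account to it explicitly.
rotate_manually() {
  local kid
  kid=$(az keyvault key create --vault-name "$KV_NAME" -n "$KEY_NAME" --kty RSA --size 2048 \
        --query key.kid -o tsv)
  az storage account update -g "$RG" -n "$STORAGE_ACCOUNT" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "https://$KV_NAME.vault.azure.net" \
    --encryption-key-name "$KEY_NAME" \
    --encryption-key-version "$(cmk_key_version "$kid")"
}

# Revocation test: disable the key, expect a blob read to fail, then re-enable.
# Returns 0 only if access was denied while the key was disabled.
revocation_test() {
  local tmp status=1
  tmp=$(mktemp)
  az keyvault key set-attributes --vault-name "$KV_NAME" -n "$KEY_NAME" --enabled false
  sleep 120   # give the storage service time to notice the disabled key
  if az storage blob download --account-name "$STORAGE_ACCOUNT" -c "$CONTAINER" \
       -n test.txt -f "$tmp" --auth-mode login >/dev/null 2>&1; then
    echo "FAIL: blob readable while the CMK is disabled" >&2
  else
    echo "OK: access denied while the CMK is disabled"
    status=0
  fi
  # Always restore access, even when the check above failed.
  az keyvault key set-attributes --vault-name "$KV_NAME" -n "$KEY_NAME" --enabled true
  rm -f "$tmp"
  return "$status"
}

# Run a step only when asked for explicitly, so the file can also be sourced for its helpers.
case "${1:-}" in
  setup) setup_cmk ;;
  rotate) rotate_manually ;;
  revocation-test) revocation_test ;;
esac
```

Run it as `./cmk.sh setup`, then `./cmk.sh revocation-test` after uploading test.txt; `./cmk.sh rotate` shows the manual path, which you only need when you have deliberately pinned a version. The preflight check is there because the revocation test relies on the key being recoverable: with purge protection off, an operator who deletes and purges the key turns a reversible access test into permanent data loss.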
Best Practices
- Enable Purge Protection and Soft Delete in your Key Vault to protect your keys from accidental or malicious deletion.
- Use Managed Identities to allow the storage account to access Key Vault. This is safer than other methods because no separate credential has to be stored, distributed, or rotated.
- Monitor Key Vault Activity: Use Key Vault diagnostic logs to audit who is accessing your keys and when.
- Require Secure Transfer (HTTPS): When setting up your storage account, always require secure transfer to encrypt data in transit.
Conclusion
Encrypting data at rest in Azure Storage is a fundamental layer of defense. While Microsoft-managed keys provide security by default with zero effort, customer-managed keys (CMK) provide the level of control and assurance required by many organizations to meet stringent security and compliance requirements. By mastering CMK implementation and management, you ensure your data remains protected and under your control.
References
[1] Microsoft. (2023). Overview of Azure Storage encryption.
[2] Microsoft. (2023). Azure Storage Service encryption for data at rest.
[3] Microsoft. (2023). Customer-managed keys for Azure Storage encryption.