Configure storage account encryption

Configure and manage storage accounts

📘 Microsoft Certified: Azure Administrator Associate (AZ-104)


1. What Is Azure Storage Encryption?

Azure Storage uses encryption at rest to automatically protect your data.
This means the data stored in Azure Storage (Blob, Files, Queues, Tables, Disks) is encrypted before it is written to the storage service.

Azure uses 256-bit AES encryption, one of the strongest block ciphers available, implemented in FIPS 140-2 validated cryptographic modules.

Important exam points:

  • Encryption at rest is enabled by default.
  • You cannot disable encryption.
  • There is no extra cost for default encryption.

2. Two Major Types of Encryption for Storage Accounts

Azure supports two key approaches:

A. Service-managed keys (SMK) — Default

Microsoft calls these Microsoft-managed keys (MMK); that is the name you will see in the portal and the docs.

  • Azure automatically manages the encryption keys.
  • No configuration required.
  • Azure rotates the keys automatically.
  • Recommended for most workloads unless compliance requires you to hold the keys yourself.

Exam fact:
Service-managed keys are generated, stored and rotated by Microsoft in its own key management infrastructure. They never appear in your Key Vault, and you cannot view, export or revoke them.


B. Customer-managed keys (CMK)

CMK allows you to control the encryption keys using your own key in Azure Key Vault or Azure Key Vault Managed HSM.

Use CMK when:

  • Your organization has strict compliance rules.
  • You need full control over key rotation.
  • You require logging and auditing for key access.

Requirements for enabling CMK:

  1. A Key Vault or Managed HSM with soft delete and purge protection enabled (Azure Storage refuses to use a vault without them, because losing the key would make the account unreadable).
  2. A supported account type: general-purpose v2, premium block blob or premium file share. CMK covers Blob and Files; Queue and Table data stays on Microsoft-managed keys unless the account was created with the account-scoped encryption key selected for those services.
  3. Proper permissions:
    • The storage account's managed identity (system-assigned, or user-assigned if CMK must be configured at account creation) needs the “get”, “wrapKey” and “unwrapKey” key permissions in the vault. With Key Vault RBAC, that is the Key Vault Crypto Service Encryption User role.
    • The key must be an RSA or RSA-HSM key of 2048, 3072 or 4096 bits.

Key concepts:

  • Key rotation
    You can rotate keys manually or automatically.
  • Key versioning
    When you rotate a key, a new version appears. If the storage account references an explicit key version, you must update the account to the new version yourself; if the version is omitted, Azure Storage checks the vault daily and switches to the newest version on its own.

3. Encryption Scopes (Important for AZ-104)

Azure allows encryption at two levels:

A. Storage Account-level Encryption (default)

All containers, file shares, queues and tables are protected by the account's key, whether Microsoft-managed or customer-managed.

B. Encryption Scopes

An encryption scope is a named key setting inside one storage account (Blob storage only, on general-purpose v2 and premium block blob accounts). Each scope uses either Microsoft-managed keys or a customer-managed key, and can be applied to:

  • A container, as its default scope (optionally preventing clients from overriding it per blob)
  • An individual blob, by naming the scope on the write request

Disabling a scope makes every blob written under it unreadable (requests fail with 403) until the scope is re-enabled, so one workload's data can be cut off without touching the rest of the account. This gives better security isolation than a single account-wide key.

Benefits:

  • You can apply CMK to specific workloads.
  • You can mix SMK and CMK in the same storage account.

When to use encryption scopes:

  • Different teams share the same storage account but require different encryption keys.
  • Only specific data requires CMK for compliance reasons.
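The following Az PowerShell script is an added example, not code from the original page or from Microsoft. It creates two encryption scopes in one storage account (one on Microsoft-managed keys, one on a customer-managed key with infrastructure encryption), makes the CMK scope the enforced default of a container, uploads a blob under each scope and then disables one scope. The resource names ($rg, $sa, $keyUri, the container names) are placeholders, and it assumes the account's managed identity can already get/wrap/unwrap the key at $keyUri.

```powershell
# Added example (not from the page). Assumes the Az.Storage module, a GPv2 or
# premium block blob account (encryption scopes are Blob-only) and that the
# account's managed identity already has get/wrapKey/unwrapKey on $keyUri.
$rg     = "rg-storage-demo"          # placeholder names throughout
$sa     = "stdemo001"
# No version on the key URI => the scope follows new key versions automatically.
$keyUri = "https://kv-demo-001.vault.azure.net/keys/cmk-blob"

# Scope 1: Microsoft-managed keys, isolated from the account default key.
New-AzStorageEncryptionScope -ResourceGroupName $rg -StorageAccountName $sa `
    -EncryptionScopeName "scope-mmk" -StorageEncryption

# Scope 2: customer-managed key, plus infrastructure (double) encryption
# for this scope only. Both are fixed at scope creation.
New-AzStorageEncryptionScope -ResourceGroupName $rg -StorageAccountName $sa `
    -EncryptionScopeName "scope-cmk-finance" -KeyvaultEncryption -KeyUri $keyUri `
    -RequireInfrastructureEncryption

# Entra ID auth for the data plane (needs Storage Blob Data Contributor on the account).
$ctx = New-AzStorageContext -StorageAccountName $sa -UseConnectedAccount

# Container whose blobs default to the CMK scope; override is blocked so a
# client cannot write a blob into this container under a weaker scope.
New-AzStorageContainer -Name "finance" -Context $ctx `
    -DefaultEncryptionScope "scope-cmk-finance" -PreventEncryptionScopeOverride $true
New-AzStorageContainer -Name "shared" -Context $ctx

# Constructed sample payload for the upload.
"constructed sample payload" | Set-Content -Path ./report.txt

# 1) Container default applies: no scope needs to be named on the request.
Set-AzStorageBlobContent -File ./report.txt -Container "finance" -Blob "report.txt" -Context $ctx

# 2) Per-blob scope: the "shared" container has no default, so name it explicitly.
Set-AzStorageBlobContent -File ./report.txt -Container "shared" -Blob "report.txt" -Context $ctx `
    -EncryptionScope "scope-mmk"

# Verify which scope protects each blob.
(Get-AzStorageBlob -Container "finance" -Blob "report.txt" -Context $ctx).BlobProperties.EncryptionScope
(Get-AzStorageBlob -Container "shared"  -Blob "report.txt" -Context $ctx).BlobProperties.EncryptionScope

# Kill switch: disabling a scope makes reads and writes under it fail with 403
# until it is re-enabled, without affecting the "finance" container.
Update-AzStorageEncryptionScope -ResourceGroupName $rg -StorageAccountName $sa `
    -EncryptionScopeName "scope-mmk" -State Disabled
```

The scope names, containers and key URI are assumptions for illustration; in a real tenant the key must already be in a vault the storage identity can reach, otherwise the second New-AzStorageEncryptionScope call fails with an authorization error rather than a crypto error.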

4. Infrastructure Encryption (Double Encryption)

Infrastructure encryption adds an extra layer of encryption on top of the default encryption.

What it does:

  • Encrypts data twice: once at the service level (with the Microsoft-managed or customer-managed key) and once at the infrastructure level, always with a separate Microsoft-managed key.
  • Keeps the data protected if one of the two keys or algorithms is ever compromised on the backend storage infrastructure.

Requirements:

  • Must be enabled when creating the storage account (or, for a single workload, when creating an encryption scope).
  • Cannot be enabled or disabled after creation.
  • Not tied to a redundancy option or region; supported on general-purpose v2 and premium accounts.

Exam tip:

Infrastructure encryption = double encryption.
Must be turned on during creation, cannot be changed later.


5. Encryption in Transit

AZ-104 also expects you to know encryption during data transfer.

Azure Storage provides:

  • HTTPS (TLS) for REST access; the account setting “Secure transfer required” rejects plain HTTP and is on by default for new accounts.
  • A configurable minimum TLS version (TLS 1.2 recommended).
  • SMB 3.x encryption for Azure Files; with “Secure transfer required” enabled, unencrypted SMB connections are refused as well.

SMB encryption:

  • Encrypts data between the SMB client (on-prem server or VM) and the Azure file share.
  • Needed whenever a share is mounted over the internet, for example from on-premises; the client must support SMB 3.x with encryption (Windows 8.1/Server 2012 R2 or later, or a current Linux kernel). Many ISPs block outbound port 445, so testing that port is the first troubleshooting step.
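The script below is an added example (not from the original page or from Microsoft) that puts sections 4 and 5 together: it creates an account with infrastructure encryption, which is only possible at creation, sets the transit controls that can be changed at any time, reads back the three settings an auditor asks for, and checks port 445 from the on-prem side before a mount. The resource group, account name and region are placeholders.

```powershell
# Added example (not from the page). Placeholder names; assumes the Az.Storage
# module and an existing resource group $rg.
$rg     = "rg-storage-demo"
$loc    = "westeurope"
$saName = "stdoubleenc001"

# Infrastructure (double) encryption is only settable here, at creation.
# "Secure transfer required" (-EnableHttpsTrafficOnly) rejects HTTP and
# unencrypted SMB; the minimum TLS version rejects TLS 1.0/1.1 clients.
New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $loc `
    -SkuName Standard_LRS -Kind StorageV2 `
    -RequireInfrastructureEncryption `
    -EnableHttpsTrafficOnly $true `
    -MinimumTlsVersion TLS1_2 `
    -AllowBlobPublicAccess $false

# Transit settings can be tightened later on any existing account
# (double encryption at rest cannot be changed after creation).
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2

# Read back the settings: infrastructure encryption, HTTPS only, minimum TLS.
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
[pscustomobject]@{
    InfrastructureEncryption = $acct.Encryption.RequireInfrastructureEncryption
    HttpsOnly                = $acct.EnableHttpsTrafficOnly
    MinimumTls               = $acct.MinimumTlsVersion
}

# On-prem mount check for Azure Files (run on the Windows client): SMB 3.x
# encryption is negotiated automatically by Windows 8.1/Server 2012 R2+, but
# the connection never starts if the ISP blocks outbound 445.
Test-NetConnection -ComputerName "$saName.file.core.windows.net" -Port 445
```

If Test-NetConnection reports TcpTestSucceeded = False, the fix is a VPN or ExpressRoute path to Azure (or a different network), not a change to the storage account.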

6. How to Configure Customer-Managed Keys (Step-by-Step)

Below is a simplified IT-focused workflow that is exam-relevant.

Step 1: Create an Azure Key Vault

  • Enable soft delete
  • Enable purge protection

Step 2: Create or import a key

  • Choose RSA keys (2048-bit minimum)

Step 3: Assign permissions

Enable a managed identity on the storage account and grant it these key permissions in the vault:

  • wrapKey
  • unwrapKey
  • get

(With Key Vault RBAC instead of access policies, assign the Key Vault Crypto Service Encryption User role to the identity.)

Step 4: Go to the Storage Account → Encryption

Choose:

  • Customer-managed key
  • Select your Key Vault and key

Step 5: Save

After this, Azure Storage wraps the account's data encryption key with your CMK (envelope encryption), so existing data and new data are both protected by your key; nothing is re-encrypted and there is no downtime.
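The five steps above as one Az PowerShell script, added here as an example rather than taken from the original page or from Microsoft. It creates the vault with purge protection, adds an RSA key, gives the storage account a system-assigned identity, grants it the three key permissions, switches the account to the CMK without pinning a key version, and verifies the result. All names ($rg, $saName, $kvName, $keyName, the region) are placeholders, and an existing general-purpose v2 account is assumed.

```powershell
# Added example (not from the page). Placeholder names; assumes the Az.KeyVault
# and Az.Storage modules and an existing GPv2 storage account $saName in $rg.
$rg = "rg-storage-demo"; $loc = "westeurope"
$saName = "stdemo001"; $kvName = "kv-demo-001"; $keyName = "cmk-storage"

# Step 1: Key Vault. Soft delete is always on for new vaults; purge protection
# must be switched on explicitly, and Azure Storage refuses a vault without it.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc -EnablePurgeProtection

# Step 2: RSA key (2048, 3072 or 4096 bits are accepted for storage CMK).
Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# Step 3: system-assigned identity on the account, then get/wrapKey/unwrapKey.
$acct = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity
$principalId = $acct.Identity.PrincipalId
# Access-policy model:
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $principalId -PermissionsToKeys get,wrapkey,unwrapkey
# RBAC model (use instead of the line above when the vault has -EnableRbacAuthorization):
# New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Key Vault Crypto Service Encryption User" -Scope $kv.ResourceId

# Steps 4 and 5: point the account at the key. -KeyVersion is deliberately
# omitted so Azure Storage adopts new key versions automatically (checked daily).
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -KeyvaultEncryption -KeyName $keyName -KeyVaultUri $kv.VaultUri

# Verify: KeySource changes from Microsoft.Storage to Microsoft.Keyvault.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption
$enc.KeySource
$enc.KeyVaultProperties | Select-Object KeyName, KeyVersion, KeyVaultUri

# Rollback to Microsoft-managed keys if ever needed; data stays readable because
# only the wrapping of the account's data encryption key changes:
# Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -StorageEncryption
```

Order matters: if the Set-AzStorageAccount -KeyvaultEncryption call runs before the access policy or role assignment has propagated, it fails with a 403 from Key Vault; wait a few seconds and rerun it rather than widening the permissions.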


7. How Key Rotation Works

For the exam:

With SMK:

  • Azure auto-rotates
  • No user action required

With CMK:

  • Customer rotates the key in Key Vault
  • You can choose:
    • manual rotation
    • auto-rotation (Key Vault feature)
  • If the account references the key without a version, Azure Storage checks the vault daily and moves to the newest version automatically; if a version is pinned, you must update the account to the new version yourself
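Both CMK rotation paths in Az PowerShell, as an added example that is not part of the original page or Microsoft's own samples: a manual rotation (new key version, then either rely on auto-update or re-pin), a Key Vault rotation policy in Key Vault's JSON policy format (the JSON is constructed here), and a readback of the version that is actually wrapping the data. The names are placeholders and assume the account already uses $keyName from $kvName as set up in section 6.

```powershell
# Added example (not from the page). Placeholder names; assumes the account is
# already configured for CMK with key $keyName in vault $kvName (section 6).
$rg = "rg-storage-demo"; $saName = "stdemo001"
$kvName = "kv-demo-001"; $keyName = "cmk-storage"

# Manual rotation: adding a key with an existing name creates a new version.
$newKey = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# If the account was configured WITHOUT -KeyVersion, nothing else is needed:
# Azure Storage checks the vault daily and rewraps the account's data
# encryption key with the newest version. If a version was pinned, move it:
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -KeyvaultEncryption `
    -KeyName $keyName -KeyVersion $newKey.Version -KeyVaultUri "https://$kvName.vault.azure.net/"

# Automatic rotation in Key Vault: rotate 18 months after each version is
# created, expire versions after 2 years, notify 30 days before expiry.
# (Constructed policy file in Key Vault's rotation-policy JSON format.)
@'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P18M" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P30D" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "P2Y" }
}
'@ | Set-Content -Path ./rotation-policy.json
Set-AzKeyVaultKeyRotationPolicy -VaultName $kvName -KeyName $keyName -PolicyPath ./rotation-policy.json

# On-demand rotation using that policy (also just creates a new version).
Invoke-AzKeyVaultKeyRotation -VaultName $kvName -Name $keyName

# Which version is wrapping the data right now, and when it last changed.
# KeyVersion is empty when the account is on auto-update; the current
# versioned identifier shows what Azure Storage actually uses.
$props = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption.KeyVaultProperties
$props | Select-Object KeyVersion, CurrentVersionedKeyIdentifier, LastKeyRotationTimestamp
```

Pinning a version is the safer choice only when a change-control process must approve each rotation; for everything else, leave the version unset so the account never drifts onto a key version that is about to expire.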

8. Azure Disk Encryption (Related But Separate)

Note:
This is not the same as storage account encryption but is often tested in combination.

  • Uses DM-Crypt for Linux
  • Uses BitLocker for Windows
  • Managed via the Azure Disk Encryption (ADE) VM extension; the Key Vault must be enabled for disk encryption and stores the volume secrets
  • Can wrap those secrets with a key-encryption key (KEK) that you manage in Key Vault

However, for storage accounts, encryption is automatic and works at the storage-service layer, not inside the VM's operating system; the two layers stack rather than replace each other.
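To make the layer difference concrete, here is an added Az PowerShell example (not from the original page or from Microsoft) that enables ADE on a VM with a KEK: the vault has to be enabled for disk encryption, the extension is applied to the VM, and the status is read per volume. The VM, vault and key names are placeholders; a running VM and a vault in the VM's region are assumed.

```powershell
# Added example (not from the page). Placeholder names; assumes Az.Compute and
# Az.KeyVault, a running VM $vm in $rg, and a Key Vault in the same region.
$rg = "rg-vm-demo"; $vm = "vm-demo-01"; $kvName = "kv-ade-001"; $kekName = "ade-kek"

# ADE stores each volume's BitLocker/DM-Crypt secret in the vault, so the vault
# must be enabled for disk encryption (a separate switch from storage CMK).
$kv = Get-AzKeyVault -VaultName $kvName
Set-AzKeyVaultAccessPolicy -VaultName $kvName -EnabledForDiskEncryption

# Optional key-encryption key: wraps the volume secrets so that the KEK is the
# thing you rotate and audit, not the individual BitLocker/DM-Crypt secrets.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software -KeyType RSA -Size 2048

# Encrypt OS and data volumes inside the guest. This reboots the VM for the OS
# volume; -Force suppresses the confirmation prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Per-volume status (OsVolumeEncrypted / DataVolumesEncrypted). The service-level
# encryption of the underlying disks is unchanged and still on underneath.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```

The practical consequence for the exam scenario: a VM whose disks sit in an encrypted storage account but has no ADE is still readable by anyone who can attach or snapshot the disk, which is exactly what the guest-level layer is for.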


9. Frequently Tested Exam Scenarios

Scenario 1:

Your company requires full control of encryption keys.
Solution: Enable CMK using Azure Key Vault.

Scenario 2:

Data must be encrypted twice for compliance.
Solution: Enable infrastructure encryption (must be done at storage account creation).

Scenario 3:

Different containers need different keys.
Solution: Use encryption scopes.

Scenario 4:

You need to prevent HTTP connections to Azure Storage.
Solution: Enable “Secure transfer required” (HTTPS only) on the storage account.

Scenario 5:

You need encrypted communication when mounting Azure Files from on-premises.
Solution: Use SMB encryption (SMB 3.0+).


10. Summary

Feature                   | Description                          | Key exam points
--------------------------+--------------------------------------+-------------------------------------------------------------
Encryption at rest        | Protects stored data                 | Always on; AES-256; cannot be disabled
Service-managed keys      | Default keys managed by Microsoft    | No configuration needed; rotated by Microsoft
Customer-managed keys     | Organization controls keys           | Key Vault or Managed HSM with soft delete + purge protection; managed identity with get/wrapKey/unwrapKey
Encryption scopes         | Set encryption per container/blob    | Blob storage only; allows mixing SMK + CMK in one account
Infrastructure encryption | Double encryption                    | Must enable on creation; cannot be changed later
Encryption in transit     | HTTPS/TLS, SMB 3.x encryption        | “Secure transfer required” recommended; set minimum TLS version
Key rotation              | Updating encryption keys             | Automatic for SMK; manual or automatic (Key Vault policy) for CMK

Final Notes for AZ-104 Success

  • Know the difference between SMK, CMK, and encryption scopes.
  • Understand how Azure Key Vault integrates with storage encryption.
  • Know that encryption is always enabled and cannot be turned off.
  • Know that infrastructure encryption cannot be changed after creation.
  • Understand permissions needed for CMK.
