AZ-104 Microsoft Azure Administrator Exam
You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Configure storage account encryption
Configure Encryption Settings for Storage Accounts
Azure Storage Service Encryption (SSE) is a crucial feature that ensures all data stored in Azure is encrypted by default using Microsoft-managed keys. This basic level of security protects your data at rest without requiring further configuration. However, for businesses needing more control over their encryption processes and compliance with specific regulatory standards, Azure offers configuration options using customer-managed keys (CMK) with Azure Key Vault.
Customer-Managed Keys (CMK)
Customer-managed keys give an organization more flexibility and control over the keys that encrypt its data: it creates and rotates the keys itself, and it can disable them or revoke access to them, which supports auditing and fine-grained key management. To use CMK, the key must be stored in an Azure Key Vault that has the Soft Delete and Do Not Purge properties enabled. These properties are essential because they allow a key that was deleted by mistake to be recovered, so nothing is permanently lost.
Enabling Customer-Managed Keys
To start using customer-managed keys for your storage account, follow these straightforward steps:
- Navigate to your storage account within the Azure portal.
- Under Security + networking, select Encryption.
- Change the Encryption type to Customer-managed keys.
- Enter the key vault and key details required.
Alternatively, the same change can be made with Azure PowerShell or Azure CLI. In PowerShell, use the `Set-AzStorageAccount` cmdlet together with `-StorageEncryption`. In Azure CLI, run `az storage account update` with the `--encryption-key-source` parameter set to `Microsoft.KeyVault`.
Infrastructure Encryption
To further enhance security, infrastructure encryption can be enabled for an additional layer of protection through double encryption. This feature employs two layers: one with platform-managed keys and the other with customer-managed keys. When creating a new storage account, include the `-RequireInfrastructureEncryption` option using either Azure PowerShell or Azure CLI to activate this added security measure.
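As an added example (not part of the course page), the CMK steps above and the infrastructure-encryption option combined into one Az PowerShell script, with a verification step at the end. It assumes you are already signed in with `Connect-AzAccount`, that the resource group exists, that the resource names are placeholders you replace, and that your account holds the Key Vault Crypto Officer role on the new vault; it grants the storage account's managed identity access through an RBAC role assignment and uses the `-KeyvaultEncryption` switch of `Set-AzStorageAccount` to select Key Vault as the key source.

```powershell
# Added example, not the course's own code. Placeholder names: replace before use.
$rg      = 'rg-storage-demo'
$loc     = 'eastus'
$vault   = 'kv-cmk-demo-001'       # globally unique
$account = 'stcmkdemo001'          # globally unique, lowercase, 3-24 chars
$keyName = 'storage-cmk'

# 1. Key Vault for the CMK. New vaults have soft delete on by default; purge
#    protection must be enabled explicitly, and CMK requires both so that a
#    deleted key can be recovered rather than destroyed.
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $loc `
        -EnablePurgeProtection -EnableRbacAuthorization

# 2. Storage account with infrastructure (double) encryption. This setting is
#    chosen at creation time, so it goes on New-AzStorageAccount, not Set-.
#    -AssignIdentity gives the account a system-assigned managed identity that
#    will authenticate to Key Vault.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $loc `
        -SkuName Standard_LRS -Kind StorageV2 `
        -RequireInfrastructureEncryption -AssignIdentity

# 3. Least privilege: the identity only needs get/wrap/unwrap on keys, which is
#    exactly what the built-in 'Key Vault Crypto Service Encryption User' grants.
New-AzRoleAssignment -ObjectId $sa.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
    -Scope $kv.ResourceId

# 4. Create the key and point the account at it. -KeyvaultEncryption sets the
#    key source to Microsoft.Keyvault; -StorageEncryption would switch the
#    account back to Microsoft-managed keys.
$key = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software
Set-AzStorageAccount -ResourceGroupName $rg -AccountName $account `
    -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version `
    -KeyVaultUri $kv.VaultUri

# 5. Verify the resulting encryption settings instead of trusting the calls.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Encryption
[pscustomobject]@{
    KeySource                = $enc.KeySource
    InfrastructureEncryption = $enc.RequireInfrastructureEncryption
    KeyVaultUri              = $enc.KeyVaultProperties.KeyVaultUri
    KeyName                  = $enc.KeyVaultProperties.KeyName
}
if ($enc.KeySource -ne 'Microsoft.Keyvault') { throw 'CMK is not active on the account' }
if (-not $enc.RequireInfrastructureEncryption) { throw 'Infrastructure encryption is off' }
```

RBAC role assignments can take a short while to propagate, so if step 4 fails with an authorization error, re-run it after a minute rather than widening the role.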
Compliance and Security
Utilizing customer-managed keys and infrastructure encryption significantly bolsters security, aiding compliance with stringent regulatory requirements. This added control over encryption keys provides the ability to conduct audits and manage key access comprehensively. For organizations demanding high standards for data protection, these features are indispensable.
Conclusion
Configuring encryption settings for Azure storage accounts primarily involves the automatic encryption offered by Azure Storage Service Encryption and enabling customer-managed keys for additional control. Enabling infrastructure encryption adds an extra security layer through double encryption, crucial for complying with rigorous data standards and safeguarding sensitive information effectively.