AZ-500 Microsoft Azure Security Technologies Exam
Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!
Configure Bring your own key
Implement Customer-Managed Storage Encryption
Customer-Managed Keys (CMK) let you bring your own key to Azure Storage, giving you full control over your data’s encryption. By storing the key in Azure Key Vault or Managed HSM, you meet regulatory compliance and data sovereignty requirements while ensuring that the platform cannot decrypt your data without your permission. Key Vault integration separates key management from Azure’s built-in encryption, so only authorized identities can access and use the key. This approach strengthens data protection by keeping your cryptographic material under your direct oversight. It also allows you to audit every key operation and maintain an immutable record of access.
To configure CMK in the Azure portal, start with a new or existing storage account’s Encryption settings and follow a few key steps.
- Enable support for customer-managed keys for blobs, files, tables, or queues.
- Set Encryption type to Customer-managed keys (CMK).
- Choose the key by selecting Select a key vault and key or entering a specific Key URI.
- Assign a user-assigned identity with the least-privilege permissions to access the key.
After making these selections, click Review and then Create (or Save) to apply the changes.
You can automate both setup and key rotation using PowerShell or the Azure CLI to keep your environment in good cryptographic health. For example:
- PowerShell (the -IdentityType value for a combined system- and user-assigned identity is SystemAssignedUserAssigned):
New-AzStorageAccount -ResourceGroupName $rgName `
    -Name $accountName `
    -SkuName Standard_LRS `
    -Location $location `
    -IdentityType SystemAssignedUserAssigned `
    -UserAssignedIdentityId $userIdentity.Id `
    -KeyVaultUri $keyVault.VaultUri `
    -KeyName $key.Name `
    -KeyVaultUserAssignedIdentityId $userIdentity.Id
- Azure CLI:
az storage account create \
    --name $accountName \
    --resource-group $rgName \
    --location $location \
    --sku Standard_LRS \
    --kind StorageV2 \
    --identity-type SystemAssigned,UserAssigned \
    --user-identity-id $identityResourceId \
    --encryption-key-vault $keyVaultUri \
    --encryption-key-name $keyName \
    --encryption-key-source Microsoft.Keyvault \
    --key-vault-user-identity-id $identityResourceId
These commands also enable automatic key version updates, ensuring your keys rotate seamlessly without downtime.
If you prefer manual key version control, you can specify the full key URI with a version number when updating your storage account. First, use Get-AzKeyVaultKey to retrieve the new key version. Then apply it with Set-AzStorageAccount (PowerShell) or az storage account update (CLI), for example:
az storage account update \
--name $accountName \
--resource-group $rgName \
--encryption-key-source Microsoft.Keyvault \
--encryption-key-version $newVersion \
--encryption-key-vault $keyVaultUri \
--encryption-key-name $keyName \
--key-vault-user-identity-id $identityResourceId
With manual updating, Azure Storage will use the specified version until you change it again.
To enforce least-privilege access and meet compliance standards, configure both Azure Key Vault access policies and Azure RBAC roles. Assign the Get, Unwrap Key, and Wrap Key permissions on the Key Vault to your storage account’s managed identity. Use built-in roles like Storage Account Key Operator Service Role for controlled key usage. Enable Soft Delete and Purge Protection on the Key Vault to prevent accidental key loss and maintain historical versions. Finally, set up an automated key rotation schedule in Key Vault to uphold ongoing cryptographic hygiene and simplify audit reporting.
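The settings above (automatic versus pinned key version, a user-assigned identity for key access, Soft Delete and Purge Protection on the vault) can be checked offline against the JSON that az storage account show and az keyvault show return. The script below is an added example written for this lesson; it is not code from the course or from Microsoft. The field names (encryption.keySource, encryption.keyVaultProperties, encryption.encryptionIdentity, identity.type, properties.enableSoftDelete, properties.enablePurgeProtection) are modelled on Azure CLI output and should be treated as an assumption to confirm against your own tenant's output; the two sample documents are constructed, not real accounts.

```python
"""Offline audit of an Azure Storage customer-managed-key configuration.

Added example for this lesson, not the course's or Microsoft's code. Field
names are modelled on `az storage account show` / `az keyvault show` output
(assumption); the sample documents at the bottom are constructed.
"""
import json
from urllib.parse import urlparse

# Key Vault and Managed HSM DNS suffixes in the public cloud.
VAULT_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")


def parse_key_uri(key_uri):
    """Split a key identifier into (vault_uri, key_name, version or None).

    A versionless URI (.../keys/<name>) is what automatic key version
    updates rely on; a versioned URI (.../keys/<name>/<version>) pins the
    account to that version until you update it again.
    """
    parts = urlparse(key_uri)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(VAULT_SUFFIXES):
        raise ValueError(f"not a Key Vault or Managed HSM key URI: {key_uri}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] != "keys":
        raise ValueError(f"unexpected key path: {parts.path}")
    version = segments[2] if len(segments) == 3 else None
    return f"https://{host}/", segments[1], version


def audit_cmk(account, vault):
    """Audit an account/vault pair; returns {"mode": ..., "findings": [...]}.

    mode is "automatic" (versionless key), "pinned" (explicit key version)
    or "none" (not using CMK). findings lists deviations from the guidance
    in this lesson; an empty list means the configuration matches it.
    """
    findings = []
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        return {"mode": "none",
                "findings": ["keySource is not Microsoft.Keyvault; account uses Microsoft-managed keys"]}

    kv = enc.get("keyVaultProperties") or {}
    vault_uri, key_name, key_version = kv.get("keyVaultUri"), kv.get("keyName"), kv.get("keyVersion")
    if not vault_uri or not key_name:
        findings.append("keyVaultUri or keyName missing from encryption settings")
    elif not vault_uri.rstrip("/").endswith(VAULT_SUFFIXES):
        findings.append(f"keyVaultUri {vault_uri} is not a Key Vault or Managed HSM endpoint")
    # An empty or absent keyVersion means Azure Storage follows new key versions itself.
    mode = "pinned" if key_version else "automatic"

    # The lesson assigns a user-assigned identity with least-privilege access to the key.
    identity_type = (account.get("identity") or {}).get("type", "")
    uai = (enc.get("encryptionIdentity") or {}).get("encryptionUserAssignedIdentity")
    if "UserAssigned" not in identity_type or not uai:
        findings.append("no user-assigned identity configured for key access")

    # Soft Delete and Purge Protection guard against losing the key, and with it the data.
    props = vault.get("properties") or {}
    if not props.get("enableSoftDelete"):
        findings.append("Key Vault soft delete is disabled")
    if not props.get("enablePurgeProtection"):
        findings.append("Key Vault purge protection is disabled")
    return {"mode": mode, "findings": findings}


# Constructed sample shaped like `az storage account show` output; not a real account.
GOOD_ACCOUNT = {
    "identity": {"type": "SystemAssigned, UserAssigned"},
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyVaultUri": "https://examplevault.vault.azure.net/",
            "keyName": "storage-cmk",
            "keyVersion": "",
        },
        "encryptionIdentity": {
            "encryptionUserAssignedIdentity": "/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/example-rg/providers/Microsoft.ManagedIdentity"
            "/userAssignedIdentities/storage-cmk-identity"
        },
    },
}
# Constructed sample shaped like `az keyvault show` output.
GOOD_VAULT = {"properties": {"enableSoftDelete": True, "enablePurgeProtection": True}}

# The same account pinned to one key version, paired with a vault lacking purge protection.
PINNED_ACCOUNT = json.loads(json.dumps(GOOD_ACCOUNT))
PINNED_ACCOUNT["encryption"]["keyVaultProperties"]["keyVersion"] = "0123456789abcdef0123456789abcdef"
WEAK_VAULT = {"properties": {"enableSoftDelete": True, "enablePurgeProtection": False}}

if __name__ == "__main__":
    for label, acct, vlt in (("good", GOOD_ACCOUNT, GOOD_VAULT), ("pinned", PINNED_ACCOUNT, WEAK_VAULT)):
        print(label, json.dumps(audit_cmk(acct, vlt)))
```

In practice you would feed audit_cmk the parsed output of az storage account show and az keyvault show (for example via json.load on az ... -o json); a "pinned" result is not a finding on its own, since the lesson treats manual version control as a valid choice, but it does mean the account will keep using that version until you run the update command again.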
Conclusion
In this section, you learned how to bring your own key to Azure Storage by using Customer-Managed Keys (CMK) in Azure Key Vault or Managed HSM. You saw how to configure encryption in the Azure portal, automate key setup and rotation with PowerShell or the Azure CLI, and manage manual key version updates. You also explored how to apply least-privilege access through RBAC roles and Key Vault policies, and underlined the importance of features like Soft Delete and Purge Protection. By following these practices, you maintain complete control over your encryption keys, ensuring both security and compliance for your Azure Storage data.