16 Mar 2018

“Bring your own key” for Azure Storage Encryption at Rest

On March 7th, Microsoft made SSE (Storage  Service Encryption) using your own keys GA (generally available).

This is greate news, as now everyone can create own managed keys to encrypt Azure Storage Accounts.  Azure Storage Accounts can be enabled with encryption at rest for quite a while, but till now, Microsoft owned the keys for the encryption.

SSE uses Azure Key Vault behind the scenes, a highly available and scalable secure storage for RSA cryptographic keys backed by either a Software Storage or FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs).





For more information on Azure KeyVault see here: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis



In the following example, I’ll show how to enable SSE on an Azure Storage Account using a fresh generates RSA Key with Azure PowerShell CMDLETs.

#Some parameters
$storageAccountName = 'lrswe01'
$keyvaultName = 'mirukv01'
$keyName = "storagekey$storageAccountName"
$rgName = 'RGWE'

#Assign SA Identity
Set-AzureRmStorageAccount -ResourceGroupName $rgName -Name $storageAccountName -AssignIdentity

#Enable Soft delete on KeyVault
($resource = Get-AzureRmResource -ResourceId (Get-AzureRmKeyVault -VaultName $keyvaultName).ResourceId).Properties | Add-Member -MemberType NoteProperty -Name enableSoftDelete -Value 'True'
Set-AzureRmResource -resourceid $resource.ResourceId -Properties $resource.Properties -Force
($resource = Get-AzureRmResource -ResourceId (Get-AzureRmKeyVault -VaultName $keyvaultName).ResourceId).Properties | Add-Member -MemberType NoteProperty -Name enablePurgeProtection -Value 'True'
Set-AzureRmResource -resourceid $resource.ResourceId -Properties $resource.Properties -Force

#Create a new RSA Key and store in KeyVault
$KeyOperations = 'encrypt','decrypt','wrapKey','unwrapKey'
$Expires = (Get-Date).AddYears(2).ToUniversalTime()
$NotBefore = (Get-Date).ToUniversalTime()
$Tags = @{'Sesitivity' = 'high'; 'owner' = 'drmiru'}
Add-AzureKeyVaultKey -VaultName $keyvaultName -Name $keyName -Expires $Expires -NotBefore $NotBefore -KeyOps $KeyOperations -Tag $Tags -Destination Software

#Enable SSE on Storage Account
$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $rgName -AccountName $storageAccountName
$keyVault = Get-AzureRmKeyVault -VaultName $keyvaultName
$key = Get-AzureKeyVaultKey -VaultName $keyVault.VaultName -Name $keyName
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVault.VaultName -ObjectId $storageAccount.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
Set-AzureRmStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName -AccountName $storageAccount.StorageAccountName -EnableEncryptionService "Blob" -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $keyVault.VaultUri

For demo purposes I used “Software” for the destination of the RSA key. For production environments I highly recommend to use a premium SKU of KeyVault and store the key on a HSM. To do this, the only thing is to substitute the value of parameter -Destination with the value “HSM”.

Stay secure and encrypt your storage accounts, data is yours.