How to create customer-managed keys (CMK) using Azure Key Vault

Creating customer-managed keys (CMK) in Azure involves using Azure Key Vault to generate and manage encryption keys.

These keys are then associated with a storage account to encrypt data.

Below is a step-by-step guide.

Prerequisites

1. Azure Subscription

You must have an active Azure subscription.

2. Permissions

• Azure AD role: Key Vault Contributor (to create and manage Key Vault).

• Key Vault access policy: Permissions for Key Management Operations.

3. Azure Storage Account

A storage account must already exist.

Create an Azure Key Vault

Using Azure Portal

1. Navigate to the .

2. Search for Key Vaults in the search bar and click Create.

3. Fill in the following details:

   • Resource Group: Select an existing group or create a new one.

   • Key Vault Name: Provide a unique name.

   • Region: Choose the same region as your storage account for optimal performance.

4. Click Review + Create and then Create.

Using Azure CLI

xxxxxxxxxx
4
1
az keyvault create \
2
--name <KeyVaultName> \
3
--resource-group <ResourceGroupName> \
4
--location <Location>

Generate or Import a Key in Key Vault

Option 1: Generate a New Key

Using Azure Portal

1. Go to your Key Vault.

2. Under Settings, click Keys > Generate/Import.

3. Select:

   • Options: Generate.

   • Key Type: RSA or EC.

   • RSA Key Size: 2048 or higher.

   • Key Name: Provide a name for the key.

4. Click Create.

Using Azure CLI

xxxxxxxxxx
4
1
az keyvault key create \
2
--vault-name <KeyVaultName> \
3
--name <KeyName> \
4
--protection software

Option 2: Import an Existing Key

1. Use an existing key in .pem or .pfx format.

2. Import via the Azure Portal or CLI:

xxxxxxxxxx
4
1
az keyvault key import \
2
--vault-name <KeyVaultName> \
3
--name <KeyName> \
4
--file <FilePath>

Grant Storage Account Access to Key Vault

To use the key, the Azure Storage service must have permission to access the Key Vault.

Using Azure Portal

1. In the Key Vault, go to Access policies.

2. Click Add Access Policy.

3. Configure:

   • Key Permissions: Select Get, Unwrap Key, Wrap Key.

   • Principal: Search for "Microsoft Storage" and select Storage Account Name.

4. Save the changes.

Using Azure CLI

xxxxxxxxxx
4
1
az keyvault set-policy \
2
--name <KeyVaultName> \
3
--object-id <StorageServicePrincipalID> \
4
--key-permissions get unwrapKey wrapKey

Configure the Storage Account to Use CMK

Using Azure Portal

1. Go to the Storage Account in the Azure Portal.

2. Under Settings, select Encryption.

3. Choose Customer-managed keys.

4. Click Select a key vault and key.

   • Select the Key Vault and the key you created earlier.

5. Save the configuration.

Using Azure CLI

xxxxxxxxxx
6
1
az storage account update \
2
--name <StorageAccountName> \
3
--resource-group <ResourceGroupName> \
4
--encryption-key-source Microsoft.Keyvault \
5
--encryption-key-vault <KeyVaultUri> \
6
--encryption-key-name <KeyName>

Test and Verify the Configuration

1. Go to the Storage Account and navigate to Encryption in the Azure Portal.

2. Confirm that:

   • Encryption type is set to Customer-managed keys.

   • The associated Key Vault and key are displayed.

Best Practices

Key Rotation

Enable key rotation policies in Key Vault to automate key updates.

Key Backup

Regularly back up your keys.

Key Versioning

Use versioned keys for controlled updates.

Summary

By following these steps, you can successfully create and configure customer-managed keys in Azure for secure storage account encryption.