Configuring Shared Encryption Keys

00:00

and this next lesson, we're gonna talk about how we can configure our shared encryption keys for storage accounts.

00:07

Our objectives include we're gonna talk about storage account encryption in general.

00:12

We'll talk about encryption, key management

00:15

and finally, as always, will jump out to the azure portal and take a look at a demo of how we can work with these inside of our storage account.

00:22

So first, let's talk about storage account encryption. In general,

00:26

our storage counts are automatically encrypted,

00:28

and it's transparent to us. When it does the encryption and decryption,

00:33

they're encrypted with 256 bit A AES encryption,

00:37

and the encryption technology is Phipps 1 40 dash to compliant so you can see your data is gonna be super secure. And this meets probably quite a few of your regulatory requirements.

00:47

Now, storage counts are encrypted by default, so there's nothing you have to do to enable this service for you. And this is gonna be regardless of your performance tear. If it's standard or premium,

00:57

or whether you deployed using the newer azure resource manager or arm service, or the classic deployment and all of our azure storage redundancy option support encryption, and every copy of your storage account is encrypted. So basically saying it's enabled by default and

01:15

all your stuff is gonna be encrypted no matter which service or tear you

01:18

choose.

01:19

This includes the Blob's disk files, cues and tables and even the object. Meta data is also encrypted, and what's great is all this encryption comes at no additional cost to you.

01:30

So let's talk about encryption key management.

01:34

Our storage accounts are automatically encrypted using keys managed by Microsoft

01:38

and this automatic encryption and the key management is available for all of our azure storage services.

01:45

These keys are stored in a Microsoft key store, and Microsoft is also responsible for rotating these keys. Periodically

01:52

have worthies. Keys are only accessible to Microsoft, so this may not meet your regulatory requirements if you need to know the keys or be able to manage them yourself.

02:01

So this is where our next encryption key management option comes into play.

02:07

You do have the option of bringing your own key to your storage account for encryption.

02:13

This means this is customer managed, but it's only available for encrypting your blob storage or azure files

02:20

que and table will always used Microsoft managed encryption keys.

02:24

Another option you also have is a customer provided key for your blob storage operations so you can write an application and have your own encryption key when you access your blob storage for encryption or decryption inside your application operations.

02:39

If you're going to use customer managed keys, you're gonna have to store the key out in an azure key vote, and we'll take a look in our demo on how to create one and use it for our encryption keys.

02:50

This is where you, as the customer, come into responsibility for rotating those keys and managing them. As Microsoft is not going to do this for you anymore.

03:00

That doesn't for some of our concepts. Let's jump out to the azure portal, where we're first going to create an azure key vault to store our own encryption keys,

03:08

and then we're gonna switch our storage account encryption to that key that we just created.

03:13

Let's go out to the azure portal now.

03:16

Here we are, back in the azure portal, and before we go look at our storage account, we need to create an azure key vault to store our customer managed keys slips select. Create a resource.

03:25

We'll search fork evil selected here from the menu and go ahead and click on Create.

03:32

Now, when creating the key vault, I'm going to put it in the same resource group as the rest of our demos here.

03:38

And our ki volt name needs to be globally unique all across azure, just like our storage account. So I'm going to name it J B T storage account Dash cavey for Ki Volt. I'm also going to select the east US region because our Ki Volt needs to be in the same region as our storage account. If we're gonna use customer managed keys like this,

03:58

key votes have to price in tears. I'm gonna leave it at standard. The only thing we get for with premium is we can use hardware, security module or HSM back keys.

04:06

And I'm also going to enable perch protection and leave soft elite at enabled as well.

04:12

If I didn't enable these, it would automatically be turned on for our key vault. When we associate id our storage account with our customer manage keys,

04:20

let's go and review and create and click the create button.

04:25

This is gonna take a few minutes to deploy, so I'm gonna posit video and we'll come back when it's done

04:31

with our ki Volt deployed. Let's go ahead and select Go to Resource

04:35

And inside of our Ki Volt here, the first thing I would look at under settings is Let's go and check out our access policies,

04:44

and I just want to point out inside the access policies. My account is the only one that has permissions to it. But after we configure the storage account to use our customer managed keys inside the ski vault, it will also have permissions.

04:56

Let's go into keys

04:58

and let's go ahead and generate our key that we're going to use for a storage account.

05:01

We'll go ahead and give it a name. We'll name it the name of the storage account so we know which resource it's associated with.

05:09

We have two different key types are say in the sea and a couple of key sizes. If we wanted to customize this,

05:15

we can also set activation and expiration dates for our keys and let's go and keep it at, enabled and create our custom key here with our key. Let's go back to the home screen and go into R J B T 2020 storage account

05:28

and under settings. Let's check out encryption, and right now the encryption type is set to Microsoft Manage skis.

05:33

But if we select the other radio button for a customer manage keys, we can either enter the key. Your I, which does, is a unique identifier for the key vault in the key we want to use. Or we can select the radio button for Select From Ki Volt and select the link. Here

05:48

we'll go select the key vole. Under this subscription,

05:53

we can select the drop down to select our key

05:55

and finally the version.

05:58

Let's click the select button.

06:00

We see our all of our options there and let's save it

06:03

and successful. We're now using our key down here from our key vault to encrypt our storage account with our own key. So let's go back to home.

06:13

We'll select our key vote here from our recent resource is

06:15

and I want to go into access policies,

06:18

and sometimes it doesn't show up right away. So let's click Refresh,

06:23

and we can now see r J. P. T. 2020 is listed as having access to this key vault. And for key permissions, it can get keys and wrapped and unwrapped the keys in order to access it.

06:33

Let's go back to keys here.

06:35

Select our key that we created,

06:38

and let's go and select a new version. Let's rotate are key here and see what that looks like.

06:43

Leave all our options at the default. Go and create another version. You can see our current version starts with C C 66 and are older. One is 5 to 6. Not sure why we got two current versions there, but if I refresh, it'll just go back to one. Let's go back to the home screen. We'll go into our storage account

07:00

back under settings and encryption on Let's Rotate to our new Key

07:03

will select Change Key

07:06

again. We'll select from vault

07:09

and choose our little link here. Go back, choose our key vault are key and now under here we have two versions are 5 to 6 is the older one, and cc 66 is the new one.

07:19

We'll select it.

07:21

Save

07:24

and we've successfully rotated are key for encryption on our storage account. That does it for our demo. Let's jump back to the slides and wrap this up.

07:32

That does it for this lesson. Where we talked about storage account encryption in general, we talked about Microsoft managed keys and how those are automatically applied to our storage account services.

07:43

Well said the option of providing our own key and storing it inside or a jerk evil

07:47

and then also creating azure key vault to store our own keys. And finally we looked at how we can configure those encryption keys on our storage account.

07:56

Kind of next. We're going to take a look at how to manage access keys and shared access signatures.