Using Key Vault keys – Building Application Security

In the following example, we will create a storage account and then replace the default Microsoft-managed key with a customer-managed key, which will be stored in our key vault. We will start by creating the storage account via PowerShell:

  1. First, we need to log in to our Azure account:
    Connect-AzAccount
  2. If necessary, select the right subscription:
    Select-AzSubscription -SubscriptionId "<subscription-id>"   # placeholder: substitute your own subscription ID
  3. Create a resource group and the storage account (the key vault itself was created earlier):
    $resourceGroup = "cs-managedstorage-resourcegroup"
    $location = "eastus"
    New-AzResourceGroup -Name $resourceGroup -Location $location
    New-AzStorageAccount -ResourceGroupName $resourceGroup -Name csmanagedstorage101 -Location $location -SkuName Standard_LRS -Kind StorageV2

This will create a basic storage account in your subscription. Next, we will use the portal to update the encryption key:

  1. Navigate to the Azure portal at https://portal.azure.com.
  2. In the top search bar, search for and select Storage Accounts.
  3. Click on the storage account you created in Step 3.
  4. On the left-hand menu, click Encryption.
  5. Change Microsoft-managed Keys to Customer-managed Keys.
  6. Under Encryption key, choose Select from key vault.
  7. Click Select a key vault and key.
  8. Select your subscription.
  9. Select your key vault from the list.
  10. Next to Key, click Create new.
  11. Enter the following details:
    a) Options: Generate.
    b) Name: MyManagedStorageKey.
    c) Key Type: RSA.
    d) RSA Key Size: 2048.
    e) Set activation date?: leave unticked.
    f) Set expiration date?: leave unticked.
    g) Enabled?: Yes.
  12. Click Create.
  13. Click Select.
  14. Click Save.

The screen will refresh and show the updated configuration – note as well that automated key rotation is enabled, meaning that Azure will automatically generate new keys for you and rotate them.
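The same switch from a Microsoft-managed key to a customer-managed key can be scripted instead of clicked through the portal. The following is an added example, not code from the original post; it assumes the Az module is installed, Connect-AzAccount has already run, the key vault named in $vaultName exists in the same resource group (it was created earlier in the chapter) and uses the access-policy permission model. The vault and identity names are placeholders.

```powershell
# Added example (not from the original post): customer-managed key for a
# storage account, end to end in PowerShell.
$resourceGroup  = "cs-managedstorage-resourcegroup"
$storageAccount = "csmanagedstorage101"
$vaultName      = "<your-key-vault-name>"   # placeholder: substitute your vault
$keyName        = "MyManagedStorageKey"

# 1. Customer-managed keys require soft delete and purge protection on the
#    vault, so an accidentally deleted key cannot leave the account unreadable.
Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -EnablePurgeProtection | Out-Null
$vault = Get-AzKeyVault -VaultName $vaultName

# 2. Create the RSA 2048 key that the portal steps created interactively.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# 3. Give the storage account a system-assigned managed identity and grant that
#    identity only the key permissions the service needs (get, wrapKey,
#    unwrapKey). No create, delete or purge rights are granted.
$account = Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount -AssignIdentity
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $account.Identity.PrincipalId -PermissionsToKeys get,wrapkey,unwrapkey

# 4. Point the account's encryption at the vault key. Omitting -KeyVersion makes
#    Azure follow the latest key version automatically (the rotation behaviour
#    the post mentions); pass -KeyVersion $key.Version instead to pin a version
#    and rotate by hand.
Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount -KeyvaultEncryption -KeyName $key.Name -KeyVaultUri $vault.VaultUri | Out-Null

# 5. Verify: KeySource must read Microsoft.Keyvault, not Microsoft.Storage.
$enc = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Encryption
if ($enc.KeySource -ne "Microsoft.Keyvault") {
    throw "Storage account is still using a Microsoft-managed key"
}
"$storageAccount now encrypts with key '$($enc.KeyVaultProperties.KeyName)' from $($enc.KeyVaultProperties.KeyVaultUri)"
```

If the vault uses Azure RBAC rather than access policies, step 3 becomes a role assignment of Key Vault Crypto Service Encryption User to the account's managed identity scoped to the vault; the remaining steps are unchanged. The final check is worth keeping in any deployment script, because a storage account whose KeySource silently stays at Microsoft.Storage looks identical from the data plane.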

Customer-managed keys on services such as storage accounts and SQL databases are sometimes required when those services hold highly sensitive data.

Using Key Vault certificates

SSL certificates digitally bind cryptographic keys to an organization's identity. They are often used by websites to provide secure HTTPS communication, and more generally to encrypt traffic to services.

Azure Key Vault provides an easy store to help manage and maintain your certificates. Specifically, it can do the following:

  • Create certificates, either self-signed or issued by a Certificate Authority, through its built-in certificate creation process.
  • Import existing certificates for management.
  • Automatically renew certificates with selected issuers.

Once stored in a key vault, certificates can be accessed either manually through the portal or programmatically. For example, they can be referenced from an ARM deployment template so that a DevOps pipeline installs the certificate automatically.

When we created the key vault, one of the steps involved creating an access policy that defined which actions your account could perform. We accepted the default, which gives your account full access to all certificates, keys, and secrets.
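The certificate operations listed above, and a narrower access policy than the full-access default, look like this in PowerShell. This is an added example, not code from the original post; it assumes Connect-AzAccount has run, the vault in $vaultName exists, and $deployObjectId is the Azure AD object ID of the pipeline's service principal (both are placeholders to substitute).

```powershell
# Added example (not from the original post): creating, importing and
# monitoring a Key Vault certificate, plus a least-privilege access policy.
$vaultName      = "<your-key-vault-name>"               # placeholder
$certName       = "www-example-tls"
$deployObjectId = "<object-id-of-deployment-identity>"  # placeholder

# 1. Certificate policy. "Self" produces a self-signed certificate; an
#    integrated CA is chosen by changing -IssuerName. The renewal setting is
#    what lets Key Vault re-issue the certificate without manual intervention.
$policy = New-AzKeyVaultCertificatePolicy `
    -SecretContentType "application/x-pkcs12" `
    -SubjectName "CN=www.example.com" `
    -IssuerName "Self" `
    -KeyType RSA -KeySize 2048 `
    -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30

# 2. Create the certificate (the request is asynchronous; the returned
#    operation object reports its status).
Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy | Out-Null

# Alternative to step 2: import a PFX that was issued elsewhere.
# $pfxPassword = Read-Host -AsSecureString "PFX password"
# Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -FilePath ".\www-example.pfx" -Password $pfxPassword

# 3. Grant the deployment identity only what installing a certificate needs:
#    read the certificate and the secret that carries its PFX. Unlike the
#    full-access default chosen at vault creation, it gets no create, delete
#    or purge rights on anything.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $deployObjectId `
    -PermissionsToCertificates get,list -PermissionsToSecrets get

# 4. Operational check: certificates expiring within $Days, which surfaces a
#    failed auto-renewal or an imported certificate that has no renewal policy.
function Get-ExpiringKeyVaultCertificate {
    param([string]$VaultName, [int]$Days = 30)
    $cutoff = (Get-Date).AddDays($Days)
    Get-AzKeyVaultCertificate -VaultName $VaultName |
        Where-Object { $_.Expires -and $_.Expires -lt $cutoff } |
        Select-Object Name, Expires, Enabled
}
Get-ExpiringKeyVaultCertificate -VaultName $vaultName -Days 30
```

The check in step 4 is the piece to schedule: Key Vault renews on its own only for certificates with an issuer it can call, so anything imported under step 2's alternative still expires on its original date.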
