Skip to main content
Jorge Bernhardt Jorge Bernhardt
  1. Posts/

Study Datasheet – Customer-Managed Keys (CMK) for Azure Storage Encryption

·665 words·4 mins· 100 views · 5 likes ·
Microsoft Azure CMK Azure Storage Account
Overview

Azure Storage automatically encrypts all data at rest using Storage Service Encryption (SSE). When you specify a customer-managed key (CMK), that key is not used to encrypt the data, it is used to protect and control access to the key that encrypts the data.

Key Features
  • Data at rest encrypted using Storage Service Encryption (SSE).
  • Works with Managed Identities for secure authentication.
  • Supports cross-tenant configurations for distributed security control.
Implementation Options

  • Azure Key Vault and Storage Account under subscriptions associated with the same Microsoft Entra tenant.

    • For a new storage account, we must use User-Assigned Managed Identity.
    • For an existing storage account, we can use either User-Assigned or System-Assigned Managed Identity.

  • Azure Key Vault and Storage Account under subscriptions associated with different Microsoft Entra tenants.

    • Customer managed keys (CMKs) can be configured on storage accounts and Key Vaults located in different Microsoft tenants, but appropriate permissions must be granted on the Key Vault to allow access from another tenant.

  • Azure Key Vault Managed Hardware Security Module (HSM) in the same or different tenant.

    • Customer managed keys (CMKs) can be configured with Azure Key Vault Managed HSM in the same or different tenant; The process is similar to Azure Key Vault, but permissions must be managed exclusively through Azure RBAC, as Managed HSM does not support traditional access policies.

Important:

  • Data remains encrypted at all times, even when switching between Microsoft-managed keys (MMK) and Customer-managed keys (CMK).
  • Customer managed keys (CMKs) protection is applied immediately, with no additional actions required.
  • You can switch between Microsoft-managed keys (MMK) and Customer managed keys (CMKs) at any time, depending on your security and compliance needs.
Requirements
  • Soft Delete enabled.
  • Purge Protection enabled.
  • Support for RSA and RSA-HSM keys with sizes of 2048, 3072, and 4096 bits.

Recommended Scenarios
It is recommended to implement Customer-Managed Keys (CMK) in the following cases:

  1. Regulatory compliance: Required for GDPR, HIPAA, ISO 27001 and other regulations.
  2. Full control over encryption keys: Allows you to restrict access and define advanced policies.
  3. Custom key rotation: Key management is under the customer’s control.
  4. Multi-tenant scenarios: Allows you to configure storage and keys in different tenants or subscriptions.
Roles & Permissions
Involved Roles>

Involved Roles #

The following Azure roles are required to configure and manage Customer-Managed Keys (CMKs) in Azure Storage:

  • Storage Account Contributor: Configures CMK encryption on the storage account.
  • Key Vault Administrator: Creates and manages keys in Azure Key Vault or Managed HSM, ensuring that access policies are appropriate.
  • Managed Identity Contributor: Assigns system-assigned and user-assigned managed identities to the storage account.
  • User Access Administrator: Grants permissions to identities across resources.
Managed Identity Types>
Managed Identity Types #

Azure Storage requires a Managed Identity to access the encryption keys stored in Azure Key Vault.

  • System-assigned.
  • User-assigned.

For the Managed Identity associated with the storage account, the following Key Vault permissions are required:

  • wrapKey: To encrypt the data root key.
  • unwrapKey: To decrypt the data root key.
  • get: To retrieve information about the key. For Key Vaults using Azure role-based access control (RBAC):
  • Key Vault Crypto User:This role is suitable for performing cryptographic operations using keys.
Known Limitations
  • Customer managed keys (CMKs) only applies to Blob Storage and Azure Files (Not supported for Tables and Queues).
  • Not supported for premium storage in certain configurations.
  • Storage account must have a Managed Identity configured to access Key Vault.
  • Symmetric keys cannot be used, only 2048-bit, 3072-bit, and 4096-bit RSA keys.
Related Azure Products or Resources
Licensing & Pricing
  • N/A.
Best Practices
  • Enable automatic key rotation in Azure Key Vault to minimize exposure risks.
  • Use Azure Key Vault Managed Hardware Security Module (HSM) if FIPS 140-2 Level 3 certification is required.
  • Configure alerts in Key Vault to detect unauthorized access to encryption keys.
  • Monitor Key Vault latency on critical workloads to avoid performance impacts.
  • Use Azure Policy to enforce Customer managed keys (CMKs) usage for all new storage accounts.
Official Documentation & Links