In Azure, all data written to a storage account is automatically encrypted using Server-Side Encryption (SSE) with 256-bit AES encryption, compliant with FIPS 140-2. This feature is enabled by default and cannot be disabled. As an Azure Administrator, your configuration duties focus on key management and encryption scopes.
**Key Management Options:**
1. **Microsoft-Managed Keys (MMK):** The default setting. Microsoft manages key rotation and storage. No administrative overhead is required.
2. **Customer-Managed Keys (CMK):** Required for specific compliance needs. You manage keys using Azure Key Vault (AKV). To configure this, you must enable 'Soft Delete' and 'Purge Protection' on the AKV. You then assign a Managed Identity (System or User-assigned) to the Storage Account and grant it permissions to wrap and unwrap keys in the vault.
**Advanced Configurations:**
* **Infrastructure Encryption:** You can enable this at the time of account creation to add a second layer of encryption at the infrastructure level (double encryption) for highly sensitive data.
* **Encryption Scopes:** These allow you to manage encryption at the blob or container level rather than the account level. This is critical for multi-tenant scenarios where different customers require distinct keys.
Changing key types (e.g., switching to CMK) updates the encryption settings for the account immediately, but existing data is not re-encrypted until it is rewritten.
Comprehensive Guide: Configure Storage Account Encryption for AZ-104
**What is Azure Storage Encryption?**
Azure Storage encryption is a security mechanism that automatically encrypts your data when it is persisted to the cloud and decrypts it when accessed. It protects data at rest to meet organizational security and compliance commitments. By default, all Azure Storage accounts use Server-Side Encryption (SSE). This process is transparent to the user, meaning you do not need to modify your code or applications to use it.
**Why is it Important?**
Data security is a critical pillar of the AZ-104 exam. Storage encryption uses 256-bit AES, one of the strongest block ciphers available, and is FIPS 140-2 compliant. It ensures that unauthorized access to the physical disks in Azure datacenters does not compromise your data.
**How it Works: Key Management Options**
While encryption is always enabled (it cannot be disabled), the AZ-104 exam focuses heavily on how the encryption keys are managed. There are two primary modes you must understand:
1. Microsoft-managed keys (MMK): This is the default setting. Microsoft manages the key rotation and storage. It is the simplest option and requires no configuration from the administrator.
2. Customer-managed keys (CMK): This option gives you control over the keys. You create and store your keys in an Azure Key Vault (AKV) or Azure Key Vault Managed Hardware Security Module (HSM). This is often required for strict compliance scenarios where the customer must manage key rotation and access policies.
**Configuration Components**
To successfully configure Customer-managed keys, you need three specific components working together, which are frequent exam topics:
* **The Key Vault:** Must have Soft Delete and Purge Protection enabled.
* **The Identity:** The storage account accesses the Key Vault using a Managed Identity (System-assigned or User-assigned) to retrieve the key.
* **The Key:** Usually an RSA key stored within the Vault.
**Double Encryption (Infrastructure Encryption)**
For scenarios requiring high security, Azure offers Infrastructure Encryption. This adds a second layer of encryption at the level of the storage infrastructure. However, this must be enabled at the time of storage account creation and cannot be changed later.
**Exam Tips: Answering Questions on Configuring Storage Account Encryption**
When facing AZ-104 questions regarding storage encryption, look for these specific keywords and scenarios:
1. "Rotation Control" or "Customer Compliance": If a scenario asks for the ability to rotate keys on a specific schedule or states that the organization must manage the cryptography, the answer is always Customer-managed keys (CMK).
2. Key Vault Prerequisites: A common troubleshooting question involves a failed attempt to configure CMK. If the question asks why a Key Vault cannot be selected for storage encryption, check whether Soft Delete and Purge Protection are enabled on the Key Vault. Both are mandatory.
3. Identity Access: To configure CMK, the storage account needs permission to access the Key Vault. The exam may ask what must be configured to allow this connection. The answer is a Managed Identity (System-assigned is most common for simple 1:1 relationships, User-assigned for multiple resources accessing the same key).
4. Changing Encryption Settings: Remember that switching from Microsoft-managed to Customer-managed keys takes effect immediately without downtime. However, enabling Infrastructure Encryption (double encryption) requires creating a new storage account; it cannot be enabled on an existing one.
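The CMK prerequisites (Key Vault soft delete and purge protection, a managed identity, key properties) and the troubleshooting tips above can be checked offline against the JSON that `az keyvault show` and `az storage account show` emit. The following pre-flight audit is an added example, not code from the original guide; the JSON field names are assumed from the Azure CLI's output, and both sample documents are constructed.

```python
import json

# Constructed sample in the shape of `az keyvault show -o json` (field names
# assumed): soft delete is on, but purge protection was never enabled.
SAMPLE_KEYVAULT = json.loads("""{
  "name": "kv-example",
  "properties": {"enableSoftDelete": true, "enablePurgeProtection": null,
                 "vaultUri": "https://kv-example.vault.azure.net/"}
}""")

# Constructed sample trimmed from `az storage account show -o json`: CMK is
# configured, a system-assigned identity reaches the vault, no double encryption.
SAMPLE_STORAGE = json.loads("""{
  "name": "stexample",
  "identity": {"type": "SystemAssigned"},
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "requireInfrastructureEncryption": false,
    "keyVaultProperties": {"keyName": "cmk-rsa",
                           "keyVaultUri": "https://kv-example.vault.azure.net/",
                           "keyVersion": ""}
  }
}""")


def keyvault_findings(kv):
    """Return the mandatory CMK prerequisites the Key Vault is missing."""
    props = kv.get("properties") or {}
    missing = []
    if props.get("enableSoftDelete") is not True:
        missing.append("soft delete")
    if props.get("enablePurgeProtection") is not True:
        missing.append("purge protection")
    return missing


def storage_findings(sa, require_cmk=True, require_infra=False):
    """Compare an account's encryption block against the policy given."""
    findings = []
    enc = sa.get("encryption") or {}
    if require_cmk and enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("uses Microsoft-managed keys, not CMK")
    if enc.get("keySource") == "Microsoft.Keyvault":
        if not (sa.get("identity") or {}).get("type"):
            findings.append("no managed identity assigned to reach Key Vault")
        kvp = enc.get("keyVaultProperties") or {}
        # An empty keyVersion is valid: the account then tracks the latest version.
        if not kvp.get("keyName") or not kvp.get("keyVaultUri"):
            findings.append("keyVaultProperties incomplete")
    if require_infra and not enc.get("requireInfrastructureEncryption"):
        findings.append("infrastructure encryption off (needs a new account)")
    return findings
```

Run `keyvault_findings` before attempting to select the vault in the portal: a non-empty result is the usual reason the vault cannot be selected.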