Configure customer-managed keys for Azure Files encryption

✔️ Applies to: Classic SMB and NFS file shares created with the Microsoft.Storage resource provider

✖️ Doesn't apply to: File shares created with the Microsoft.FileShares resource provider (preview)

Azure encrypts all data in a storage account at rest, including Azure Files data, using AES-256 encryption. By default, Microsoft manages the encryption keys for a storage account. For more control over encryption keys, you can use customer-managed keys (CMK) instead of Microsoft-managed keys to protect and control access to the encryption key that encrypts your data. This article explains how to configure customer-managed keys for Azure Files workloads.

When you configure customer-managed keys for a storage account, Azure Files data in that storage account is automatically encrypted using the customer key. No per-share opt-in is required.

These instructions are for storing customer-managed keys in Azure Key Vault. Some steps and commands for Azure Key Vault Managed HSM (Hardware Security Module) might be slightly different.

Follow these steps to configure customer-managed keys for a storage account.

Step 1: Create or configure a key vault

To enable customer-managed keys, you need an Azure storage account along with an Azure Key Vault with purge protection enabled. You can use an existing key vault or create a new one. The storage account and key vault can be in different regions or subscriptions within the same Microsoft Entra tenant. For cross-tenant scenarios, see Configure cross-tenant customer-managed keys for an existing storage account.

To create a new key vault by using the Azure portal, follow these steps:

  1. In the Azure portal, search for Key vaults and select Create.
  2. Fill in the required fields (subscription, resource group, name, region).
  3. Under Recovery options, select Enable purge protection.
  4. Select Review + create, and then select Create.

If you want to use an existing key vault, follow these steps:

  1. Go to your key vault in the Azure portal.
  2. From the service menu, under Settings, select Properties.
  3. In the Purge protection section, select Enable purge protection, and then select Save.
  4. Make sure soft delete is enabled on your key vault. It's enabled by default for new key vaults.

Assign the Key Vault Crypto Officer role

To create and manage keys in your key vault, you need the Key Vault Crypto Officer role on the key vault. You can assign this role to yourself by using the Azure portal, PowerShell, or Azure CLI. If you already have this role on the key vault, you can skip this section and proceed to Step 2.

You need the Owner or User Access Administrator RBAC role on the key vault scope to assign the Key Vault Crypto Officer role. Contact your admin if needed.

To assign the Key Vault Crypto Officer role to yourself by using the Azure portal, follow these steps:

  1. Go to your key vault.
  2. From the service menu, select Access control (IAM).
  3. Under Grant access to this resource, select Add role assignment.
  4. Search for and select Key Vault Crypto Officer, and then select Next.
  5. Under Assign access to, select User, group, or service principal.
  6. Under Members, choose +Select members.
  7. Search for and select your own account, then choose Select.
  8. Select Review + assign, and then Review + assign again.

Step 2: Create or import an encryption key

You need an RSA or RSA-HSM key of size 2048, 3072, or 4096. Generate or import an RSA key in your key vault. Before you generate a key, make sure you have the Key Vault Crypto Officer role on the key vault.

To generate a new RSA encryption key by using the Azure portal, follow these steps.

  1. Go to your key vault in the Azure portal.
  2. From the service menu, under Objects, select Keys.
  3. Select Generate/Import. Under Options, select Generate.
  4. Enter a name for the key. Key names can only contain alphanumeric characters and dashes.
  5. Set Key type to RSA and RSA key size to 2048 (or 3072/4096).
  6. Select Create.

To import an existing RSA encryption key by using the Azure portal, follow these steps.

  1. Go to your key vault in the Azure portal.
  2. From the service menu, under Objects, select Keys.
  3. Select Generate/Import. Under Options, select Import.
  4. Select your key to upload.
  5. Enter a name for the key. Key names can only contain alphanumeric characters and dashes.
  6. Set Key type to RSA.
  7. Select Create.

Step 3: Create a managed identity and assign permissions

The storage account needs a managed identity to authenticate to the key vault. By using a managed identity, the storage account can securely access the encryption key in your key vault without storing credentials.

Create a user-assigned managed identity and grant that identity the Key Vault Crypto Service Encryption User role on the key vault.

Create a user-assigned managed identity

Create a user-assigned managed identity by using the Azure portal, Azure PowerShell, or Azure CLI.

To create a user-assigned managed identity by using the Azure portal, follow these steps.

  1. Search for Managed Identities and select Create.
  2. Choose a subscription, resource group, region, and name.
  3. Select Review + create, and then select Create.

Assign the Key Vault Crypto Service Encryption User role to the managed identity

Assign the Key Vault Crypto Service Encryption User role to the managed identity you created by using the Azure portal, PowerShell, or Azure CLI.

To assign the Key Vault Crypto Service Encryption User role to the managed identity by using the Azure portal, follow these steps:

  1. Go to your key vault in the Azure portal.
  2. From the service menu, select Access control (IAM).
  3. Under Grant access to this resource, select Add role assignment.
  4. Search for and select Key Vault Crypto Service Encryption User, and then select Next.
  5. Under Assign access to, select Managed identity.
  6. Under Members, choose +Select members.
  7. The Select managed identities window opens. Under Managed identity, select User-assigned managed identity.
  8. Select the managed identity that you created, and then choose Select.
  9. Select Review + assign, and then Review + assign again.

Step 4: Configure customer-managed keys on the storage account

With the key vault, key, and managed identity in place, you can enable customer-managed keys on the storage account.

Follow these steps to configure the storage account to use your key for encryption. The Azure portal always uses automatic key version updating. To use manual key version management instead, use Azure PowerShell or Azure CLI and specify a key version.

Important

For storage accounts that are associated with a network security perimeter, the key vault should ideally be in the same network security perimeter. If it isn't, then you must configure the network security perimeter profile of the key vault to allow the storage account to communicate with it.

Configure customer-managed keys for an existing storage account

You can configure customer-managed keys on an existing storage account by using the Azure portal, Azure PowerShell, or Azure CLI.

To configure customer-managed keys on an existing storage account by using the Azure portal, follow these steps. The portal uses automatic key version updating by default. You can't specify a key version.

  1. Go to your storage account.
  2. From the service menu, under Security + networking, select Encryption.
  3. For Encryption type, select Customer-Managed Keys. If the storage account is already configured for CMK, select Change key.
  4. For Encryption key, select Select from key vault.
  5. Select Select a key vault and key, and then choose your key vault and key.
  6. For Identity type, choose User-assigned to use your previously created user-assigned managed identity.
  7. Search for and select the user-assigned managed identity and then select Add.
  8. Select Save.

Screenshot showing the encryption selection and key selection for configuring customer managed keys.

Configure customer-managed keys for a new storage account

You can configure customer-managed keys when you create a new storage account by using the Azure portal, Azure PowerShell, or Azure CLI.

You can't use a system-assigned identity during storage account creation because the identity doesn't exist until the storage account is created. You must use a user-assigned managed identity.

To configure customer-managed keys for a new storage account by using the Azure portal, follow these steps. The portal uses automatic key version updating by default. You can't specify a key version.

  1. On the Encryption tab during storage account creation, select Customer-managed keys (CMK) for Encryption type.
  2. Under Encryption key, choose Select a key vault and key, then select your key vault and key.
  3. Under User-assigned identity, choose Select an identity. The Select user assigned managed identity window opens.
  4. Search for and select your pre-created user-assigned managed identity. New storage accounts can't use a system-assigned managed identity.
  5. Select Add.
  6. Complete the remaining tabs and select Review + create.

Step 5: Verify the configuration

After you enable customer-managed keys, confirm that encryption is properly configured on your storage account. You can do this by using the Azure portal, Azure PowerShell, or Azure CLI.

To verify the storage account configuration by using the Azure portal, follow these steps:

  1. Go to your storage account in the Azure portal.
  2. From the service menu, under Security + networking, select Encryption.
  3. Confirm that Encryption type shows Customer-Managed Keys.
  4. Verify that the information under Key selection is correct.
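Steps 1 through 5 above are shown for the portal; the same configuration with Azure PowerShell, as an added example that is not part of this article (the resource group, vault, key, identity and storage account names are placeholders to replace with your own), looks like this:

```powershell
# Placeholder names (assumed for this example); replace with your own.
$rg       = "rg-files-cmk"
$location = "eastus"
$kvName   = "kv-files-cmk"
$keyName  = "files-cmk-key"
$idName   = "id-storage-cmk"
$saName   = "stfilescmk001"

# Step 1 prerequisite: the vault must have purge protection (soft delete is on by default).
$kv = Get-AzKeyVault -VaultName $kvName
if (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -VaultName $kvName -ResourceGroupName $kv.ResourceGroupName -EnablePurgeProtection
}

# Step 2: generate a 2048-bit RSA key (use -Destination HSM for an RSA-HSM key).
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# Step 3: user-assigned identity, granted only the role the storage account needs on the vault.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $idName -Location $location
New-AzRoleAssignment -ObjectId $identity.PrincipalId `
    -RoleDefinitionName "Key Vault Crypto Service Encryption User" `
    -Scope $kv.ResourceId

# Step 4: point the account at the key. Omitting -KeyVersion selects automatic
# key version updating, which is what the portal does.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -IdentityType UserAssigned -UserAssignedIdentityId $identity.Id `
    -KeyVaultEncryption -KeyName $key.Name -KeyVaultUri $kv.VaultUri `
    -KeyVaultUserAssignedIdentityId $identity.Id

# Step 5: verify. KeySource must be Microsoft.Keyvault and the key name must match.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption
if ($enc.KeySource -ne "Microsoft.Keyvault" -or $enc.KeyVaultProperties.KeyName -ne $keyName) {
    throw "Customer-managed key encryption is not active on $saName"
}
$enc.KeyVaultProperties | Format-List KeyName, KeyVersion, KeyVaultUri, CurrentVersionedKeyIdentifier
```

Role assignments can take a few minutes to propagate, so if Set-AzStorageAccount reports that the identity cannot access the key, retry after a short wait rather than widening the role.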

Key rotation

Regularly rotating your encryption key limits the exposure if a key is ever compromised. There are two ways to rotate encryption for a storage account that uses customer-managed keys:

  • Rotate the key version - Create a new version of the same key in the key vault. The key name stays the same, but the version changes.
  • Change the key - Switch the storage account to use an entirely different key (with a different name) in the same or a different key vault.

Important

Azure checks the key vault for a new key version only once daily. After rotating a key, wait 24 hours before disabling the previous key version.

Rotate the key version

For security best practices, rotate the key version at least once every two years.

If you configured customer-managed keys without specifying a key version (the default when using the Azure portal), Azure automatically checks for new key versions daily. If you create a new version of the key in key vault, Azure picks it up within 24 hours. You can also configure automatic key rotation in Azure Key Vault to generate new key versions on a schedule.

Manual key version rotation

If you specified a key version when configuring customer-managed keys using PowerShell or Azure CLI, Azure uses that specific version and doesn't automatically check for new versions. You must manually update the storage account configuration to point to the new key version.

Manual key version rotation isn't supported in the Azure portal. To manually rotate the key version, use Azure PowerShell or Azure CLI.
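The manual path just described, as an added Azure PowerShell example that is not part of this article (names are placeholders): create a new version of the same key, re-point the storage account at that version, and confirm the change before retiring the old version.

```powershell
# Placeholder names (assumed for this example); replace with your own.
$rg      = "rg-files-cmk"
$saName  = "stfilescmk001"
$kvName  = "kv-files-cmk"
$keyName = "files-cmk-key"

$kv = Get-AzKeyVault -VaultName $kvName

# Record which version the account is pinned to today.
$before = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption.KeyVaultProperties
Write-Host "Current pinned key version: $($before.KeyVersion)"

# Create a new version of the same key: the name stays the same, only the version changes.
$newKey = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# Because a version was pinned, Azure does not pick the new version up on its own.
# Re-point the account explicitly; the identity configured earlier is left unchanged.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -KeyVaultEncryption -KeyName $keyName -KeyVersion $newKey.Version -KeyVaultUri $kv.VaultUri

# Confirm the account now references the new version before touching the old one.
$after = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption.KeyVaultProperties
if ($after.KeyVersion -ne $newKey.Version) {
    throw "Storage account still references key version $($after.KeyVersion)"
}
Write-Host "Rotated $keyName from version $($before.KeyVersion) to $($after.KeyVersion)"

# List the remaining versions; per the guidance above, wait 24 hours before disabling
# the previous version (disable rather than delete so it can be re-enabled if needed).
Get-AzKeyVaultKey -VaultName $kvName -Name $keyName -IncludeVersions |
    Sort-Object Created -Descending |
    Format-Table Version, Enabled, Created
```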

Change the key

To switch the storage account to use an entirely different key, create or import a new key in your key vault (see Create or import an encryption key), and then update the storage account encryption configuration to use the new key.

To change the key by using the Azure portal, follow these steps:

  1. Go to your storage account.
  2. From the service menu, under Security + networking, select Encryption.
  3. Select Change key.
  4. Select Select a key vault and key, and then choose your key vault and new key.
  5. Select Save.

Revoke access to file share data by disabling the key

You can immediately block access to encrypted file share data by disabling or deleting the customer-managed key. While the key is disabled, all Azure Files data plane operations fail with HTTP 403 (Forbidden), including:

  • List directories and files
  • Create/get/set directory or file
  • Get/set file metadata
  • Put range, copy file, rename file

To revoke access to your file share data, disable the key in key vault by using the Azure portal, Azure PowerShell, or Azure CLI. Re-enable the key to restore access.

To disable the key by using the Azure portal, follow these steps:

  1. Go to your key vault in the Azure portal.
  2. From the service menu, under Objects, select Keys.
  3. Right-click the key and select Disable.

Switch back to Microsoft-managed keys

If you no longer need customer-managed keys, you can switch the storage account back to using Microsoft-managed keys for encryption by using the Azure portal, Azure PowerShell, or Azure CLI.

To switch back to Microsoft-managed keys by using the Azure portal, follow these steps:

  1. Go to your storage account in the Azure portal.
  2. From the service menu, under Security + networking, select Encryption.
  3. Change Encryption type to Microsoft-Managed Keys.
  4. Select Save.

For more information about encryption and key management, see the following articles.