Encrypt data at rest using Azure Key Vault.
In this blog post, I will guide you through the process of encrypting and decrypting data on an Azure SQL server and on Azure storage accounts using customer-managed keys. By default, your data is encrypted using Microsoft-managed keys. To manage the keys yourself (customer-managed keys), they must be stored in the Azure Key Vault service.
Sign in to the Azure portal.
- First, we will create an Azure storage account. A storage account in Azure lets you store all your objects such as blobs, files, images, and videos, and ensures that your data is highly available, durable, scalable, and secure.
- To access the storage account, go to the Storage accounts menu on the left or search for "storage account".
- Click on Create.
- In the Basics tab, specify a storage account name (which must be globally unique), the Region as East-US, and redundancy set to LRS.
- Leave everything else as default and click on Review+create, then click on Create.
Next, let's create the SQL database server we will use.
Search for SQL server, and click on Create.
Specify the details as shown in the image. The server name must be globally unique. Set the authentication method to Use SQL authentication and specify a username and password. Keep the region the same as the one we used when creating the storage account. Leave everything else as default and click on Create.
While we wait for the SQL server to finish creating, let's head over to our storage account.
In our storage account, under Security + networking, select Encryption.
For the encryption type, choose Customer-managed keys. Under Key vault and key, choose Select a key vault and key.
Confirm your subscription and select Key vault as the key store type. Under Key vault, select Create new key vault. Azure Key Vault is a service that helps you manage certificates, keys, and secrets; the keys we create will be handled there.
Under Create a key vault, specify the vault name as mykeyvault-22 (it must be globally unique) and keep the same region. Click Next.
In the Access configuration tab, select Vault access policy under Permission model.
Select our user at the bottom.
Next, in the pop-up box, select the key vault we just created. Click on Create new key. This key will encrypt our storage account. Specify the name of the key as key1 and click on Create.
Select the key1 we created, click on Select, and then Save.
Confirm that encryption with our customer-managed key is now in place.
Now let's encrypt our SQL server. Head over to the SQL server we created. Under Security, choose Transparent data encryption, select Customer-managed keys, and choose Change key.
Select the key vault we already created and create a new key for our SQL server. Specify the name as mykey2.
Click on Select and Save.
Now that we have encrypted both our SQL server and our storage account, let's confirm it. Head over to the Key vaults service.
Go to Access policies on the left and verify that the key permissions granted are Get, Wrap Key, and Unwrap Key. These are the permissions that allow our storage account and SQL server to use the keys; they need nothing beyond these three.
Once you are done, clean up the created resources by deleting the resource group.
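The same verification can be scripted rather than eyeballed in the portal. The following is an added example, not code from this blog post: it checks a vault's access policies for exactly the Get, Wrap Key and Unwrap Key permissions the tutorial grants and flags anything broader. The vault JSON is a constructed sample that mirrors the accessPolicies shape of `az keyvault show` output, and the object IDs are placeholders rather than real identities.

```python
import json

# Constructed sample (not real output) mirroring the accessPolicies shape of
# `az keyvault show --name mykeyvault-22`; the object IDs are placeholders.
SAMPLE_VAULT = json.loads("""
{
  "name": "mykeyvault-22",
  "properties": {
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}},
      {"objectId": "00000000-0000-0000-0000-000000000002",
       "permissions": {"keys": ["get", "wrapKey"]}},
      {"objectId": "00000000-0000-0000-0000-000000000003",
       "permissions": {"keys": ["all"]}}
    ]
  }
}
""")

# The three key permissions the tutorial grants: enough to wrap and unwrap the
# data-encryption key and nothing more.
REQUIRED = {"get", "wrapkey", "unwrapkey"}


def check_policy(vault, object_id):
    """Return (ok, missing, extra) for one identity's key permissions.

    ok: all required permissions present; missing: required but not granted;
    extra: granted beyond the required set (review these, e.g. 'all').
    """
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"].lower() != object_id.lower():
            continue
        granted = {p.lower() for p in policy["permissions"].get("keys", [])}
        if "all" in granted:  # satisfies the requirement but is overly broad
            return True, set(), {"all"}
        return REQUIRED <= granted, REQUIRED - granted, granted - REQUIRED
    return False, set(REQUIRED), set()  # identity has no policy on this vault


def report(vault, identities):
    """Print a verdict per (label, objectId) pair; return how many need attention."""
    failures = 0
    for label, oid in identities:
        ok, missing, extra = check_policy(vault, oid)
        failures += 0 if ok and not extra else 1
        verdict = "OK" if ok else "MISSING " + ",".join(sorted(missing))
        print(f"{label}: {verdict}" + (f" (extra: {','.join(sorted(extra))})" if extra else ""))
    return failures
```

To run it against a real vault, replace SAMPLE_VAULT with the parsed output of `az keyvault show` and pass the managed-identity object IDs of your storage account and SQL server to `report`.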