Azure Storage Encryption at the Storage Container Level

Pallab Chakraborty 401 Reputation points
2021-05-03T19:24:18.217+00:00

We are planning to use a Storage API which will be accessed by some LoB Apps. Some apps will be using one Storage Account belonging to one Business Unit, other Apps will be using a different storage account if they are part of another BU
We are using CMK to encrypt our Storage Accounts. There will be PII and PCI data in the Storage Accounts. So i would like to know two things

1) Is it possible to encrypt data at rest at the Storage Account Container level instead of Storage Account Level or say is it possible to additionally implement encryption at the container level with CMK in addition to using SSE at the Storage Account level? Do i have to use Encryption Scope here and use "Container" as the encryption scope? If yes, can i change the scope for an already existing container say or this has to be done only when you create a new container?

2) If my super administrator is provided RBAC role say "Azure Storage Blob Data Contributor" and i have encryption enabled in my storage account with CMK, can the super administrator still read the Blob Data by having the Azure Storage Blob Data Contributor role? What i have noticed is when i encrypt using a CMK and when i go to the portal and open the file and then click on "Edit" it shows me that the file is encrypted. But when i download the file, i can see all the contents.
So is this by design? If someone can download the file and see the contents then how the Encryption at rest is applied to the blob then? Also, i have noticed if it's a JPEG file and i go to "Edit" in the portal for the blob, i can still see the JPG file, but i cannot see the file only if it's a .pdf or .doc, is that how it is supposed to be?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,149 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,843 questions
Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
174 questions
0 comments
Accepted answer
  1. deherman-MSFT 37,081 Reputation points Microsoft Employee
    2021-05-04T22:35:07.93+00:00

    @Anonymous
    Yes, you can have an encryption scope apply to a specific container. You simply need to create an encryption scope. After the encryption scope is created when you create a container, you can specify a default encryption scope for the blobs that are subsequently uploaded to that container. You cannot change or add a default encryption scope for a container after it is created. For more information see Encryption scopes for containers and blobs.

    Your super administrator would need access to the encryption key to view the data or download the blobs. If they do not have access to the proper encryption key then they would not be able to read or download the blob. When you download the file it will no longer be subject to encryption and can be read by anyone. I recommend reading About customer-managed keys and Azure Storage encryption for data at rest for a better understanding of how it works.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.