01 Run the keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault that will store the new customer-managed encryption key (BYOK). Soft delete and purge protection are enabled on the vault so that the key cannot be permanently deleted while the storage account still depends on it:
az keyvault create
--name cc-byok-key-vault
--resource-group cloud-shell-storage-westeurope
--location westeurope
--enable-soft-delete true
--enable-purge-protection true
02 The command output should return the configuration metadata for the newly created Azure Key Vault:
{
"id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-byok-key-vault",
"location": "westeurope",
"name": "cc-byok-key-vault",
"properties": {
"createMode": null,
"enablePurgeProtection": true,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
...
"enabledForTemplateDeployment": null,
"networkAcls": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"vaultUri": "https://cc-byok-key-vault.vault.azure.net/"
},
"resourceGroup": "cloud-shell-storage-westeurope",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
03 Run keyvault key create command (Windows/macOS/Linux) to create a new customer-managed encryption key (also known as Bring Your Own Key – BYOK) within the Azure Key Vault created at the previous step:
az keyvault key create
--name cc-byok-key
--vault-name cc-byok-key-vault
--kty RSA
--ops encrypt decrypt wrapKey unwrapKey sign verify
--size 2048
04 The command output should return the metadata for the new customer-managed key:
{
"attributes": {
"created": "2019-08-11T16:58:06+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Recoverable",
"updated": "2019-08-11T16:58:06+00:00"
},
"key": {
"crv": null,
"d": null,
...
"dp": null,
"dq": null,
"e": "AQAB",
"k": null,
"p": null,
"q": null,
"qi": null,
"t": null,
"x": null,
"y": null
},
"managed": null,
"tags": null
}
05 Run the keyvault set-policy command (Windows/macOS/Linux) to update the access policy of the Azure Key Vault created earlier in the process, granting the identity referenced by --object-id only the key permissions it needs to use the key (get, wrapKey and unwrapKey):
az keyvault set-policy
--name cc-byok-key-vault
--object-id 1234abcd-1234-abcd-1234-abcd1234abcd
--key-permissions get wrapkey unwrapkey
06 The command output should return the metadata for the updated Microsoft Azure Key Vault:
{
"id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-byok-key-vault",
"location": "westeurope",
"name": "cc-byok-key-vault",
"properties": {
"accessPolicies": [
{
"applicationId": null,
"permissions": {
"certificates": null,
"keys": [
"get",
"wrapKey",
"unwrapKey"
],
"secrets": null,
"storage": null
},
...
}
],
...
"createMode": null,
"enablePurgeProtection": true,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"vaultUri": "https://cc-byok-key-vault.vault.azure.net/"
},
"resourceGroup": "cloud-shell-storage-westeurope",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
07 Run the storage account update command (Windows/macOS/Linux), using the ID of the Azure storage account that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource), to configure the Transparent Data Encryption (TDE) feature to use the customer-managed key (Bring Your Own Key - BYOK) created in the previous steps for the selected storage account and all the blob containers inside the account. Because the command pins a specific key version (--encryption-key-version), the storage account keeps using that version until the command is run again with the new version after the key is rotated:
az storage account update
--name abcd1234abcd1234abcd1234
--resource-group cloud-shell-storage-westeurope
--encryption-key-source=Microsoft.Keyvault
--encryption-key-vault https://cc-byok-key-vault.vault.azure.net/
--encryption-key-name cc-byok-key
--encryption-key-version abcdabcd12341234abcdabcd12341234
--encryption-services blob
08 The command output should return the TDE’s configuration metadata for the selected storage account:
{
"accessTier": null,
"azureFilesIdentityBasedAuthentication": null,
"creationTime": "2019-07-25T08:47:35.787368+00:00",
"customDomain": null,
"enableHttpsTrafficOnly": false,
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyVaultProperties": {
"keyName": "cc-byok-key",
"keyVaultUri": "https://cc-byok-key-vault.vault.azure.net/",
"keyVersion": "abcdabcd12341234abcdabcd12341234"
},
"services": {
"blob": {
"enabled": true,
"lastEnabledTime": "2019-07-25T08:47:35.927993+00:00"
},
"file": {
"enabled": true,
"lastEnabledTime": "2019-07-25T08:47:35.927993+00:00"
}
}
},
...
"primaryLocation": "westeurope",
"provisioningState": "Succeeded",
"resourceGroup": "cloud-shell-storage-westeurope",
"secondaryEndpoints": null,
"secondaryLocation": null,
"sku": {
"capabilities": null,
"kind": null,
"locations": null,
"name": "Standard_LRS",
"resourceType": null,
"restrictions": null,
"tier": "Standard"
},
"statusOfPrimary": "available",
"statusOfSecondary": null,
"tags": {},
"type": "Microsoft.Storage/storageAccounts"
}
09 Repeat steps no. 1 – 8 for each subscription created within your Microsoft Azure cloud account.