Blob Service Encryption

Quick Info

Plugin TitleBlob Service Encryption
CategoryStorage Accounts
DescriptionEnsures encryption is properly configured for Blob Services
More InfoBlob Services can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt Blob Services, but the recommended approach is to create your own keys using Azure Key Vault.
Recommended ActionEnsure that Blob Service is configured to use a customer-provided key vault key.

Detailed Remediation Steps

  1. Log into the Microsoft Azure Management Console.
  2. Select the “Search resources, services, and docs” option at the top and search for “Storage account."
  3. On the “Storage account” page, scroll down the left navigation panel and choose “Containers” under the “Blob services.”
  4. Select the “Container” on the “Containers” page.
  5. Scroll down the “Storage account” navigation panel and choose “Encryption” option under the “Settings."
  6. On the “Encryption page” scroll down and check “Use your own key” setting configuration. If “Use your own key” setting checkbox is not checked, then “BYOK encryption” is not configured in the Blob Service Encryption.
  7. Repeat steps number 2 - 5 to verify other “Blob Service Encryption” in the Azure account.
  8. Navigate to “Storage account”, select the corresponding “Storage account”, scroll down the left navigation panel and choose “Encryption."
  9. On the “Encyption page” select the “Use your own key” and click on the “Select from Key Vault”.
  10. On the “Key vault” option select the vault accordingly.
  11. On the “Encryption key” option select the key accordingly.
  12. Click on the “Save” option at the top to make the changes.
  13. Repeat steps number 8 - 12 to ensure the Storage Account used by Activity Logs is configured with a BYOK key.