In my last post, I indicated how easy it was to tell a storage account (particularly the Azure Shell storage account) to use an encryption key. In that example, I brought my own key. That key was an 2048-bit RSA key that Azure Key Vault was happy to use and apply to my storage account. The figure below shows my 2048-bit key:

You can see the properties of a key in Azure Key Vault

Now, 2048-bit is good. But, Azure can do better for some services. Inside of Azure Key Vault, you can create your own keys with RSA 3072 or 4096 bit size. Additionally you can put either an enable date or an expiration date on a new key. This is shown below:

You can select RSA key sizes for stronger cryptography

Once this key is made, it can be applied to other Azure services transparently in the encryption options. Note that not all Azure services that leverage the encryption can leverage the 4096-bit keys, however. I’ve observed discussions from a while ago where the ask of when 4096-bit support can be used.

Azure blob storage accounts currently only support 2048-bit keys however. To illustrate this, I’ll select an Azure blob storage account I have in place. I want to apply this new RSA 2048-bit key to the encryption of my Azure blob storage. For a blob storage account, I can go to the encryption setting for that storage and select encryption.

Azure services allow to change the encryption per service item

I just created this blob storage account shown. It is important to note that if you change the encryption for a storage account that is already populated with data, new data into the storage account will be encrypted immediately with this specified key, and existing data will be encrypted as a background process. Another important point that you may learn is that the Azure Key Vault keys you set up, compared to the Azure services you want to leverage for encryption must be in the same region. This is somewhat intuitive, but paves the way for multiple Azure Key Vault deployments if you have multiple region deployments of Azure services. Below, I’ve applied the new RSA-2048 bit key to the Azure blob storage account:

Those of you with a keen eye have noticed I changed the name of the key as these as I went through these examples. The final name of the key was “RWV0KEY2USEAST0BLOBINTERKEY”. As I’m developing my practice here I’m starting to think of what would be a good nomenclature process for keys, I’ll come back to this in a future post. You’ll see I am on a path of who (RWV is me), 0 is account (Azure account number), Key number, Region, etc.

Speaking of future posts, I’m also going to be exploring some automation around this. I want to get to a point where I can share scripts to create services and immediately apply the specific encryption keys to it and leverage the Azure Key Vault.

Do you use the these higher-bit keys in Azure? If so, share your strategy around them below.

Advertisements