Create an account that supports customer-managed keys for tables and queues
Article
Azure Storage encrypts all data in a storage account at rest. By default, Queue storage and Table storage use a key that is scoped to the service and managed by Azure. You can also opt to use customer-managed keys to encrypt queue or table data. To use customer-managed keys with queues and tables, you must first create a storage account that uses an encryption key that is scoped to the account, rather than to the service. After you have created an account that uses the account encryption key for queue and table data, you can configure customer-managed keys for that storage account.
This article describes how to create a storage account that relies on a key that is scoped to the account. When the account is first created, Azure uses the account key to encrypt the data in the account, and Azure manages the key. You can subsequently configure customer-managed keys for the account to take advantage of those benefits, including the ability to provide your own keys, update the key version, rotate the keys, and revoke access controls.
Create an account that uses the account encryption key
You must configure a new storage account to use the account encryption key for queues and tables at the time that you create the storage account. The scope of the encryption key cannot be changed after the account is created.
The storage account must be of type general-purpose v2. You can create the storage account and configure it to rely on the account encryption key by using the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manager template.
Only Queue and Table storage can be optionally configured to encrypt data with the account encryption key when the storage account is created. Blob storage and Azure Files always use the account encryption key to encrypt data.
To create a storage account that relies on the account encryption key with the Azure portal, follow these steps:
From the left portal menu, select Storage accounts to display a list of your storage accounts.
On the Storage accounts page, select New.
Fill in the fields on the Basics tab.
On the Advanced tab, locate the Tables and Queues section, and select Enable support for customer-managed keys.
To use PowerShell to create a storage account that relies on the account encryption key, make sure you have installed the Azure PowerShell module, version 3.4.0 or later. For more information, see Install the Azure PowerShell module.
Next, create a general-purpose v2 storage account by calling the New-AzStorageAccount command, with the appropriate parameters:
Include the -EncryptionKeyTypeForQueue option and set its value to Account to use the account encryption key to encrypt data in Queue storage.
Include the -EncryptionKeyTypeForTable option and set its value to Account to use the account encryption key to encrypt data in Table storage.
The following example shows how to create a general-purpose v2 storage account that is configured for read-access geo-redundant storage (RA-GRS) and that uses the account encryption key to encrypt data for both Queue and Table storage. Remember to replace the placeholder values in brackets with your own values:
To use Azure CLI to create a storage account that relies on the account encryption key, make sure you have installed Azure CLI version 2.0.80 or later. For more information, see Install the Azure CLI.
Next, create a general-purpose v2 storage account by calling the az storage account create command, with the appropriate parameters:
Include the --encryption-key-type-for-queue option and set its value to Account to use the account encryption key to encrypt data in Queue storage.
Include the --encryption-key-type-for-table option and set its value to Account to use the account encryption key to encrypt data in Table storage.
The following example shows how to create a general-purpose v2 storage account that is configured for read-access geo-redundant storage (RA-GRS) and that uses the account encryption key to encrypt data for both Queue and Table storage. Remember to replace the placeholder values in brackets with your own values:
The following JSON example creates a general-purpose v2 storage account that is configured for read-access geo-redundant storage (RA-GRS) and that uses the account encryption key to encrypt data for both Queue and Table storage. Remember to replace the placeholder values in angle brackets with your own values:
After you create the account, you can verify that the storage account is using an encryption key that is scoped to the account by using the Azure portal, PowerShell, or Azure CLI.
To verify that a service in a storage account is using an encryption key that is scoped to the account with the Azure portal, follow these steps:
Navigate to your new storage account in the Azure portal.
In the Security + Networking section, select Encryption.
If the storage account was created to rely on the account encryption key, you'll see on the Encryption tab that customer-managed keys can be enabled for all four Azure Storage services: blobs, files, tables, and queues.
To verify that a service in a storage account is using the account encryption key with PowerShell, call the Get-AzStorageAccount command. This command returns a set of storage account properties and their values. Look for the KeyType field for each service within the Encryption property and verify that it is set to Account.
To verify that a service in a storage account is using the account encryption key with Azure CLI, call the az storage account show command. This command returns a set of storage account properties and their values. Look for the keyType field for each service within the encryption property and verify that it is set to Account.
az storage account show \
--name <storage-account> \
--resource-group <resource-group>
N/A
After you've verified that the storage account is using an encryption key that is scoped to the account, you can enable customer-managed keys for the account. All four Azure Storage services—blobs, files, tables, and queues—will then use the customer-managed key for encryption.
Pricing and billing
A storage account that is created to use an encryption key scoped to the account is billed for Table storage capacity and transactions at a different rate than an account that uses the default service-scoped key. For details, see Azure Table Storage pricing.