articles/storage/elastic-san/elastic-san-encryption-manage-customer-keys.md
Lines changed: 16 additions & 16 deletions
@@ -1,10 +1,10 @@
1
1
---
2
-
title: Manage customer-managed keys - Azure Elastic SAN
2
+
title: Manage Customer-Managed Keys - Azure Elastic SAN
3
3
description: Learn how to manage customer-managed keys for Azure Elastic SAN, allowing you to control all aspects of your encryption keys.
4
4
author: roygara
5
5
ms.service: azure-elastic-san-storage
6
6
ms.topic: how-to
7
-
ms.date: 05/31/2024
7
+
ms.date: 01/13/2026
8
8
ms.author: rogarana
9
9
ms.reviewer: jaylansdaal
10
10
ms.custom: references_regions
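Review bot: the `title:` metadata on the `+` line changes from sentence case ("Manage customer-managed keys - Azure Elastic SAN") to title case ("Manage Customer-Managed Keys - Azure Elastic SAN"), while the sibling article edited in this same commit keeps a sentence-case title ("Encryption options for Azure Elastic SAN"); pick one casing convention for both titles or say why this one differs. The `ms.date` bump to 01/13/2026 matches the other file.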
@@ -25,7 +25,7 @@ You control all aspects of your key encryption keys, including:
25
25
This article explains how to manage your customer-managed KEKs.
26
26
27
27
> [!NOTE]
28
-
> Envelope encryption allows you to change your key configuration without impacting your Elastic SAN volumes. When you make a change, the Elastic SAN service re-encrypts the data encryption keys with the new keys. The protection of the data encryption key changes, but the data in your Elastic SAN volumes remain encrypted at all times. There is no additional action required on your part to ensure that your data is protected. Changing the key configuration doesn't impact performance, and there is no downtime associated with such a change.
28
+
> Envelope encryption allows you to change your key configuration without impacting your Elastic SAN volumes. When you make a change, the Elastic SAN service re-encrypts the data encryption keys by using the new keys. The protection of the data encryption key changes, but the data in your Elastic SAN volumes remains encrypted at all times. There's no extra action required on your part to ensure that your data is protected. Changing the key configuration doesn't impact performance, and there's no downtime associated with such a change.
29
29
30
30
## Limitations
31
31
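Review bot: the rewritten note says the service "re-encrypts the data encryption keys by using the new keys" (plural), while the overview article in this commit describes the same operation as re-encrypting "the data encryption key by using the new KEK" (singular); align the two so a reader does not infer two different key hierarchies. The `remains` fix (treating `data` as singular) is consistent with "is encrypted" used elsewhere in this article.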
@@ -37,48 +37,48 @@ You can change the key that you're using for Azure Elastic SAN encryption at any
37
37
38
38
# [PowerShell](#tab/azure-powershell)
39
39
40
-
To change the key with PowerShell, call [Update-AzElasticSanVolumeGroup](/powershell/module/az.elasticsan/update-azelasticsanvolumegroup) and provide the new key name and version. If the new key is in a different key vault, then you must also update the key vault URI.
40
+
To change the key by using PowerShell, call [Update-AzElasticSanVolumeGroup](/powershell/module/az.elasticsan/update-azelasticsanvolumegroup) and provide the new key name and version. If the new key is in a different key vault, update the key vault URI.
41
41
42
42
# [Azure CLI](#tab/azure-cli)
43
43
44
-
To change the key with Azure CLI, call [az elastic-san volume-group update](/cli/azure/elastic-san/volume-group#az-elastic-san-volume-group-update) and provide the new key name and version. If the new key is in a different key vault, then you must also update the key vault URI.
44
+
To change the key by using Azure CLI, call [az elastic-san volume-group update](/cli/azure/elastic-san/volume-group#az-elastic-san-volume-group-update) and provide the new key name and version. If the new key is in a different key vault, update the key vault URI.
45
45
46
46
---
47
47
48
-
If the new key is in a different key vault, you must [grant the managed identity access to the key in the new vault](elastic-san-configure-customer-managed-keys.md#choose-a-managed-identity-to-authorize-access-to-the-key-vault). If you opt for manual updating of the key version, you'll also need to [update the key vault URI](elastic-san-configure-customer-managed-keys.md#manual-key-version-rotation).
48
+
If the new key is in a different key vault, [grant the managed identity access to the key in the new vault](elastic-san-configure-customer-managed-keys.md#choose-a-managed-identity-to-authorize-access-to-the-key-vault). If you opt for manual updating of the key version, you'll also need to [update the key vault URI](elastic-san-configure-customer-managed-keys.md#manual-key-version-rotation).
49
49
50
50
## Update the key version
51
51
52
-
Following cryptographic best practices means rotating the key that is protecting your Elastic SAN volume group on a regular schedule, typically at least every two years. Azure Elastic SAN never modifies the key in the key vault, but you can configure a key rotation policy to rotate the key according to your compliance requirements. For more information, see [Configure cryptographic key auto-rotation in Azure Key Vault](/azure/key-vault/keys/how-to-configure-key-rotation).
52
+
Following cryptographic best practices means rotating the key that protects your Elastic SAN volume group on a regular schedule, typically at least every two years. Azure Elastic SAN never modifies the key in the key vault, but you can configure a key rotation policy to rotate the key according to your compliance requirements. For more information, see [Configure cryptographic key auto-rotation in Azure Key Vault](/azure/key-vault/keys/how-to-configure-key-rotation).
53
53
54
-
After the key is rotated in the key vault, the customer-managed KEK configuration for your Elastic SAN volume group must be updated to use the new key version. Customer-managed keys support both automatic and manual updating of the KEK version. You can decide which approach you want to use when you initially configure customer-managed keys, or when you update your configuration.
54
+
After the key is rotated in the key vault, update the customer-managed KEK configuration for your Elastic SAN volume group to use the new key version. Customer-managed keys support both automatic and manual updating of the KEK version. You can decide which approach you want to use when you initially configure customer-managed keys or when you update your configuration.
55
55
56
56
When you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Elastic SAN volume group remains encrypted at all times. There's no extra action required on your part to ensure that your data is protected. Rotating the key version doesn't impact performance, and there's no downtime associated with rotating the key version.
57
57
58
58
> [!IMPORTANT]
59
-
> To rotate a key, create a new version of the key in the key vault according to your compliance requirements. Azure Elastic SAN does not handle key rotation, so you will need to manage rotation of the key in the key vault.
59
+
> To rotate a key, create a new version of the key in the key vault according to your compliance requirements. Azure Elastic SAN doesn't handle key rotation, so you need to manage rotation of the key in the key vault.
60
60
>
61
-
> When you rotate the key used for customer-managed keys, that action is not currently logged to the Azure Monitor logs for Azure Elastic SAN.
61
+
> When you rotate the key used for customer-managed keys, that action isn't currently logged to the Azure Monitor logs for Azure Elastic SAN.
62
62
63
63
### Automatically update the key version
64
64
65
65
To automatically update a customer-managed key when a new version is available, omit the key version when you enable encryption with customer-managed keys for the Elastic SAN volume group. If the key version is omitted, then Azure Elastic SAN checks the key vault daily for a new version of a customer-managed key. If a new key version is available, then Azure Elastic SAN automatically uses the latest version of the key.
66
66
67
-
Azure Elastic SAN checks the key vault for a new key version only once daily. When you rotate a key, be sure to wait 24 hours before disabling the older version.
67
+
Azure Elastic SAN checks the key vault for a new key version only once daily. When you rotate a key, wait 24 hours before disabling the older version.
68
68
69
-
If the Elastic SAN volume group was previously configured for manual updating of the key version and you want to change it to update automatically, you might need to explicitly change the key version to an empty string. For details on how to do this, see [Manual key version rotation](elastic-san-configure-customer-managed-keys.md#manual-key-version-rotation).
69
+
If you previously configured the Elastic SAN volume group for manual updating of the key version and you want to change it to update automatically, you might need to explicitly change the key version to an empty string. For details on how to do this, see [Manual key version rotation](elastic-san-configure-customer-managed-keys.md#manual-key-version-rotation).
70
70
71
71
### Manually update the key version
72
72
73
-
To use a specific version of a key for Azure Elastic SAN encryption, specify that key version when you enable encryption with customer-managed keys for the Elastic SAN volume group. If you specify the key version, then Azure Elastic SAN uses that version for encryption until you manually update the key version.
73
+
To use a specific version of a key for Azure Elastic SAN encryption, specify that key version when you enable encryption by using customer-managed keys for the Elastic SAN volume group. If you specify the key version, Azure Elastic SAN uses that version for encryption until you manually update the key version.
74
74
75
-
When the key version is explicitly specified, then you must manually update the Elastic SAN volume group to use the new key version URI when a new version is created. To learn how to update the Elastic SAN volume group to use a new version of the key, see [Configure encryption with customer-managed keys stored in Azure Key Vault](elastic-san-configure-customer-managed-keys.md).
75
+
When you explicitly specify the key version, you must manually update the Elastic SAN volume group to use the new key version URI when a new version is created. For more information about how to update the Elastic SAN volume group to use a new version of the key, see [Configure encryption with customer-managed keys stored in Azure Key Vault](elastic-san-configure-customer-managed-keys.md).
76
76
77
77
## Revoke access to a volume group that uses customer-managed keys
78
78
79
-
To temporarily revoke access to an Elastic SAN volume group that is using customer-managed keys, disable the key currently being used in the key vault. There's no performance impact or downtime associated with disabling and reenabling the key.
79
+
To temporarily revoke access to an Elastic SAN volume group that uses customer-managed keys, disable the key currently used in the key vault. Disabling and reenabling the key has no performance impact or downtime.
80
80
81
-
After the key has been disabled, clients can't call operations that read from or write to volumes in the volume group or their metadata.
81
+
After you disable the key, clients can't call operations that read from or write to volumes in the volume group or their metadata.
82
82
83
83
<!--- For information about which operations will fail, see [Revoke access to a Elastic SAN volume group that uses customer-managed keys](../articles/storage/common/customer-managed-keys-overview.md).
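Review bot: the IMPORTANT block's second line ("that action isn't currently logged to the Azure Monitor logs for Azure Elastic SAN") tells the reader about a monitoring gap but not where a rotation can be audited instead; since the line before it already sends the reader to the key vault to create the new key version, consider adding a pointer to the key vault's own logging so operators still have an audit trail of rotations. Two smaller points in the same hunk: under "Automatically update the key version", the 24-hour wait before disabling the older version is the one step whose omission has a real consequence (the service checks only once daily, and the "Revoke access" section of this same article says a disabled in-use key blocks reads and writes), so stating that consequence in one clause would help; and "Disabling and reenabling the key has no performance impact or downtime" reads oddly directly above "clients can't call operations that read from or write to volumes", so make clear that the no-downtime statement is about the key operation itself, not about client access, which the next sentence says is blocked.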
articles/storage/elastic-san/elastic-san-encryption-overview.md
Lines changed: 13 additions & 9 deletions
@@ -2,34 +2,38 @@
2
2
title: Encryption options for Azure Elastic SAN
3
3
description: Use platform-managed keys for the encryption of your Elastic SAN volumes or use customer-managed keys to manage encryption with your own keys.
4
4
author: roygara
5
-
ms.date: 05/31/2024
5
+
ms.date: 01/13/2026
6
6
ms.topic: concept-article
7
7
ms.author: rogarana
8
8
ms.service: azure-elastic-san-storage
9
9
# Customer intent: "As a cloud architect, I want to choose between platform-managed and customer-managed keys for encryption, so that I can meet my organization's specific security and compliance requirements for data stored in Azure Elastic SAN."
10
10
---
11
11
12
-
# Learn about encryption for an Azure Elastic SAN
12
+
# Encryption options for Azure Elastic SAN
13
13
14
14
Azure Elastic SAN uses server-side encryption (SSE) to automatically encrypt data stored in an Elastic SAN. SSE protects your data and helps you meet your organizational security and compliance requirements.
15
15
16
-
Data in Azure Elastic SAN volumes is encrypted and decrypted transparently using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), one of the strongest block ciphers available, and is FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure data encryption, see [Cryptography API: Next Generation](/windows/desktop/seccng/cng-portal).
16
+
Data in Azure Elastic SAN volumes is encrypted and decrypted transparently by using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), one of the strongest block ciphers available, and is FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure data encryption, see [Cryptography API: Next Generation](/windows/desktop/seccng/cng-portal).
17
17
18
-
SSE is enabled by default and can't be disabled. SSE can't be disabled, doesn't impact the performance of your Elastic SAN, and has no extra cost associated with it.
18
+
SSE is enabled by default and can't be disabled. SSE doesn't impact the performance of your Elastic SAN and has no extra cost associated with it.
19
19
20
20
## About encryption key management
21
21
22
-
There are two kinds of encryption keys available: platform-managed keys and customer-managed keys. Data written to an Elastic SAN volume is encrypted with platform-managed (Microsoft-managed) keys by default. If you prefer, you can use [Customer-managed keys](#customer-managed-keys) instead, if you have specific organizational security and compliance requirements.
22
+
Two kinds of encryption keys are available: platform-managed keys and customer-managed keys. Data written to an Elastic SAN volume is encrypted by default with platform-managed (Microsoft-managed) keys. If you prefer, you can use [Customer-managed keys](#customer-managed-keys) instead, if you have specific organizational security and compliance requirements.
23
23
24
-
When you configure a volume group, you can choose to use either platform-managed or customer-managed keys. All volumes in a volume group inherit the volume group's configuration. You can switch between customer-managed and platform-managed keys at any time. If you switch between these key types, the Elastic SAN service re-encrypts the data encryption key with the new KEK. The protection of the data encryption key changes, but the data in your Elastic SAN volumes always remains encrypted. There's no extra action required on your part to ensure that your data is protected.
24
+
When you configure a volume group, you can choose to use either platform-managed or customer-managed keys. All volumes in a volume group inherit the volume group's configuration. You can switch between customer-managed and platform-managed keys at any time. If you switch between these key types, the Elastic SAN service re-encrypts the data encryption key by using the new KEK. The protection of the data encryption key changes, but the data in your Elastic SAN volumes always remains encrypted. You don't need to take any extra action to ensure that your data is protected.
25
+
26
+
## Platform-managed keys
27
+
28
+
By default, Azure Elastic SAN uses platform-managed encryption keys. All Elastic SANs and their underlying resources and data are automatically encrypted-at-rest with platform-managed keys. Platform-managed keys are managed by Microsoft.
25
29
26
30
## Customer-managed keys
27
31
28
-
If you use customer-managed keys, you must use either an [Azure Key Vault](/azure/key-vault/general/overview) to store it.
32
+
If you use customer-managed keys, you must use an [Azure Key Vault](/azure/key-vault/general/overview) to store the key.
29
33
30
-
You can either create and import [your own RSA keys](/azure/key-vault/keys/hsm-protected-keys) and store them in your Azure Key Vault, or you can generate new RSA keys using Azure Key Vault. You can use the Azure Key Vault APIs or management interfaces to generate your keys. The Elastic SAN and the key vault can be in different regions and subscriptions, but they must be in the same Microsoft Entra ID tenant.
34
+
You can either create and import [your own RSA keys](/azure/key-vault/keys/hsm-protected-keys) and store them in your Azure Key Vault, or you can generate new RSA keys by using Azure Key Vault. You can use the Azure Key Vault APIs or management interfaces to generate your keys. The Elastic SAN and the key vault can be in different regions and subscriptions, but they must be in the same Microsoft Entra ID tenant.
31
35
32
-
The following diagram shows how Azure Elastic SAN uses Microsoft Entra ID and a key vault to make requests using the customer-managed key:
36
+
The following diagram shows how Azure Elastic SAN uses Microsoft Entra ID and a key vault to make requests by using the customer-managed key:
33
37
34
38
:::image type="content" source="media/customer-managed-keys-overview/encryption-customer-managed-keys-diagram.png" alt-text="Diagram showing how customer-managed keys work in Azure Elastic SAN." lightbox="media/customer-managed-keys-overview/encryption-customer-managed-keys-diagram.png":::
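Review bot: on the `+` line "Data in Azure Elastic SAN volumes is encrypted and decrypted transparently by using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant", the grammatical subject of "is FIPS 140-2 compliant" is "Data"; compliance applies to the cryptographic module, not to the data, so suggest wording such as "by using 256-bit AES encryption in FIPS 140-2 compliant cryptographic modules" (the following sentence about CNG already points at the modules). In the added "Platform-managed keys" paragraph, "encrypted-at-rest" should be "encrypted at rest" (no hyphens in predicate position), and "Platform-managed keys are managed by Microsoft" only repeats the preceding parenthetical "(Microsoft-managed)". The H1 now matching the `title:` metadata and the removal of the duplicated "SSE can't be disabled" clause are both good fixes.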