
Encrypt Storage Acct with customer managed key (CMK)

encrypt storage with cmk

I was working on a task to encrypt an Azure Storage account with customer-managed keys (CMK) stored in Azure Key Vault.

The ARM template is attached below; change the parameter values to match your environment.

 

Parameters

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
       "parameters": {
      "keyName": {
        "type": "string",
        "defaultValue": "keyname"
      },
      "keyvaultName": {
        "type": "string",
        "defaultValue": "key vault name"
      },
      "keyVersion": {
        "type": "string",
        "defaultValue": ""
      },
      "location": {
        "type": "string",
        "defaultValue": "[resourceGroup().location]"
      },
    
      "strgacct": {
        "type": "string",
        "defaultValue": "storage account name"
      },
      "attributes": {
        "type": "object",
        "defaultValue": {},
        "metadata": {
            "description": "The attributes of a key managed by the key vault service."
        }
      }
    "crv": {
        "type": "string",
        "defaultValue": "",
        "allowedValues": [
            "",
            "P-256",  
            "P-256K", 
            "P-384",  
            "P-521" 
        ],
        "metadata": {
            "description": "Elliptic curve name."
        }
    },
    "key_ops": {
        "type": "array",
        "defaultValue": [],
        "metadata": {
            "description": "JSON web key operations. Operations include: 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'"
        }
    },
    "key_size": {
        "type": "int",
        "defaultValue": 4096,
        "metadata": {
            "description": "The key size in bits. For example: 2048, 3072, or 4096 for RSA."
        }
    },
    "kty": {
        "type": "string",
        "defaultValue": "RSA",
        "allowedValues": [
            "EC",    
            "EC-HSM",
            "RSA",   
            "RSA-HSM"
        ],
        "metadata": {
            "description": "The type of key to create"
        }
    },
    "tags": {
        "type": "object",
        "defaultValue": {},
        "metadata": {
            "description": "Tags to be assigned to the Key."
        }
    }



},
    "resources": []
}

Next we will create the resources we need:

  • Storage Account
  • Key vault
  • Keys
"resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "sku": {
              "name": "Standard_LRS",
              "tier": "Standard"
            },
            "kind": "Storage",
            "name": "[parameters('strgacct')]",
            "apiVersion": "2019-06-01",
            "location": "[parameters('location')]",
            "identity": {
              "type": "SystemAssigned"
            },
            "properties": {
              "supportsHttpsTrafficOnly": false
            },
            "dependsOn": []
          },  
      {
        "type": "Microsoft.KeyVault/vaults",
        "name": "[parameters('keyvaultName')]",
        "apiVersion": "2016-10-01",
        "location": "[parameters('location')]",
        "properties": {
          "sku": {
            "family": "A",
            "name": "standard"
          },
          "tenantId": "[subscription().tenantid]",
          "accessPolicies": [],
                "enabledForDeployment":false,
                "enabledForDiskEncryption":false,
                "enabledForTemplateDeployment":true,
                "enableSoftDelete":true,
                "enablePurgeProtection": true
        },
        "dependsOn": [
         "[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]"
        ]
      },
      {
        "type": "Microsoft.KeyVault/vaults/keys",
        "apiVersion": "2019-09-01",
        "name": "[concat(parameters('keyvaultname'), '/', parameters('keyName'))]",
        "properties": {
            "attributes": "[parameters('attributes')]",
            "crv": "[parameters('crv')]",
            "kty": "[parameters('kty')]",
            "key_ops": "[parameters('key_ops')]",
            "key_size": "[parameters('key_size')]"
        },
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]",
            "[resourceId('Microsoft.KeyVault/vaults/', parameters('keyvaultname'))]"
        ]
    }
]

After this we use a nested template to update the storage account so that it encrypts data with the Key Vault key. The nested deployment first grants the storage account's system-assigned identity the `get`, `wrapKey` and `unwrapKey` key permissions on the vault, then points the storage account's encryption settings at the key.

{
        "type": "Microsoft.Resources/deployments",
        "apiVersion": "2019-07-01",
        "name": "updateStorageAccount",
        "dependsOn": [
          "[resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname'))]"
        ],
        "properties": {
          "mode": "Incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "0.1.0.0",
            "resources": [
              {
                "type": "Microsoft.KeyVault/vaults/accessPolicies",
                "name": "[concat(parameters('keyvaultname'), '/add')]",
                "apiVersion": "2019-09-01",
                "properties": {
                  "accessPolicies": [
                    {
                      "tenantId": "[subscription().tenantid]",
                      "objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct')),'2019-06-01', 'full').identity.principalId]",
                      "permissions": {
                        "keys": [
                          "wrapkey",
                          "unwrapkey",
                          "get"
                        ],
                        "secrets": [],
                        "certificates": []
                      }
                    }
                  ]
                }
              },
              {
                "type": "Microsoft.Storage/storageAccounts",
                "sku": {
                  "name": "Standard_LRS",
                  "tier": "Standard"
                },
                "kind": "Storage",
                "name": "[parameters('strgacct')]",
                "apiVersion": "2019-06-01",
                "location": "[parameters('location')]",
                "identity": {
                  "type": "SystemAssigned"
                },
                "properties": {
                  "encryption": {
                    "services": {
                      "file": {
                        "enabled": true
                      },
                      "blob": {
                        "enabled": true
                      }
                    },
                    "keySource": "Microsoft.Keyvault",
                    "keyvaultproperties": {
                      "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname')),'2016-10-01', 'full').properties.vaultUri]",
                      "keyname": "[parameters('keyName')]",
                      "keyversion": "[parameters('keyversion')]"
                    }
                  }
                },
                "dependsOn": [
                  "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyvaultname'), 'add')]"
                ]
              }
            ]
          }
        }
      }

Finally, the complete ARM template to encrypt a storage account with Key Vault keys looks like this. Note that the storage account resource sets `supportsHttpsTrafficOnly` to `false`; set it to `true` unless plain HTTP access is specifically required, since the encryption configured here protects data at rest only, not in transit.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "keyName": {
        "type": "string",
        "defaultValue": "keyname"
      },
      "keyvaultName": {
        "type": "string",
        "defaultValue": "key vault name"
      },
      "keyVersion": {
        "type": "string",
        "defaultValue": ""
      },
      "location": {
        "type": "string",
        "defaultValue": "[resourceGroup().location]"
      },
    
      "strgacct": {
        "type": "string",
        "defaultValue": "storage account name"
      },
      "attributes": {
        "type": "object",
        "defaultValue": {},
        "metadata": {
            "description": "The attributes of a key managed by the key vault service."
        }
      }
    "crv": {
        "type": "string",
        "defaultValue": "",
        "allowedValues": [
            "",
            "P-256",  
            "P-256K", 
            "P-384",  
            "P-521" 
        ],
        "metadata": {
            "description": "Elliptic curve name."
        }
    },
    "key_ops": {
        "type": "array",
        "defaultValue": [],
        "metadata": {
            "description": "JSON web key operations. Operations include: 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'"
        }
    },
    "key_size": {
        "type": "int",
        "defaultValue": 4096,
        "metadata": {
            "description": "The key size in bits. For example: 2048, 3072, or 4096 for RSA."
        }
    },
    "kty": {
        "type": "string",
        "defaultValue": "RSA",
        "allowedValues": [
            "EC",    
            "EC-HSM",
            "RSA",   
            "RSA-HSM"
        ],
        "metadata": {
            "description": "The type of key to create"
        }
    },
    "tags": {
        "type": "object",
        "defaultValue": {},
        "metadata": {
            "description": "Tags to be assigned to the Key."
        }
    }



},

    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "sku": {
              "name": "Standard_LRS",
              "tier": "Standard"
            },
            "kind": "Storage",
            "name": "[parameters('strgacct')]",
            "apiVersion": "2019-06-01",
            "location": "[parameters('location')]",
            "identity": {
              "type": "SystemAssigned"
            },
            "properties": {
              "supportsHttpsTrafficOnly": false
            },
            "dependsOn": []
          },  
      {
        "type": "Microsoft.KeyVault/vaults",
        "name": "[parameters('keyvaultName')]",
        "apiVersion": "2016-10-01",
        "location": "[parameters('location')]",
        "properties": {
          "sku": {
            "family": "A",
            "name": "standard"
          },
          "tenantId": "[subscription().tenantid]",
          "accessPolicies": [],
                "enabledForDeployment":false,
                "enabledForDiskEncryption":false,
                "enabledForTemplateDeployment":true,
                "enableSoftDelete":true,
                "enablePurgeProtection": true
        },
        "dependsOn": [
         "[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]"
        ]
      },
      {
        "type": "Microsoft.KeyVault/vaults/keys",
        "apiVersion": "2019-09-01",
        "name": "[concat(parameters('keyvaultname'), '/', parameters('keyName'))]",
        "properties": {
            "attributes": "[parameters('attributes')]",
            "crv": "[parameters('crv')]",
            "kty": "[parameters('kty')]",
            "key_ops": "[parameters('key_ops')]",
            "key_size": "[parameters('key_size')]"
        },
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct'))]",
            "[resourceId('Microsoft.KeyVault/vaults/', parameters('keyvaultname'))]"
        ]
    },


    
      {
        "type": "Microsoft.Resources/deployments",
        "apiVersion": "2019-07-01",
        "name": "updateStorageAccount",
        "dependsOn": [
          "[resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname'))]"
        ],
        "properties": {
          "mode": "Incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "0.1.0.0",
            "resources": [
              {
                "type": "Microsoft.KeyVault/vaults/accessPolicies",
                "name": "[concat(parameters('keyvaultname'), '/add')]",
                "apiVersion": "2019-09-01",
                "properties": {
                  "accessPolicies": [
                    {
                      "tenantId": "[subscription().tenantid]",
                      "objectId": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('strgacct')),'2019-06-01', 'full').identity.principalId]",
                      "permissions": {
                        "keys": [
                          "wrapkey",
                          "unwrapkey",
                          "get"
                        ],
                        "secrets": [],
                        "certificates": []
                      }
                    }
                  ]
                }
              },
              {
                "type": "Microsoft.Storage/storageAccounts",
                "sku": {
                  "name": "Standard_LRS",
                  "tier": "Standard"
                },
                "kind": "Storage",
                "name": "[parameters('strgacct')]",
                "apiVersion": "2019-06-01",
                "location": "[parameters('location')]",
                "identity": {
                  "type": "SystemAssigned"
                },
                "properties": {
                  "encryption": {
                    "services": {
                      "file": {
                        "enabled": true
                      },
                      "blob": {
                        "enabled": true
                      }
                    },
                    "keySource": "Microsoft.Keyvault",
                    "keyvaultproperties": {
                      "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyvaultname')),'2016-10-01', 'full').properties.vaultUri]",
                      "keyname": "[parameters('keyName')]",
                      "keyversion": "[parameters('keyversion')]"
                    }
                  }
                },
                "dependsOn": [
                  "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyvaultname'), 'add')]"
                ]
              }
            ]
          }
        }
      }
    ]
  }

 


