| Plugin Title | Blob Service Encryption |
| Cloud | AZURE |
| Category | Storage Accounts |
| Description | Ensures encryption is properly configured for Blob Services |
| More Info | Blob Services can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt Blob Services, but the recommended approach is to create your own keys using Azure Key Vault. |
| AZURE Link | https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption |
| Recommended Action | Ensure that Blob Service is configured to use a customer-provided key vault key. |
- Log in to the Microsoft Azure Management Console.
- Select the "Search resources, services, and docs" option at the top and search for "Storage accounts."
- On the "Storage account" page, select the account by clicking on its "Name".
- On the configuration page scroll down the left navigation panel and select "Containers" under "Data Storage."
- Select the "Container" on the "Containers" page.
- Scroll down the "Storage account" navigation panel and select "Encryption" under "Security + networking."
- On the "Encryption page" scroll down and check the "Encryption type". If "Microsoft-managed keys" is selected, then "BYOK encryption" is not configured in the Blob Service Encryption.
- To enable "BYOK encryption" select "Encryption type" as "Customer-managed keys". In the "Encryption key" select option "Select from key vault".
- In the "Key Vault and key" click on the blue hughlighted text "Select a key vault and key".
- On the "Select a key" page, select "Key store type" as "Key vault". In the "Key vault" and "key" options, select the key vault and key from the dropdown or you can create your own key vault and key. Click "Select" button at the end to save the selected options.
- Click on the "Save" button at the end to make the changes.
- Repeat step number 3 - 11 to ensure the Storage Account used by Blob Services is configured with a BYOK key.
