Instructor: Okay, we're almost done here.
We're onto the second to last tab,
which is encryption.
Now the big decision here is who are you going to trust
to manage the encryption of your data
inside your storage account?
So all data is encrypted by default,
and if you don't change the setting,
Microsoft will encrypt your data.
This is called Microsoft-managed keys.
It's also Transparent Data Encryption, TDE.
What that means is that you don't get to interact
with the keys at all.
You don't have access to them.
You upload your files unencrypted,
and Microsoft will store them on the physical hard disk
encrypted, and then when you go to retrieve a file,
it will automatically decrypt it for you
and you'll receive it unencrypted.
So that is a Microsoft-managed key,
and it's the easiest thing to handle.
Now, slightly more complicated
is the concept of customer-managed keys.
Some companies insist on having access
to the security keys.
Maybe they have a policy for changing them
every so many months.
And so customer-managed keys means that you create
and manage the keys.
Microsoft still uses them transparently.
So you provide the file unencrypted,
it encrypts it using your keys.
The way it does this is it stores the key
in what is called a key vault.
Key vault is a special Azure service for handling secrets,
keys, and certificates.
And so you can create a key
using the key vault and reference that key
when it comes time to create your storage account.
So it's not too difficult to create a key in the key vault.
And then from that point forward,
Microsoft will use that key.
The default is Microsoft-managed keys,
and unless you really do wanna manage your keys
and take responsibility for that,
then I would suggest you select that.
Now, if you do go the way of customer-managed keys,
an additional challenge for you
is going to be what services are going to use
your customer-managed keys.
So is it only for blobs and files,
but you're gonna leave tables and queues
using Microsoft-managed keys,
or is it for all service types?
Again, we're gonna leave this as Microsoft-managed keys.
Note that this option cannot be changed
after the storage account is created.
Do you know what's even better
than doing either Microsoft-managed keys encryption or CMK?
Well, that is doing another layer of encryption.
That is the infrastructure encryption option.
It's disabled by default.
You can enable it,
and what that does is it takes your file,
passes it through this first layer of encryption,
and then it takes the resulting encrypted file
and encrypts that before storing it to the hard disk.
So this is obviously very secure,
because, let's say, if someone was to get hold of
that hard disk and they were able to reverse
the encryption on it,
well then they would still only be getting encrypted files
out of that and they would have to reverse it again.
So this is going to make somebody's job
a lot more difficult.
So turning on infrastructure encryption,
if that's what you want, is an option,
and it doesn't cost anything extra.
It may add a little bit more latency
when it comes to the data that you send to Azure,
finally making it to a disk.
But if you're really mostly concerned
with the data that you're sending to Azure being encrypted,
then this is one pretty good option.
Now I have a separate video talking about tags,
so we're not gonna be talking about that.
In the next video, we are going to finally
hit the create button
and get this storage account created.
So come back for that.
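Added example, not part of the instructor's transcript: the same choices the encryption tab offers (customer-managed key held in Key Vault, key type for tables and queues, infrastructure encryption) made with the Az PowerShell module instead of the portal. All resource names are placeholders, and it assumes you are signed in with Connect-AzAccount as a user account and that the resource group already exists.

```powershell
# Added example, not from the video: the encryption tab's choices made with Az PowerShell.
# Assumes Connect-AzAccount has been run as a user account and the resource group exists.
$rg  = 'rg-storage-demo'        # placeholder resource group
$loc = 'eastus'                 # placeholder region
$kv  = 'kv-storage-demo-0001'   # placeholder Key Vault name (must be globally unique)
$sa  = 'stdemo0001'             # placeholder storage account name (3-24 lowercase alphanumerics)
$keyName = 'storage-cmk'        # placeholder key name

# 1. Key Vault for the customer-managed key, using the RBAC permission model. Purge
#    protection keeps a deleted key recoverable, so deleting it cannot take the data with it.
$vault = New-AzKeyVault -Name $kv -ResourceGroupName $rg -Location $loc `
    -EnableRbacAuthorization -EnablePurgeProtection
# The signed-in user needs a key-management role on the vault before creating the key.
New-AzRoleAssignment -SignInName (Get-AzContext).Account.Id `
    -RoleDefinitionName 'Key Vault Crypto Officer' -Scope $vault.ResourceId | Out-Null
$key = Add-AzKeyVaultKey -VaultName $kv -Name $keyName -Destination Software

# 2. Storage account. Infrastructure (double) encryption and the table/queue key type are
#    fixed at creation, as the tab warns. 'Account' makes tables and queues follow the
#    account's key (your CMK) instead of a Microsoft-managed per-service key.
$account = New-AzStorageAccount -ResourceGroupName $rg -Name $sa -Location $loc `
    -SkuName Standard_LRS -Kind StorageV2 -AssignIdentity `
    -RequireInfrastructureEncryption `
    -EncryptionKeyTypeForTable Account -EncryptionKeyTypeForQueue Account

# 3. Least privilege: the account's system-assigned identity gets only the role that
#    allows get/wrap/unwrap on keys, not key creation, deletion or listing.
New-AzRoleAssignment -ObjectId $account.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
    -Scope $vault.ResourceId | Out-Null

# 4. Switch the account from Microsoft-managed keys to the Key Vault key.
#    (Role assignments can take a minute to propagate; retry if Key Vault returns 403.)
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -KeyvaultEncryption `
    -KeyVaultUri $vault.VaultUri -KeyName $key.Name -KeyVersion $key.Version | Out-Null

# 5. Read back what the portal's encryption tab would show for this account.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Encryption
[pscustomobject]@{
    KeySource                = $enc.KeySource
    InfrastructureEncryption = $enc.RequireInfrastructureEncryption
    TableKeyType             = $enc.Services.Table.KeyType
}
```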