How to Validate that All Azure Storage Accounts are Encrypted

If your team is using Azure to store data in the cloud, it’s important that your storage accounts are encrypted to lower the risk from security breaches. If a bad actor isn’t able to read exfiltrated data, your organization has a much stronger security posture.

So, are your Azure storage accounts encrypted? 

In this guide, we’ll show you how to confirm whether your Azure storage accounts are encrypted and update them if necessary.

Understanding Azure Storage Accounts and Encryption Options

An Azure storage account is a service by Microsoft Azure that provides secure, durable, and scalable cloud storage. It includes services such as Blob Storage, File Storage, Queue Storage, and Table Storage; each one supporting a different storage use case.

There are a few different options for encrypting Azure storage accounts. While there are client-side encryption options, service-side encryption is the recommended approach.

By default, storage accounts automatically have service-side encryption with Microsoft-managed keys stored securely, allowing access to data only to authorized users.

If you want greater control over the security of your Blob storage accounts and Azure files, you can set up customer-managed keys, which must be stored in Azure Key Vault or Azure Key Vault Managed Hardware Security Model (HSM). This approach is better, for example, if you have unique key rotation requirements. 

You can also use customer-provided keys for Blob storage accounts, stored in any customer-managed vault. You can read more about the encryption options here.

While there are few different approaches, it’s important to be able to quickly validate that all of your Azure storage accounts are encrypted.

Validating that Azure Storage Accounts Are Encrypted

To check that your Azure storage accounts are encrypted with either method, there are two common approaches you can take — the Azure console or the Azure command-line Interface. 

If you want to skip manual steps, you can scroll down to see how you can save significant time by automating this task and many others with Blink.

Now, let's look at each of these in more detail so you can choose the best approach for your organization.

Using the Azure Console:

To check if your Azure storage accounts are encrypted using the console, follow these steps:

1. Log in to the Azure portal.
2. Click Storage accounts in the left-hand menu.
3. Select a storage account from the list of storage accounts.
4. Click Encryption in the left-hand menu.
5. The Encryption page will show which type of encryption is used to secure the storage account.

If your storage account is encrypted with Microsoft managed keys, the status will show as "Your storage account is currently encrypted with Microsoft managed key by default. You can choose to use your own key."

But if you're already using customer-managed encryption keys, your screen will display a prompt to choose between the Enter key URI and Select from Key Vault options.

Using the Azure CLI:

The Azure CLI is a set of commands used to manage and configure your Azure Storage Accounts. To check if your storage accounts are encrypted using this method, follow these steps:

1. Open the Azure CLI and run the following account show command:

az storage account show

This will list all of your storage accounts in the CLI window.

2. To check the encryption status of a specific storage account, run the following command:

az storage account show --name <storage_account_name> 
--query encryption.keySource

The CLI output will display the type of encryption used for that storage account.

If the storage account is encrypted with customer-managed keys, the command will return Microsoft.KeyVault as the keySource value. Microsoft-managed keys will return Microsoft.Storage instead.

Encrypting Insecure Azure Storage Accounts

If you find that your storage accounts are not encrypted after running the above commands, don't worry. You can encrypt your Azure storage accounts using both methods mentioned above.

First, it's important to determine how you want to encrypt your storage accounts. As we outlined earlier, you can choose between using Microsoft-managed keys or customer-managed keys.

Using the Azure Console

You can encrypt your storage accounts using the Azure console in simple steps. Here is what you need to do:

1. Log in to the Azure portal.
2. Click Storage accounts in the left-hand menu.
3. Select a storage account from the list of storage accounts.
4. Click Encryption in the left-hand menu.
5. Click Enable encryption and then choose the type of encryption you want to use, Microsoft-managed or customer-managed keys.

Setting up the Microsoft-managed keys is a simpler process, as it does not require any external keys or services.

Customer-managed encryption requires using a Key Vault. You must set up a key vault first and then enter the Key Vault URI in the Azure console.

Using the Azure CLI

You can also use the Azure CLI to encrypt your storage accounts:

1. Open the Azure CLI and run the following account update command:

az storage account update --name <storage_account_name> 
--resource-group <resource_group_name> 
--encryption-services blob

This will enable encryption with Microsoft-managed keys on the storage account.

2. To use customer-managed keys, you must run an additional command to retrieve the Key Vault URI and enter it into the storage account. To do this, run the following command:

az storage account update --name <storage_account_name> 
--resource-group <resource_group_name> 
--encryption-keyvault "<Key Vault URI>"
--encryption-services blob

Automating Azure Storage Encryption Checks with Blink

You can work through these steps to validate that your Azure storage accounts are properly encrypted, but if you run this on a regular basis, it becomes time-consuming.

If your organization has a strategy around encryption, you need tools that can support you in managing it at scale.

With Blink, you can run a scheduled automation to check your Azure storage accounts and ensure that they are compliant with your encryption standards.

When this automation runs, it executes the following steps:

1. Checks whether all the storage accounts in your Azure account are encrypted.
2. Sends a report to a designated email address.

It’s a simple automation that’s easy to customize. For example, you can add a conditional step to send a Slack notification to your Azure admin if there are any non-encrypted accounts identified. In that notification, you can embed an approval step to update the account with the proper encryption settings.

There are over 5K automations like this one ready to use in the Blink library, or you can build new automation from scratch to fit unique use cases.  

Get started with Blink today to see how easy automation can be.