Configuring Azure Storage Service Encryption (SSE) can be done through the Azure portal or using PowerShell. Here’s how to configure SSE for Azure Blob Storage using both methods:
Configuring SSE in Azure Portal
- Open the Azure portal and navigate to the storage account you want to configure.
- In the left menu, select “Encryption.”
- Under “Encryption settings,” select “Enabled” for “Service-managed key” to enable SSE with Microsoft-managed keys (SSE-SMK). Alternatively, select “Enabled” for “Customer-managed key” to enable SSE with customer-managed keys (SSE-CMK) and provide the Key Vault details where the encryption keys are stored.
- Click “Save” to save the encryption settings.
Configuring SSE using PowerShell
Here are the steps to configure SSE in Azure Blob Storage using PowerShell:
- Open PowerShell and connect to your Azure account using the command:
Connect-AzAccount - Select the subscription where your storage account is located using the command:
Select-AzSubscription -SubscriptionName <subscription_name> - Get the storage account object using the command:
$storageAccount = Get-AzStorageAccount -ResourceGroupName <resource_group_name> -Name <storage_account_name> - Enable SSE-SMK using the command:
$storageAccount | Set-AzStorageAccount -EnableEncryptionService Blob -UseServiceManagedEncryption $True - Enable SSE-CMK using the command:
$keyVaultUri = "<key_vault_uri>"$keyVaultResourceId = (Get-AzKeyVault -VaultName <key_vault_name>).ResourceId$storageAccount | Set-AzStorageAccount -EnableEncryptionService Blob -KeyVaultPropertyObject @{ KeyName = "key1"; KeyVaultUri = $keyVaultUri; KeyVaultResourceId = $keyVaultResourceId }Note: Replace<key_vault_uri>,<key_vault_name>,<resource_group_name>, and<storage_account_name>with your own values.
That’s it! You have now configured Azure Storage Service Encryption using both the Azure portal and PowerShell.
