Enhance data protection and compliance with customer managed keys

Azure Gov Team

This is the third blog in a three-part series on security in Azure Government co-authored by Robert Jaffee, Sr. Program Manager, and Diego Lapiduz, Chief Information Security Architect, with Microsoft Azure Global Government. (In case you missed them, check out the first and second blogs: Six tips for securing identity in the cloud and Five tips for securing your IaaS workloads.

Secure key management is essential to protecting data in the cloud. With Azure Government, you can use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware).

In addition, customers in regulated industries have frequently asked for the ability to use customer managed keys, and that feature is now available in Azure Government as Azure Storage Service Encryption with customer managed keys.

Storage Service Encryption with customer managed keys uses Azure Key Vault, providing highly available and scalable secure storage for RSA cryptographic keys. Key Vault streamlines the key management process and enables customers to maintain full control of keys used to encrypt data, manage, and audit their key usage.

Customers can enable this feature on all available redundancy types of, including premium storage, and can toggle from using Microsoft managed to using customer managed keys. There is no additional charge for enabling this feature.


  • Use customer managed keys to encrypt Azure Blob and File storage (Queue and Tables not currently supported)
  • Generate or Import FIPS 140-2 compliant Storage Service Encryption keys using Azure Key Vault
  • Key rotation to meet compliance and security standards
  • Revoking the key removes access to Azure storage account

Please note that “Do Not Purge” and “Soft Delete” for customer managed key must be enabled.

Learn more about deploying Storage Encryption with Customer Managed Keys:

Visit this post for step-by-step guidance on deploying Customer Managed keys.

Once deployed you can view your uploaded files using Azure Storage Explorer:

Removing Storage Service Encryption Customer Managed Keys:

Removing your key removes the ability to decrypt the contents of your storage account. You can use the following PowerShell command to remove your key:

$VaultName = "encryptionvault01"

$KeyName = "blobencryptkey1"

Remove-AzureKeyVaultKey -VaultName $VaultName -Name $Keyname -Force

After your key has been removed, if you attempt to access your storage account you will get an error:

If you need to restore access, using PowerShell you can run the following command

$VaultName = "encryptionvault01"

$KeyName = "blobencryptkey1"

Undo-AzureKeyVaultKeyRemoval -VaultName $VaultName -Name $Keyname

Please review the soft-delete feature in the Azure Storage documentation to understand how your data is protected from loss in the case of accidental deletion or malicious deletion. If a key is removed from key vault, it can be re-imported or restored to gain access to your data.

Additional Information:

For additional information please see the blog announcing Storage Service Encryption with customer managed keys or the documentation on encryption at rest with customer managed keys.


We welcome your comments and suggestions to help us improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our blog by clicking “Subscribe by Email!” on the Azure Government Blog.


Discussion is closed.

Feedback usabilla icon