Merge pull request #96741 from tamram/tamram-1120

add encryption FAQ content

Author: tiburd

articles/storage/blobs/TOC.yml

@@ -334,14 +334,24 @@
             href: ../common/storage-account-sas-create-dotnet.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
           - name: Define a stored access policy
             href: ../common/storage-stored-access-policy-define-dotnet.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
-      - name: Use customer-managed keys for encryption
+      - name: Manage Azure Storage encryption
         items:
-        - name: Portal
-          href: ../common/storage-encryption-keys-portal.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
-        - name: PowerShell
-          href: ../common/storage-encryption-keys-powershell.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
-        - name: Azure CLI
-          href: ../common/storage-encryption-keys-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+        - name: Check whether a blob is encrypted
+          href: storage-blob-encryption-status.md
+        - name: Manage encryption keys for the storage account
+          items:
+          - name: Check the encryption key model for the account
+            href: ../common/storage-encryption-key-model-get.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+          - name: Configure customer-managed encryption keys
+            items:  
+            - name: Portal
+              href: ../common/storage-encryption-keys-portal.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+            - name: PowerShell
+              href: ../common/storage-encryption-keys-powershell.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+            - name: Azure CLI
+              href: ../common/storage-encryption-keys-cli.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+        - name: Provide an encryption key on a request
+          href: storage-blob-customer-provided-key.md
       - name: Configure client-side encryption
         items:
         - name: .NET

articles/storage/blobs/media/storage-blob-encryption-status/blob-encryption-property-portal.png

@@ -0,0 +1,72 @@
+---
+title: Specify a customer-provided key on a request to Blob storage with .NET - Azure Storage
+description: Learn how to specify a customer-provided key on a request to Blob storage using .NET.
+services: storage
+author: tamram
+
+ms.service: storage
+ms.topic: how-to
+ms.date: 11/26/2019
+ms.author: tamram
+ms.reviewer: cbrooks
+ms.subservice: common
+---
+
+# Specify a customer-provided key on a request to Blob storage with .NET
+
+Clients making requests against Azure Blob storage have the option to provide an encryption key on an individual request. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys (preview) can be stored in Azure Key Vault or in another key store.
+
+This article shows how to specify a customer-provided key on a request with .NET.
+
+[!INCLUDE [storage-install-packages-blob-and-identity-include](../../../includes/storage-install-packages-blob-and-identity-include.md)]
+
+## Example: Use a customer-provided key to upload a blob
+
+The following example creates a customer-provided key and uses that key to upload a blob. The code uploads a block, then commits the block list to write the blob to Azure Storage.
+
+```csharp
+async static Task UploadBlobWithClientKey(string accountName, string containerName,
+    string blobName, Stream data, byte[] key)
+{
+    const string blobServiceEndpointSuffix = ".blob.core.windows.net";
+    Uri accountUri = new Uri("https://" + accountName + blobServiceEndpointSuffix);
+
+    // Specify the customer-provided key on the options for the client.
+    BlobClientOptions options = new BlobClientOptions()
+    {
+        CustomerProvidedKey = new CustomerProvidedKey(key)
+    };
+
+    // Create a client object for the Blob service, including options.
+    BlobServiceClient serviceClient = new BlobServiceClient(accountUri, 
+        new DefaultAzureCredential(), options);
+
+    // Create a client object for the container.
+    // The container client retains the credential and client options.
+    BlobContainerClient containerClient = serviceClient.GetBlobContainerClient(containerName);
+
+    // Create a new block blob client object.
+    // The blob client retains the credential and client options.
+    BlobClient blobClient = containerClient.GetBlobClient(blobName);
+
+    try
+    {
+        // Create the container if it does not exist.
+        await containerClient.CreateIfNotExistsAsync();
+
+        // Upload the data using the customer-provided key.
+        await blobClient.UploadAsync(data);
+    }
+    catch (RequestFailedException e)
+    {
+        Console.WriteLine(e.Message);
+        Console.ReadLine();
+        throw;
+    }
+}
+```
+
+## Next steps
+
+- [Azure Storage encryption for data at rest](../common/storage-service-encryption.md)
+- [Authorize access to blobs and queues with Azure Active Directory and managed identities for Azure Resources](../common/storage-auth-aad-msi.md)

articles/storage/blobs/storage-blob-customer-provided-key.md

@@ -0,0 +1,97 @@
+---
+title: Check the encryption status of a blob - Azure Storage
+description: Learn how to use Azure portal, PowerShell, or Azure CLI to check whether a given blob is encrypted. If a blob is not encrypted, learn how to use AzCopy to force encryption by downloading and re-uploading the blob.
+services: storage
+author: tamram
+
+ms.service: storage
+ms.topic: how-to
+ms.date: 11/26/2019
+ms.author: tamram
+ms.reviewer: cbrooks
+ms.subservice: common
+---
+
+# Check the encryption status of a blob
+
+Every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017 is encrypted with Azure Storage encryption. Blobs created prior to this date continue to be encrypted by a background process.
+
+This article shows how to determine whether a given blob has been encrypted.
+
+## Check a blob's encryption status
+
+Use the Azure portal, PowerShell, or Azure CLI to determine whether a blob is encrypted without code.
+
+### [Azure portal](#tab/portal)
+
+To use the Azure portal to check whether a blob has been encrypted, follow these steps:
+
+1. In the Azure portal, navigate to your storage account.
+1. Select **Containers** to navigate to a list of containers in the account.
+1. Locate the blob and display its **Overview** tab.
+1. View the **Server Encrypted** property. If **True**, as shown in the following image, then the blob is encrypted. Notice that the blob's properties also include the date and time that the blob was created.
+
+    ![Screenshot showing how to check Server Encrypted property in Azure portal](media/storage-blob-encryption-status/blob-encryption-property-portal.png)
+
+### [PowerShell](#tab/powershell)
+
+To use PowerShell to check whether a blob has been encrypted, check the blob's **IsServerEncrypted** property. Remember to replace placeholder values in angle brackets with your own values:
+
+```powershell
+$account = Get-AzStorageAccount -ResourceGroupName <resource-group> `
+    -Name <storage-account>
+$blob = Get-AzStorageBlob -Context $account.Context `
+    -Container <container> `
+    -Blob <blob>
+$blob.ICloudBlob.Properties.IsServerEncrypted
+```
+
+To determine when the blob was created, check the value of the **Created** property:
+
+```powershell
+$blob.ICloudBlob.Properties.IsServerEncrypted
+```
+
+### [Azure CLI](#tab/cli)
+
+To use Azure CLI to check whether a blob has been encrypted, check the blob's **IsServerEncrypted** property. Remember to replace placeholder values in angle brackets with your own values:
+
+```azurecli-interactive
+az storage blob show \
+    --account-name <storage-account> \
+    --container-name <container> \
+    --name <blob> \
+    --query "properties.serverEncrypted"
+```
+
+To determine when the blob was created, check the value of the **created** property.
+
+---
+
+### Force encryption of a blob
+
+If a blob that was created prior to October 20, 2017 has not yet been encrypted by the background process, you can force encryption to occur immediately by downloading and re-uploading the blob. A simple way to do this is with AzCopy.
+
+To download a blob to your local file system with AzCopy, use the following syntax:
+
+```
+azcopy copy 'https://<storage-account-name>.<blob or dfs>.core.windows.net/<container-name>/<blob-path>' '<local-file-path>'
+
+Example:
+azcopy copy 'https://storagesamples.blob.core.windows.net/sample-container/blob1.txt' 'C:\temp\blob1.txt'
+```
+
+To re-upload the blob to Azure Storage with AzCopy, use the following syntax:
+
+```
+azcopy copy '<local-file-path>' 'https://<storage-account-name>.<blob or dfs>.core.windows.net/<container-name>/<blob-name>'
+
+Example:
+azcopy copy 'C:\temp\blob1.txt' 'https://storagesamples.blob.core.windows.net/sample-container/blob1.txt'
+```
+
+For more information about using AzCopy to copy blob data, see [Transfer data with AzCopy and Blob storage](../common/storage-use-azcopy-blobs.md).
+
+## Next steps
+
+[Azure Storage encryption for data at rest](../common/storage-service-encryption.md)

articles/storage/blobs/storage-blob-encryption-status.md

@@ -99,19 +99,7 @@ The Azure Identity client library reads values from three environment variables
 
 For more information, see [Create identity for Azure app in portal](../../active-directory/develop/howto-create-service-principal-portal.md).
 
-## Install client library packages
-
-The examples in this article use the latest version of the Azure Storage client library for Blob storage. To install the package, run the following command from the NuGet package manager console:
-
-```powershell
-Install-Package Azure.Storage.Blobs
-```
-
-The examples in this article also use the latest version of the [Azure Identity client library for .NET](https://www.nuget.org/packages/Azure.Identity/) to authenticate with Azure AD credentials. To install the package, run the following command from the NuGet package manager console:
-
-```powershell
-Install-Package Azure.Identity
-```
+[!INCLUDE [storage-install-packages-blob-and-identity-include](../../../includes/storage-install-packages-blob-and-identity-include.md)]
 
 ## .NET code example: Create a block blob
 

articles/storage/common/media/storage-encryption-key-model-get/customer-managed-encryption-key-setting-portal.png

@@ -32,8 +32,13 @@ Each authorization option is briefly described below:
 
 - **Azure AD Domain Services (DS) integration (preview)** for files. Azure Files supports identity-based authentication over Server Message Block (SMB) through Azure AD DS. This provides RBAC for fine-grained control over a client's access to resources in a storage account. For more information regarding Azure AD integration for files using domain services, see [Overview of Azure Files Azure Active Directory Domain Service (AAD DS) Authentication Support for SMB Access (preview)](../files/storage-files-active-directory-overview.md).
 
-- **Shared Key authorization** for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see [Authorize with Shared Key](https://docs.microsoft.com/rest/api/storageservices/authenticate-with-shared-key/).
+- **Shared Key authorization** for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authenticate-with-shared-key/).
 - **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account. Adding constraints on the time interval for which the signature is valid or on permissions it grants provides flexibility in managing access. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).
 - **Anonymous public read access** for containers and blobs. Authorization is not required. For more information, see [Manage anonymous read access to containers and blobs](../blobs/storage-manage-access-to-resources.md).  
 
-By default, all resources in Azure Storage are secured, and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to resources in your storage account, Microsoft recommends using Azure AD when possible for maximum security and ease of use. 
+By default, all resources in Azure Storage are secured, and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to resources in your storage account, Microsoft recommends using Azure AD when possible for maximum security and ease of use.
+
+## Next steps
+
+- [Azure Active Directory documentation](/azure/active-directory/)
+- [Evolution of Microsoft identity platform](/azure/active-directory/develop/about-microsoft-identity-platform)

articles/storage/common/storage-auth-aad-msi.md

@@ -0,0 +1,71 @@
+---
+title: Determine which encryption key model is in use for the storage account - Azure Storage
+description: Use Azure portal, PowerShell, or Azure CLI to check how encryption keys are being managed for the storage account. Keys may be managed by Microsoft (the default), or by the customer. Customer-managed keys must be stored in Azure Key Vault.
+services: storage
+author: tamram
+
+ms.service: storage
+ms.topic: how-to
+ms.date: 11/26/2019
+ms.author: tamram
+ms.reviewer: cbrooks
+ms.subservice: common
+---
+
+# Determine which Azure Storage encryption key model is in use for the storage account
+
+Data in your storage account is automatically encrypted by Azure Storage. Azure Storage encryption offers two options for managing encryption keys at the level of the storage account:
+
+- **Microsoft-managed keys.** By default, Microsoft manages the keys used to encrypt your storage account.
+- **Customer-managed keys.** You can optionally choose to manage encryption keys for your storage account. Customer-managed keys must be stored in Azure Key Vault.
+
+Additionally, you can provide an encryption key at the level of an individual request for some Blob storage operations. When an encryption key is specified on the request, that key overrides the encryption key that is active on the storage account. For more information, see [Specify a customer-provided key on a request to Blob storage](../blobs/storage-blob-customer-provided-key.md).
+
+For more information about encryption keys, see [Azure Storage encryption for data at rest](storage-service-encryption.md).
+
+## Check the encryption key model for the storage account
+
+To determine whether a storage account is using Microsoft-managed keys or customer-managed keys for encryption, use one of the following approaches.
+
+# [Azure portal](#tab/portal)
+
+To check the encryption model for the storage account by using the Azure portal, follow these steps:
+
+1. In the Azure portal, navigate to your storage account.
+1. Select the **Encryption** setting and note the setting.
+
+The following image shows a storage account where customer-managed keys are in use for encryption:
+
+![Screenshot showing encryption key setting in Azure portal](media/storage-encryption-key-model-get/customer-managed-encryption-key-setting-portal.png)
+
+# [PowerShell](#tab/powershell)
+
+To check the encryption model for the storage account by using PowerShell, call the [Get-AzStorageAccount](/powershell/module/az.storage/get-azstorageaccount) command, then check the **KeySource** property for the account.
+
+```powershell
+$account = Get-AzStorageAccount -ResourceGroupName <resource-group> `
+    -Name <storage-account>
+$account.Encryption.KeySource
+```
+
+If the value of the **KeySource** property is `Microsoft.Storage`, then the account is encrypted with Microsoft-managed keys. If the value of the **KeySource** property is `Microsoft.Keyvault`, then the account is encrypted with customer-managed keys.
+
+# [Azure CLI](#tab/cli)
+
+To check the encryption model for the storage account by using Azure CLI, call the [az storage account show](/cli/azure/storage/account#az-storage-account-show) command, then check the **keySource** property for the account.
+
+```azurecli-interactive
+key_source=$(az storage account show \
+    --name <storage-account> \
+    --resource-group <resource-group> \
+    --query encryption.keySource \
+    --output tsv)
+```
+
+If the value of the **keySource** property is `Microsoft.Storage`, then the account is encrypted with Microsoft-managed keys. If the value of the **keySource** property is `Microsoft.Keyvault`, then the account is encrypted with customer-managed keys.
+
+---
+
+## Next steps
+
+[Azure Storage encryption for data at rest](storage-service-encryption.md)

articles/storage/common/storage-auth.md

@@ -1,22 +1,22 @@
 ---
-title: Configure customer-managed keys for Azure Storage encryption from Azure CLI
-description: Learn how to use Azure CLI to configure customer-managed keys for Azure Storage encryption. Customer-managed keys enable you to create, rotate, disable, and revoke access controls.
+title: Configure customer-managed keys with Azure Key Vault by using Azure CLI - Azure Storage
+description: Learn how to use Azure CLI to configure customer-managed keys with Azure Key Vault for Azure Storage encryption. Customer-managed keys enable you to create, rotate, disable, and revoke access controls.
 services: storage
 author: tamram
 
 ms.service: storage
-ms.topic: conceptual
-ms.date: 10/15/2019
+ms.topic: how-to
+ms.date: 11/20/2019
 ms.author: tamram
 ms.reviewer: cbrooks
 ms.subservice: common
 ---
 
-# Configure customer-managed keys for Azure Storage encryption from Azure CLI
+# Configure customer-managed keys for Azure Storage by using Azure CLI
 
 [!INCLUDE [storage-encryption-configure-keys-include](../../../includes/storage-encryption-configure-keys-include.md)]
 
-This article shows how to configure a key vault with customer-managed keys using Azure CLI.
+This article shows how to configure an Azure Key Vault with customer-managed keys using Azure CLI. To learn how to create a key vault using  Azure CLI, see [Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI](../../key-vault/quick-create-cli.md).
 
 > [!IMPORTANT]
 > Using customer-managed keys with Azure Storage encryption requires that two properties be set on the key vault, **Soft Delete** and **Do Not Purge**. These properties are not enabled by default. To enable these properties, use either PowerShell or Azure CLI.

articles/storage/common/storage-encryption-key-model-get.md

@@ -1,22 +1,22 @@
 ---
-title: Configure customer-managed keys for Azure Storage encryption from the Azure portal
-description: Learn how to use the Azure portal to configure customer-managed keys for Azure Storage encryption. Customer-managed keys enable you to create, rotate, disable, and revoke access controls.
+title: Configure customer-managed keys with Azure Key Vault by using the Azure portal - Azure Storage
+description: Learn how to use the Azure portal to configure customer-managed keys with Azure Key Vault for Azure Storage encryption. Customer-managed keys enable you to create, rotate, disable, and revoke access controls.
 services: storage
 author: tamram
 
 ms.service: storage
-ms.topic: article
-ms.date: 10/15/2019
+ms.topic: how-to
+ms.date: 11/20/2019
 ms.author: tamram
 ms.reviewer: cbrooks
 ms.subservice: common
 ---
 
-# Configure customer-managed keys for Azure Storage encryption from the Azure portal
+# Configure customer-managed keys for Azure Storage by using the Azure portal
 
 [!INCLUDE [storage-encryption-configure-keys-include](../../../includes/storage-encryption-configure-keys-include.md)]
 
-This article shows how to configure a key vault with customer-managed keys using the [Azure portal](https://portal.azure.com/). To learn how to create a key vault using the Azure portal, see [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../../key-vault/quick-create-portal.md). 
+This article shows how to configure an Azure Key Vault with customer-managed keys using the [Azure portal](https://portal.azure.com/). To learn how to create a key vault using the Azure portal, see [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../../key-vault/quick-create-portal.md).
 
 > [!IMPORTANT]
 > Using customer-managed keys with Azure Storage encryption requires that two properties be set on the key vault, **Soft Delete** and **Do Not Purge**. These properties are not enabled by default. To enable these properties, use either PowerShell or Azure CLI.