|
1 | 1 | --- |
2 | | -title: Configure customer-managed keys for encrypting your application source at rest |
3 | | -description: Encrypt your application data in Azure Storage and deploy using Run From Package. |
| 2 | +title: Encrypt your application source at rest |
| 3 | +description: Encrypt your application data in Azure Storage and deploy it as a package file. |
4 | 4 | ms.topic: article |
5 | 5 | ms.date: 03/06/2020 |
6 | 6 | --- |
7 | 7 |
|
8 | 8 | # Encryption at rest using customer-managed keys |
9 | 9 |
|
10 | | -Encrypting your Webapp's application data at rest requires an Azure Storage Account and an Azure Key Vault. These services will be used in conjunction with Run From Package. |
| 10 | +Encrypting your web app's application data at rest requires an Azure Storage Account and an Azure Key Vault. These services are used when you run your app from a deployment package. |
11 | 11 |
|
12 | | - - [Azure Storage provides Encryption at Rest](https://docs.microsoft.com/azure/storage/common/storage-service-encryption). You can use system-provided keys or your own, customer-managed keys. This is where your application data will be stored when it is not running in an Azure Webapp. |
13 | | - - [Run From Package]((https://docs.microsoft.com/azure/app-service/deploy-run-package)) is a deployment feature of App Service. It allows you to deploy your site content from an Azure Storage Account using a Shared Access Signature (SAS) URL. |
14 | | - - [Key Vault References](https://docs.microsoft.com/azure/app-service/app-service-key-vault-reference) are a security feature of App Service. It allows you to import secrets at runtime as app settings. This will be used to encrypt the SAS URL of your Azure Storage Account. |
| 12 | + - [Azure Storage provides encryption at rest](../storage/common/storage-service-encryption.md). You can use system-provided keys or your own, customer-managed keys. This is where your application data is stored when it's not running in a web app in Azure. |
| 13 | + - [Running from a deployment package](deploy-run-package.md) is a deployment feature of App Service. It allows you to deploy your site content from an Azure Storage Account using a Shared Access Signature (SAS) URL. |
| 14 | + - [Key Vault references](app-service-key-vault-reference.md) are a security feature of App Service. It allows you to import secrets at runtime as app settings. Use this to encrypt the SAS URL of your Azure Storage Account. |
15 | 15 |
|
16 | 16 | ## Create an Azure Storage account |
17 | 17 |
|
18 | | -First, follow [these instructions](https://docs.microsoft.com/azure/storage/common/storage-service-encryption#customer-managed-keys-with-azure-key-vault) to create an Azure Storage Account and encrypt it with Customer Managed Keys. Once the Storage Account is created, use the [Azure Storage Explorer](https://docs.microsoft.com/azure/vs-azure-tools-storage-manage-with-storage-explorer) to upload package files. |
| 18 | +First, follow [these instructions](../storage/common/storage-service-encryption.md#customer-managed-keys-with-azure-key-vault) to create an Azure Storage account and encrypt it with customer managed keys. Once the storage account is created, use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload package files. |
19 | 19 |
|
20 | | -Next, use the Storage Explorer to [generate a Shared Access Signature](https://docs.microsoft.com/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows#generate-a-sas-in-storage-explorer) (SAS). Save this SAS URL, this will later be used to enable the App Service runtime to access the package securely. |
| 20 | +Next, use the Storage Explorer to [generate an SAS](../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#generate-a-sas-in-storage-explorer). Save this SAS URL, this is used later to enable secure access of the deployment package at runtime. |
21 | 21 |
|
22 | | -## Configure Run From Package with your storage account |
| 22 | +## Configure running from a package from your storage account |
23 | 23 |
|
24 | 24 | Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` app setting to the SAS URL. The following example does it by using Azure CLI: |
25 | 25 |
|
26 | 26 | ``` |
27 | 27 | az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="<your-SAS-URL>" |
28 | 28 | ``` |
29 | 29 |
|
30 | | -Adding this app setting will cause your Webapp to restart. Once the Webapp has restarted, browse to it to ensure the application has correctly started with the package in the Storage Account. If the application does not start correctly, see the [Run From Package troubleshooting guide](https://docs.microsoft.com/azure/app-service/deploy-run-package#troubleshooting). |
| 30 | +Adding this app setting causes your web app to restart. After the app has restarted, browse to it and make sure that the app has started correctly using the deployment package. If the application didn't start correctly, see the [Run from package troubleshooting guide](deploy-run-package.md#troubleshooting). |
31 | 31 |
|
32 | | -## Encrypt the application setting using Key Vault References |
| 32 | +## Encrypt the application setting using Key Vault references |
33 | 33 |
|
34 | | -Now we will replace the value for `WEBSITE_RUN_FROM_PACKAGE` with a Key Vault reference to the SAS-encoded URL. This will keep the SAS URL encrypted in Key Vault, providing an extra layer of security. |
| 34 | +Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application setting with a Key Vault reference to the SAS-encoded URL. This keeps the SAS URL encrypted in Key Vault, which provides an extra layer of security. |
35 | 35 |
|
36 | | -1. Create an Azure Key Vault. |
| 36 | +1. Use the following [`az keyvault create`](/cli/azure/keyvault#az-keyvault-create) command to create a Key Vault instance. |
37 | 37 |
|
38 | 38 | ```azurecli |
39 | 39 | az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location eastus |
40 | 40 | ``` |
41 | 41 |
|
42 | | -1. Follow these instructions to [grant your app access](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references#granting-your-app-access-to-key-vault) to Key Vault. |
| 42 | +1. Follow [these instructions to grant your app access](app-service-key-vault-references.md#granting-your-app-access-to-key-vault) to your key vault: |
43 | 43 |
|
44 | | -1. Add your external URL as a secret in Key Vault. |
| 44 | +1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az-keyvault-secret-set) command to add your external URL as a secret in your key vault: |
45 | 45 |
|
46 | 46 | ```azurecli |
47 | 47 | az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>" |
48 | 48 | ``` |
49 | 49 |
|
50 | | -1. Create the `WEBSITE_RUN_FROM_PACKAGE` app setting and set the value as a Key Vault Reference to the external URL. |
| 50 | +1. Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command to create the `WEBSITE_RUN_FROM_PACKAGE` app setting with the value as a Key Vault reference to the external URL: |
51 | 51 |
|
52 | 52 | ```azurecli |
53 | 53 | az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>" |
54 | 54 | ``` |
55 | 55 |
|
56 | | -Updating this app setting will cause your Webapp to restart. Once the webapp has restarted, browse to it to ensure it has started correctly with the Key Vault reference. |
| 56 | +Updating this app setting causes your web app to restart. After the app has restarted, browse to it make sure it has started correctly using the Key Vault reference. |
57 | 57 |
|
58 | 58 | ## Summary |
59 | 59 |
|
60 | | -Your application files are now encrypted at rest in Azure Storage. When your Webapp starts, it wil retrieve the SAS URL from Azure Key Vault. Finally, the Webapp will load the application files from Azure Storage. |
| 60 | +Your application files are now encrypted at rest in your storage account. When your web app starts, it retrieves the SAS URL from your key vault. Finally, the web app loads the application files from storage. |
61 | 61 |
|
62 | | -If you want to revoke the Webapp's access to your data, you can either revoke access to the Key Vault or rotate the storage account keys, which will invalidate SAS URL. |
| 62 | +If you need to revoke the web app's access to your storage account, you can either revoke access to the key vault or rotate the storage account keys, which invalidates the SAS URL. |
63 | 63 |
|
64 | 64 | ## Frequently Asked Questions |
65 | 65 |
|
66 | | -### Is there any additional charge for using Run From Package? |
| 66 | +### Is there any additional charge for running my web app from the deployment package? |
67 | 67 |
|
68 | 68 | Only the cost associated with the Azure Storage Account and any applicable egress charges. |
69 | 69 |
|
70 | | -### How does Run From Package affect my Webapp? |
| 70 | +### How does running from the deployment package affect my web app? |
71 | 71 |
|
72 | | -- Using Run From Package makes `wwwroot/` read-only. Your app will receive an error if it attempts to write to this directory. |
| 72 | +- Running your app from the deployment package makes `wwwroot/` read-only. Your app receives an error when it attempts to write to this directory. |
73 | 73 | - TAR and GZIP formats are not supported. |
74 | 74 | - This feature is not compatible with local cache. |
75 | 75 |
|
|
0 commit comments