articles/storage/blobs/encryption-customer-provided-keys.md
10 additions & 8 deletions
@@ -1,12 +1,12 @@
1
1
---
2
2
title: Provide an encryption key on a request to Blob storage
3
3
titleSuffix: Azure Storage
4
-
description: Clients making requests against Azure Blob storage have the option to provide an encryption key on a per-request basis. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations.
4
+
description: Clients making requests against Azure Blob storage can provide an encryption key on a per-request basis. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations.
5
5
services: storage
6
6
author: tamram
7
7
8
8
ms.service: storage
9
-
ms.date: 12/14/2020
9
+
ms.date: 05/09/2022
10
10
ms.topic: conceptual
11
11
ms.author: tamram
12
12
ms.reviewer: ozgun
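Review bot: The `description:` edit here only swaps "have the option to" for "can", but the body intro in the next hunk gains a new statement (the key encrypts the blob on write, and subsequent reads and writes must carry the same key). Consider aligning the description with that intro so the page summary reflects the per-blob key requirement, e.g. "...can provide an encryption key on a per-request basis; a blob written with a key can only be read or overwritten with that same key." The `ms.date` bump to 05/09/2022 is consistent with the content changes below.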
@@ -15,21 +15,23 @@ ms.subservice: common
15
15
16
16
# Provide an encryption key on a request to Blob storage
17
17
18
-
Clients making requests against Azure Blob storage have the option to provide an AES-256 encryption key on a per-request basis. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys can be stored in Azure Key Vault or in another key store.
18
+
Clients making requests against Azure Blob storage can provide an AES-256 encryption key to encrypt that blob on a write operation. Subsequent requests to read or write to the blob must include the same key. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys can be stored in Azure Key Vault or in another key store.
19
19
20
20
## Encrypting read and write operations
21
21
22
22
When a client application provides an encryption key on the request, Azure Storage performs encryption and decryption transparently while reading and writing blob data. Azure Storage writes an SHA-256 hash of the encryption key alongside the blob's contents. The hash is used to verify that all subsequent operations against the blob use the same encryption key.
23
23
24
-
Azure Storage does not store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.
24
+
Azure Storage doesn't store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.
25
25
26
-
When a client creates or updates a blob using a customer-provided key on the request, then subsequent read and write requests for that blob must also provide the key. If the key is not provided on a request for a blob that has already been encrypted with a customer-provided key, then the request fails with error code 409 (Conflict).
26
+
When a client creates or updates a blob using a customer-provided key on the request, then subsequent read and write requests for that blob must also provide the key. If the key isn't provided on a request for a blob that has already been encrypted with a customer-provided key, then the request fails with error code 409 (Conflict).
27
27
28
28
If the client application sends an encryption key on the request, and the storage account is also encrypted using a Microsoft-managed key or a customer-managed key, then Azure Storage uses the key provided on the request for encryption and decryption.
29
29
30
30
To send the encryption key as part of the request, a client must establish a secure connection to Azure Storage using HTTPS.
31
31
32
-
Each blob snapshot can have its own encryption key.
32
+
Each blob snapshot or blob version can have its own encryption key.
33
+
34
+
Object replication isn't supported for blobs in the source account that are encrypted with a customer-provided key.
33
35
34
36
## Request headers for specifying customer-provided keys
35
37
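Review bot: The new sentence in the intro ("Subsequent requests to read or write to the blob must include the same key") now restates the paragraph at original line 26 ("subsequent read and write requests for that blob must also provide the key... fails with error code 409 (Conflict)"). Either trim the intro to a pointer or fold the 409 detail into one place so readers do not see the rule twice with slightly different wording. The added "Object replication isn't supported for blobs in the source account that are encrypted with a customer-provided key" lands as a bare sentence under "Encrypting read and write operations"; it is a compatibility restriction rather than an encryption behaviour, so it would be easier to find in the "Feature support" section later in this file, and it should link to the object replication article. The contraction changes ("does not" to "doesn't", "is not" to "isn't") are fine.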
@@ -63,7 +65,7 @@ The following Blob storage operations support sending customer-provided encrypti
63
65
64
66
## Rotate customer-provided keys
65
67
66
-
To rotate an encryption key that was used to encrypt a blob, download the blob and then re-upload it with the new encryption key.
68
+
To rotate an encryption key that was used to encrypt a blob, download the blob and then reupload it with the new encryption key.
67
69
68
70
> [!IMPORTANT]
69
71
> The Azure portal cannot be used to read from or write to a container or blob that is encrypted with a key provided on the request.
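Review bot: The rotation guidance ("download the blob and then reupload it with the new encryption key") is silent about snapshots and versions, even though this same change adds "Each blob snapshot or blob version can have its own encryption key" above. Re-uploading rewrites only the current blob data; existing snapshots and prior versions stay encrypted with the key they were written with, so a reader rotating keys needs to know those still require the old key (or must be re-created or deleted). One sentence stating that here would close the gap. Minor style point: the change converts "does not" and "is not" to contractions elsewhere in this file, but the unchanged `[!IMPORTANT]` note in this hunk still reads "cannot be used"; if the contraction style is being applied file-wide, this line should follow suit.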
@@ -72,7 +74,7 @@ To rotate an encryption key that was used to encrypt a blob, download the blob a
72
74
73
75
## Feature support
74
76
75
-
This table shows how this feature is supported in your account and the impact on support when you enable certain capabilities.
77
+
This table shows how this feature is supported in your account and the effect on that support when you enable certain capabilities.
76
78
77
79
| Storage account type | Blob Storage (default support) | Data Lake Storage Gen2 <sup>1</sup> | NFS 3.0 <sup>1</sup> | SFTP <sup>1</sup> |
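Review bot: "how this feature is supported in your account" is vaguer than the table it introduces, whose first column is "Storage account type"; "for your storage account type" would match the table and read more precisely than the "impact" to "effect" swap alone. The `<sup>1</sup>` footnote markers on the Data Lake Storage Gen2, NFS 3.0 and SFTP columns are outside this hunk's changed lines, so just confirm the footnote text that defines them survives elsewhere in the file.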