Merge pull request #228462 from jimmart-dev/jammart-storage-cmk-auto-update-key-impact

storage cmk auto update key no perf impact

Author: v-regandowner

articles/storage/common/customer-managed-keys-configure-existing-account.md

@@ -7,11 +7,11 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 12/13/2022
+ms.date: 03/09/2023
 ms.author: tamram
 ms.reviewer: ozgun
 ms.subservice: common 
-ms.custom: devx-track-azurepowershell, devx-track-azurecli
+ms.custom: devx-track-azurepowershell, devx-track-azurecli, engagement-fy23
 ---
 
 # Configure customer-managed keys in an Azure key vault for an existing storage account
@@ -109,6 +109,8 @@ az role assignment create --assignee-object-id $principalId \
 
 When you configure encryption with customer-managed keys for an existing storage account, you can choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault. Alternately, you can explicitly specify a key version to be used for encryption until the key version is manually updated.
 
+When the key version is changed, whether automatically or manually, the protection of the root encryption key changes, but the data in your Azure Storage account remains encrypted at all times. There is no additional action required on your part to ensure that your data is protected. Rotating the key version doesn't impact performance. There is no downtime associated with rotating the key version.
+
 You can use either a system-assigned or user-assigned managed identity to authorize access to the key vault when you configure customer-managed keys for an existing storage account.
 
 > [!NOTE]
@@ -269,10 +271,18 @@ When you manually update the key version, you'll need to update the storage acco
 
 ---
 
+## The impact of changing customer-managed keys
+
+When customer-managed keys are enabled or disabled, or the key or key version is changed, the protection of the root encryption key changes, but the data in your Azure Storage account remains encrypted at all times. There is no additional action required on your part to ensure that your data is protected. Rotating the key version doesn't impact performance. There is no downtime associated with rotating the key version.
+
 [!INCLUDE [storage-customer-managed-keys-change-include](../../../includes/storage-customer-managed-keys-change-include.md)]
 
+If the new key is in a different key vault, you must [grant the managed identity access to the key in the new vault](#choose-a-managed-identity-to-authorize-access-to-the-key-vault). If you choose manual updating of the key version, you will also need to [update the key vault URI](#configure-encryption-for-manual-updating-of-key-versions).
+
 [!INCLUDE [storage-customer-managed-keys-revoke-include](../../../includes/storage-customer-managed-keys-revoke-include.md)]
 
+Disabling the key will cause attempts to access data in the storage account to fail with error code 403 (Forbidden). For a list of storage account operations that will be affected by disabling the key, see [Revoke access to a storage account that uses customer-managed keys](customer-managed-keys-overview.md#revoke-access-to-a-storage-account-that-uses-customer-managed-keys).
+
 [!INCLUDE [storage-customer-managed-keys-disable-include](../../../includes/storage-customer-managed-keys-disable-include.md)]
 
 ## Next steps

articles/storage/common/customer-managed-keys-configure-new-account.md

@@ -7,7 +7,7 @@ author: tamram
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 09/29/2022
+ms.date: 03/09/2023
 ms.author: tamram
 ms.reviewer: ozgun
 ms.subservice: common 
@@ -195,8 +195,12 @@ When you manually update the key version, you'll need to update the storage acco
 
 [!INCLUDE [storage-customer-managed-keys-change-include](../../../includes/storage-customer-managed-keys-change-include.md)]
 
+If the new key is in a different key vault, you must [grant the managed identity access to the key in the new vault](#use-a-user-assigned-managed-identity-to-authorize-access-to-the-key-vault). If you choose manual updating of the key version, you will also need to [update the key vault URI](#configure-encryption-for-manual-updating-of-key-versions).
+
 [!INCLUDE [storage-customer-managed-keys-revoke-include](../../../includes/storage-customer-managed-keys-revoke-include.md)]
 
+Disabling the key will cause attempts to access data in the storage account to fail with error code 403 (Forbidden). For a list of storage account operations that will be affected by disabling the key, see [Revoke access to a storage account that uses customer-managed keys](customer-managed-keys-overview.md#revoke-access-to-a-storage-account-that-uses-customer-managed-keys).
+
 [!INCLUDE [storage-customer-managed-keys-disable-include](../../../includes/storage-customer-managed-keys-disable-include.md)]
 
 ## Next steps

articles/storage/common/customer-managed-keys-overview.md

@@ -6,7 +6,7 @@ services: storage
 author: tamram
 
 ms.service: storage
-ms.date: 12/13/2022
+ms.date: 03/09/2023
 ms.topic: conceptual
 ms.author: tamram
 ms.reviewer: ozgun
@@ -62,7 +62,7 @@ Data in Blob storage and Azure Files is always protected by customer-managed key
 
 ## Enable customer-managed keys for a storage account
 
-When you configure a customer-managed key, Azure Storage wraps the root data encryption key for the account with the customer-managed key in the associated key vault or managed HSM. Enabling customer-managed keys doesn't impact performance, and takes effect immediately.
+When you configure a customer-managed key, Azure Storage wraps the root data encryption key for the account with the customer-managed key in the associated key vault or managed HSM. Enabling customer-managed keys takes effect immediately and doesn't impact performance.
 
 You can configure customer-managed keys with the key vault and storage account in the same tenant or in different Azure AD tenants. To learn how to configure Azure Storage encryption with customer-managed keys when the key vault and storage account are in the same tenants, see one of the following articles:
 
@@ -74,7 +74,7 @@ To learn how to configure Azure Storage encryption with customer-managed keys wh
 - [Configure cross-tenant customer-managed keys for a new storage account](customer-managed-keys-configure-cross-tenant-new-account.md)
 - [Configure cross-tenant customer-managed keys for an existing storage account](customer-managed-keys-configure-cross-tenant-existing-account.md)
 
-When you enable or disable customer-managed keys, or when you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Storage account doesn't need to be re-encrypted.
+When you enable or disable customer-managed keys, or when you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Storage account remains encrypted at all times. There is no additional action required on your part to ensure that your data is protected. Rotating the key version doesn't impact performance. There is no downtime associated with rotating the key version.
 
 You can enable customer-managed keys on both new and existing storage accounts. When you enable customer-managed keys, you must specify a managed identity to be used to authorize access to the key vault that contains the key. The managed identity may be either a user-assigned or system-assigned managed identity:
 
@@ -106,14 +106,14 @@ When you configure encryption with customer-managed keys, you have two options f
 
     When the key version is explicitly specified, then you must manually update the storage account to use the new key version URI when a new version is created. To learn how to update the storage account to use a new version of the key, see [Configure encryption with customer-managed keys stored in Azure Key Vault](customer-managed-keys-configure-key-vault.md) or [Configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM](customer-managed-keys-configure-key-vault-hsm.md).
 
-When you update the key version, the protection of the root encryption key changes, but the data in your Azure Storage account isn't re-encrypted. There's no further action required from the user.
+When you enable or disable customer-managed keys, or when you modify the key or the key version, the protection of the root encryption key changes, but the data in your Azure Storage account remains encrypted at all times. There is no additional action required on your part to ensure that your data is protected. Rotating the key version doesn't impact performance. There is no downtime associated with rotating the key version.
 
 > [!NOTE]
-> To rotate a key, create a new version of the key in the key vault or managed HSM, according to your compliance policies. You can rotate your key manually or create a function to rotate it on a schedule.
+> To rotate a key, create a new version of the key in the key vault or managed HSM, according to your compliance policies. Azure Storage does not handle key rotation, so you will need to manage rotation of the key in the key vault. You can [rotate your keys manually](customer-managed-keys-configure-existing-account.md#configure-encryption-for-manual-updating-of-key-versions) or [configure them to rotate automatically](customer-managed-keys-configure-existing-account.md#configure-encryption-for-automatic-updating-of-key-versions).
 
-## Revoke access to customer-managed keys
+## Revoke access to a storage account that uses customer-managed keys
 
-You can revoke the storage account's access to the customer-managed key at any time. After access to customer-managed keys is revoked, or after the key has been disabled or deleted, clients can't call operations that read from or write to a blob or its metadata. Attempts to call any of the following operations will fail with error code 403 (Forbidden) for all users:
+To revoke access to a storage account that uses customer-managed keys, disable the key that is currently being used. To learn how to disable a key in the Azure key vault, see [The impact of changing customer-managed keys](customer-managed-keys-configure-existing-account.md#the-impact-of-changing-customer-managed-keys). After the key has been disabled, clients can't call operations that read from or write to a blob or its metadata. Attempts to call any of the following operations will fail with error code 403 (Forbidden) for all users:
 
 - [List Blobs](/rest/api/storageservices/list-blobs), when called with the `include=metadata` parameter on the request URI
 - [Get Blob](/rest/api/storageservices/get-blob)

articles/storage/common/media/customer-managed-keys-configure-common/portal-disable-customer-managed-keys.png

@@ -5,9 +5,9 @@ services: storage
 author: tamram
 ms.service: storage
 ms.topic: "include"
-ms.date: 08/22/2022
+ms.date: 03/09/2023
 ms.author: tamram
-ms.custom: "include file"
+ms.custom: "include file", engagement-fy23
 ---
 
 ## Change the key

articles/storage/common/media/customer-managed-keys-configure-common/portal-enable-microsoft-managed-keys.png

@@ -5,25 +5,28 @@ services: storage
 author: tamram
 ms.service: storage
 ms.topic: "include"
-ms.date: 08/22/2022
+ms.date: 03/10/2023
 ms.author: tamram
 ms.custom: "include file"
 ---
 
-## Disable customer-managed keys
+## Switch back to Microsoft-managed keys
 
-When you disable customer-managed keys, your storage account is once again encrypted with Microsoft-managed keys.
+You can switch from customer-managed keys back to Microsoft-managed keys at any time, using the Azure portal, PowerShell, or the Azure CLI.
 
 # [Azure portal](#tab/azure-portal)
 
-To disable customer-managed keys in the Azure portal, follow these steps:
+To switch from customer-managed keys back to Microsoft-managed keys in the Azure portal, follow these steps:
 
-1. Navigate to your storage account and display the **Encryption** settings.
-1. Deselect the checkbox next to the **Use your own key** setting.
+1. Navigate to your storage account.
+1. Under **Security + networking**, select **Encryption**.
+1. Change **Encryption type** to **Microsoft-managed keys**.
+
+    :::image type="content" source="../articles/storage/common/media/customer-managed-keys-configure-common/portal-enable-microsoft-managed-keys.png" alt-text="Screenshot showing how to switch to Microsoft-managed keys for a storage account.":::
 
 # [PowerShell](#tab/azure-powershell)
 
-To disable customer-managed keys with PowerShell, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) with the `-StorageEncryption` option, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+To switch from customer-managed keys back to Microsoft-managed keys with PowerShell, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) with the `-StorageEncryption` option, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
 
 ```azurepowershell
 Set-AzStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName `
@@ -33,7 +36,7 @@ Set-AzStorageAccount -ResourceGroupName $storageAccount.ResourceGroupName `
 
 # [Azure CLI](#tab/azure-cli)
 
-To disable customer-managed keys with Azure CLI, call [az storage account update](/cli/azure/storage/account#az-storage-account-update) and set the `--encryption-key-source parameter` to `Microsoft.Storage`, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+To switch from customer-managed keys back to Microsoft-managed keys with Azure CLI, call [az storage account update](/cli/azure/storage/account#az-storage-account-update) and set the `--encryption-key-source parameter` to `Microsoft.Storage`, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
 
 ```azurecli
 az storage account update

includes/storage-customer-managed-keys-change-include.md

@@ -5,36 +5,62 @@ services: storage
 author: tamram
 ms.service: storage
 ms.topic: "include"
-ms.date: 08/22/2022
+ms.date: 03/10/2023
 ms.author: tamram
 ms.custom: "include file"
 ---
 
-## Revoke customer-managed keys
+## Revoke access to a storage account that uses customer-managed keys
 
-Revoking a customer-managed key removes the association between the storage account and the key vault.
+To temporarily revoke access to a storage account that is using customer-managed keys, disable the key currently being used in the key vault.
 
 # [Azure portal](#tab/azure-portal)
 
-To revoke customer-managed keys with the Azure portal, disable the key as described in [Disable customer-managed keys](#disable-customer-managed-keys).
+To disable a customer-managed key with the Azure portal, follow these steps:
+
+1. Navigate to the key vault that contains the key.
+1. Under **Objects**, select **Keys**.
+1. Right-click the key and select **Disable**.
+
+    :::image type="content" source="../articles/storage/common/media/customer-managed-keys-configure-common/portal-disable-customer-managed-keys.png" alt-text="Screenshot showing how to disable a customer-managed key in the key vault.":::
 
 # [PowerShell](#tab/azure-powershell)
 
-You can revoke customer-managed keys by removing the key vault access policy. To revoke a customer-managed key with PowerShell, call the [Remove-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/remove-azkeyvaultaccesspolicy) command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+To revoke a customer-managed key with PowerShell, call the [Update-AzKeyVaultKey](/powershell/module/az.keyvault/update-azkeyvaultkey) command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values to define the variables, or use the variables defined in the previous examples.
 
 ```azurepowershell
-Remove-AzKeyVaultAccessPolicy -VaultName $keyVault.VaultName `
-    -ObjectId $storageAccount.Identity.PrincipalId `
+$kvName  = "<key-vault-name>"
+$keyName = "<key-name>"
+$enabled = $false
+# $false to disable the key / $true to enable it
+
+# Check the current state of the key (before and after enabling/disabling it)
+Get-AzKeyVaultKey -Name $keyName -VaultName $kvName
+
+# Disable (or enable) the key
+Update-AzKeyVaultKey -VaultName $kvName -Name $keyName -Enable $enabled
 ```
 
 # [Azure CLI](#tab/azure-cli)
 
-You can revoke customer-managed keys by removing the key vault access policy. To revoke a customer-managed key with Azure CLI, call the [az keyvault delete-policy](/cli/azure/keyvault#az-keyvault-delete-policy) command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.
+To revoke a customer-managed key with Azure CLI, call the [az keyvault key set-attributes](/cli/azure/keyvault/key#az-keyvault-key-set-attributes) command, as shown in the following example. Remember to replace the placeholder values in brackets with your own values to define the variables, or use the variables defined in the previous examples.
 
 ```azurecli
-az keyvault delete-policy \
-    --name <key-vault> \
-    --object-id $storage_account_principal
+kvName="<key-vault-name>"
+keyName="<key-name>"
+enabled="false"
+# "false" to disable the key / "true" to enable it:
+
+# Check the current state of the key (before and after enabling/disabling it)
+az keyvault key show \
+    --vault-name $kvName \
+    --name $keyName
+
+# Disable (or enable) the key
+az keyvault key set-attributes \
+    --vault-name $kvName \
+    --name $keyName \
+    --enabled $enabled
 ```
 
 ---