File: articles/storage/blobs/encryption-scope-manage.md
Lines changed: 5 additions & 5 deletions
@@ -6,7 +6,7 @@ services: storage
6
6
author: jimmart-dev
7
7
8
8
ms.service: storage
9
-
ms.date: 10/27/2022
9
+
ms.date: 03/10/2023
10
10
ms.topic: conceptual
11
11
ms.author: jammart
12
12
ms.reviewer: ozgun
@@ -23,7 +23,7 @@ This article shows how to create an encryption scope. It also shows how to speci
23
23
24
24
## Create an encryption scope
25
25
26
-
You can create an encryption scope that is protected with a Microsoft-managed key or with a customer-managed key that is stored in an Azure Key Vault or in an Azure Key Vault Managed Hardware Security Model (HSM). To create an encryption scope with a customer-managed key, you must first create a key vault or managed HSM and add the key you intend to use for the scope. The key vault or managed HSM must have purge protection enabled and must be in the same region as the storage account.
26
+
You can create an encryption scope that is protected with a Microsoft-managed key or with a customer-managed key that is stored in an Azure Key Vault or in an Azure Key Vault Managed Hardware Security Model (HSM). To create an encryption scope with a customer-managed key, you must first create a key vault or managed HSM and add the key you intend to use for the scope. The key vault or managed HSM must have purge protection enabled. The storage account and key vault can be in different regions.
27
27
28
28
An encryption scope is automatically enabled when you create it. After you create the encryption scope, you can specify it when you create a blob. You can also specify a default encryption scope when you create a container, which automatically applies to all blobs in the container.
29
29
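Review bot: the added `+` line ends with "The storage account and key vault can be in different regions" while the two sentences before it consistently say "key vault or managed HSM"; if the relaxed region rule also applies to a managed HSM, write "The storage account and the key vault or managed HSM can be in different regions", and if it does not, state the HSM restriction explicitly so the paragraph does not contradict itself. It is also worth a short sentence that a key vault in another region becomes a cross-region dependency for every read and write under the scope, since readers choosing a region for the vault will want that trade-off spelled out.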
@@ -38,7 +38,7 @@ To create an encryption scope in the Azure portal, follow these steps:
38
38
1. In the **Create Encryption Scope** pane, enter a name for the new scope.
39
39
1. Select the desired type of encryption key support, either **Microsoft-managed keys** or **Customer-managed keys**.
40
40
- If you selected **Microsoft-managed keys**, click **Create** to create the encryption scope.
41
-
- If you selected **Customer-managed keys**, then select a subscription and specify a key vault or a managed HSM and a key to use for this encryption scope.
41
+
- If you selected **Customer-managed keys**, then select a subscription and specify a key vault and a key to use for this encryption scope. If the desired key vault is in a different region, select **Enter key URI** and specify the key URI.
42
42
1. If infrastructure encryption is enabled for the storage account, then it will automatically be enabled for the new encryption scope. Otherwise, you can choose whether to enable infrastructure encryption for the encryption scope.
43
43
44
44
:::image type="content" source="media/encryption-scope-manage/create-encryption-scope-customer-managed-key-portal.png" alt-text="Screenshot showing how to create encryption scope in Azure portal" lightbox="media/encryption-scope-manage/create-encryption-scope-customer-managed-key-portal.png":::
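Review bot: the `+` line drops "or a managed HSM" from the portal step, so the portal instructions now mention only a key vault while the "Create an encryption scope" paragraph in this same file still says the key can live in a key vault or a managed HSM. If a managed HSM key can only be supplied through **Enter key URI** in the portal, say so on this line; otherwise restore the wording. The new **Enter key URI** sentence also does not say what form the URI takes (key identifier with or without a key version), and that choice decides whether the scope follows key rotation automatically, so add a note or a link to where that is documented.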
To create a new encryption scope that is protected by customer-managed keys stored in a key vault or managed HSM, first configure customer-managed keys for the storage account. You must assign a managed identity to the storage account and then use the managed identity to configure the access policy for the key vault or managed HSM so that the storage account has permissions to access it.
72
72
73
-
To configure customer-managed keys for use with an encryption scope, purge protection must be enabled on the key vault or managed HSM. The key vault or managed HSM must be in the same region as the storage account.
73
+
To configure customer-managed keys for use with an encryption scope, purge protection must be enabled on the key vault or managed HSM. The key vault or managed HSM can be in a different region from the storage account.
74
74
75
75
Remember to replace the placeholder values in the example with your own values:
76
76
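Review bot: this `+` line is the same sentence as the one changed in the CLI section below, and the same region statement is rewritten a third time in the overview paragraph above; keeping three hand-maintained copies of one requirement is how the stale "must be in the same region" text survived until this commit, so consider moving the purge-protection and region sentence into a single shared include. The PowerShell context line above it correctly says "key vault or managed HSM" for the access-policy step, which the CLI section does not; see the note on that hunk.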
@@ -131,7 +131,7 @@ az storage account encryption-scope create \
131
131
132
132
To create a new encryption scope that is protected by customer-managed keys in a key vault or managed HSM, first configure customer-managed keys for the storage account. You must assign a managed identity to the storage account and then use the managed identity to configure the access policy for the key vault so that the storage account has permissions to access it. For more information, see [Customer-managed keys for Azure Storage encryption](../common/customer-managed-keys-overview.md).
133
133
134
-
To configure customer-managed keys for use with an encryption scope, purge protection must be enabled on the key vault or managed HSM. The key vault or managed HSM must be in the same region as the storage account.
134
+
To configure customer-managed keys for use with an encryption scope, purge protection must be enabled on the key vault or managed HSM. The key vault or managed HSM can be in a different region from the storage account.
135
135
136
136
Remember to replace the placeholder values in the example with your own values:
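Review bot: the unchanged context line above ("configure the access policy for the key vault so that the storage account has permissions to access it") omits "or managed HSM", unlike the equivalent sentence in the PowerShell section, even though the same sentence opens with "in a key vault or managed HSM"; while this paragraph is being touched, align the two. The changed `+` line itself matches the PowerShell change and needs no further edit beyond the consistency point raised there.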