Storage Accounts for critical data should be encrypted with Customer Managed Keys
Although Storage Accounts are encrypted by default with Microsoft-managed keys, customer-managed keys provide additional security controls: users can choose when to rotate their keys to meet compliance and security requirements, and they can prevent Azure from accessing their data by disabling the keys.
Navigate to Storage Accounts.
For each storage account, go to Encryption.
Set Encryption type to Customer-managed keys.
Use either the Select from key vault or the Enter key URI option to set up encryption with your own key.
To encrypt a storage account with a customer-managed key:
az storage account update --name <storage account name> --resource-group <resource group name> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
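The following is an added example, not part of the original page or of any Azure tooling. It takes the JSON that `az storage account list -o json` produces (only the `name`, `resourceGroup` and `encryption` fields are used; the sample accounts below are constructed for the example), classifies each account as using Microsoft-managed or customer-managed keys, and builds the `az storage account update` command shown above for the accounts that fail. The field names `encryption.keySource` and `encryption.keyVaultProperties.{keyVaultUri,keyName,keyVersion}` follow the Azure Storage resource shape as assumed here; an empty `keyVersion` is reported as automatic rotation, because Azure then tracks the latest version of the key.

```python
"""Audit Azure Storage Accounts for customer-managed key (CMK) encryption.

Input: the list returned by `az storage account list -o json`.
The sample data below is constructed for this example and was not
captured from a real subscription.
"""
import json
import shlex
from dataclasses import dataclass

# Constructed sample: one Microsoft-managed account, one CMK pinned to a
# key version, one CMK with automatic version rotation (empty keyVersion).
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "stlogsexample", "resourceGroup": "rg-example",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "stfinanceexample", "resourceGroup": "rg-example",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net/",
                                         "keyName": "storage-cmk",
                                         "keyVersion": "0123456789abcdef0123456789abcdef"}}},
  {"name": "sthrexample", "resourceGroup": "rg-example",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net/",
                                         "keyName": "storage-cmk",
                                         "keyVersion": ""}}}
]"""


@dataclass
class CmkFinding:
    name: str
    resource_group: str
    compliant: bool
    reason: str


def assess_account(account: dict) -> CmkFinding:
    """Classify one storage account by its encryption key source."""
    name = account.get("name", "<unknown>")
    rg = account.get("resourceGroup", "<unknown>")
    enc = account.get("encryption") or {}
    # Azure reports "Microsoft.Storage" for platform-managed keys; treat a
    # missing field the same way, since that is the default.
    source = enc.get("keySource") or "Microsoft.Storage"
    if source != "Microsoft.Keyvault":
        return CmkFinding(name, rg, False,
                          f"keySource is {source} (Microsoft-managed keys)")
    kv = enc.get("keyVaultProperties") or {}
    if not kv.get("keyVaultUri") or not kv.get("keyName"):
        return CmkFinding(name, rg, False,
                          "keySource is Microsoft.Keyvault but no vault or key is configured")
    version = kv.get("keyVersion") or ""
    rotation = (f"pinned to key version {version}" if version
                else "automatic rotation to the latest key version")
    return CmkFinding(name, rg, True,
                      f"CMK {kv['keyName']} from {kv['keyVaultUri']} ({rotation})")


def audit(accounts: list) -> list:
    """Assess every account in the `az storage account list` output."""
    return [assess_account(a) for a in accounts]


def remediation_command(finding: CmkFinding, key_vault_uri: str,
                        key_name: str, key_version: str = "") -> str:
    """Build the `az storage account update` call from the page for one account.

    Omitting key_version leaves the version flag out, which makes Azure
    follow the latest version of the key automatically.
    """
    argv = ["az", "storage", "account", "update",
            "--name", finding.name,
            "--resource-group", finding.resource_group,
            "--encryption-key-source=Microsoft.Keyvault",
            "--encryption-key-vault", key_vault_uri,
            "--encryption-key-name", key_name]
    if key_version:
        argv += ["--encryption-key-version", key_version]
    return shlex.join(argv)


if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE_ACCOUNTS_JSON)):
        status = "PASS" if f.compliant else "FAIL"
        print(f"{status} {f.resource_group}/{f.name}: {f.reason}")
        if not f.compliant:
            # Hypothetical vault and key name used for the generated command.
            print("  fix:", remediation_command(f, "https://kv-example.vault.azure.net/", "storage-cmk"))
```

To run it against a real subscription, replace the constructed sample with `json.loads(subprocess.check_output(["az", "storage", "account", "list", "-o", "json"]))`; the generated commands are printed for review rather than executed, so the key vault URI and key name can be checked before any account is changed.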