
I'm using Azure to store customer data. In a specific country there are multiple partners, and each partner has his own clients. The issue is that they don't want us to have access to this data. In other words, the only ones who can access the data are the partner and the client. So I'm thinking of using a master key for each partner, but I'm not sure if that is the best approach.

My idea is to create 2 layers of encryption:

Client App: encrypt data (only the client and the partner can open it)
Azure storage: encrypt the data with Microsoft encryption
Partner: gets the data
Client: can get his data

I'm blocked at the first step: how can I encrypt the data without storing the partners' encryption keys?

Do you have any suggestions?

schroeder

1 Answer

You can use Azure Key Vault in conjunction with Azure Blob Storage enabled with customer-managed keys to meet this requirement. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

[Diagram: CMK flow]

The following list explains the numbered steps in the diagram:

  1. An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the storage account.
  2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
  3. Azure Storage uses the managed identity that's associated with the storage account to authenticate access to Azure Key Vault via Azure Active Directory.
  4. Azure Storage wraps the account encryption key with the customer key in Azure Key Vault.
  5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview

Ken W MSFT
  • I was thinking of creating one storage account for this country and using an encryption scope for each partner [link](https://docs.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage), but my only issue is how to prevent myself from seeing these containers in the Azure portal. In other words, is there a config in Key Vault to do that? – Houssem Ben Dhaou May 13 '21 at 21:03
  • Just so I am following, you are saying you will create one storage account in let's say US East with containers in it for each partner (partner A,B, & C). When partner A logs on to the portal you only want them to see the storage account in US East and container A only, is that correct? If so then you will want to look at SAS, https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell – Ken W MSFT May 14 '21 at 01:22
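The five numbered steps in the answer and the two follow-ups in the comments (one encryption scope per partner inside a single storage account, and a user delegation SAS instead of portal access) can be wired together with the Azure CLI. The script below is an added example and is not code from the answer, the comments or the Microsoft docs. Every name in it (resource group, region, vault, key, storage account, partner/scope name) is an assumption to be replaced with your own; the `az` calls only run when `APPLY=1` is set, so the file can be read and its helper exercised without an Azure subscription.

```shell
#!/usr/bin/env sh
# Added example (not from the answer or Microsoft docs): provisions CMK for a
# storage account per the five steps above, then adds a per-partner encryption
# scope, a container locked to that scope, and a user delegation SAS.
# All names are assumptions; run with APPLY=1 to execute the az calls.

RG="${RG:-rg-customer-data}"            # assumed resource group
LOCATION="${LOCATION:-westeurope}"      # assumed region for "the country"
STORAGE="${STORAGE:-stcustomerdata01}"  # assumed storage account, one per country
VAULT="${VAULT:-kv-partner-a}"          # assumed vault controlled by partner A
KEY_NAME="${KEY_NAME:-partner-a-cmk}"   # assumed key name inside that vault
PARTNER="${PARTNER:-partner-a}"         # assumed encryption scope and container name

# Split a Key Vault key identifier
#   https://<vault>.vault.azure.net/keys/<name>[/<version>]
# into the three values `az storage account update` takes. An empty version
# tells Azure Storage to follow the newest key version automatically, so the
# partner can rotate the key without the operator touching the account.
kid_parts() {
    KID_VAULT_URI="${1%%/keys/*}"
    rest="${1#*/keys/}"
    KID_KEY_NAME="${rest%%/*}"
    KID_KEY_VERSION="${rest#*/}"
    [ "$KID_KEY_VERSION" = "$rest" ] && KID_KEY_VERSION=""
    return 0
}

configure_cmk() {
    # Storage refuses a vault without soft delete and purge protection.
    az keyvault create -g "$RG" -n "$VAULT" -l "$LOCATION" --enable-purge-protection true
    az keyvault key create --vault-name "$VAULT" -n "$KEY_NAME" --kty RSA

    # Steps 2-3: the storage account gets a system-assigned managed identity.
    az storage account create -g "$RG" -n "$STORAGE" -l "$LOCATION" \
        --sku Standard_LRS --kind StorageV2 --assign-identity
    principal=$(az storage account show -g "$RG" -n "$STORAGE" \
        --query identity.principalId -o tsv)

    # Step 1: that identity gets get/wrap/unwrap and nothing else; no operator
    # identity needs any policy on the partner's vault. (On an RBAC-enabled
    # vault assign the "Key Vault Crypto Service Encryption User" role instead.)
    az keyvault set-policy -n "$VAULT" --object-id "$principal" \
        --key-permissions get wrapKey unwrapKey

    # Steps 4-5: point the account at the key; Storage wraps its account key with it.
    kid=$(az keyvault key show --vault-name "$VAULT" -n "$KEY_NAME" --query key.kid -o tsv)
    kid_parts "$kid"
    az storage account update -g "$RG" -n "$STORAGE" \
        --encryption-key-source Microsoft.Keyvault \
        --encryption-key-vault "$KID_VAULT_URI" \
        --encryption-key-name "$KID_KEY_NAME" \
        --encryption-key-version "$KID_KEY_VERSION"

    # From the comments: an encryption scope rooted in this partner's key, and a
    # container whose blobs cannot be written under any other scope.
    az storage account encryption-scope create -g "$RG" --account-name "$STORAGE" \
        -n "$PARTNER" -s Microsoft.KeyVault -u "$kid"
    az storage container create --account-name "$STORAGE" -n "$PARTNER" \
        --auth-mode login --default-encryption-scope "$PARTNER" \
        --prevent-encryption-scope-override true

    # Instead of portal access: a user delegation SAS (signed with an Azure AD
    # key, not the account key) limited to this one container. Expiry uses GNU date.
    az storage container generate-sas --account-name "$STORAGE" -n "$PARTNER" \
        --permissions rl --expiry "$(date -u -d '+1 day' +%Y-%m-%dT%H:%MZ)" \
        --auth-mode login --as-user
}

if [ "${APPLY:-0}" = "1" ]; then
    configure_cmk
fi
```

One caveat worth keeping in mind when reading the answer: a customer-managed key decides whether Azure Storage can decrypt at all (the partner can cut the operator off by removing the access policy or disabling the key), but anyone with data-plane rights on the account still reads plaintext, because Storage unwraps the key on their behalf. If the requirement really is that the operator can never read the data, pair CMK and RBAC with client-side encryption under a key only the partner and client hold.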