Leveraging Customer Managed Keys with Azure NetApp Files for Enhanced Security

Data security is one of the most critical concerns for organisations as they move to the cloud. Microsoft Azure provides various storage services, and Azure NetApp Files (ANF) is one of them.

Azure NetApp Files is a fully managed cloud service that provides enterprise-grade NFS and SMB file shares. It offers various features to secure data, such as encryption, access control, and customer-managed keys. In this article, we will discuss using customer-managed keys with Azure Key Vault and Azure NetApp Files.

What are customer-managed keys?

Customer-managed keys (CMK) are encryption keys that are created and managed by the customer instead of being managed by Azure. With CMK, customers can have more control over their data and ensure that their data is encrypted with their own keys. Customer-managed keys can be used to encrypt Azure NetApp Files and other Azure services.

What is Azure Key Vault?

Azure Key Vault is a cloud service that provides a secure store for keys, secrets, and certificates. It enables customers to store and manage cryptographic keys used for data encryption. Azure Key Vault provides a highly available and scalable service that can be accessed from anywhere in the world over HTTPS. It also offers granular access control to ensure that only authorised users can access the keys.

Key considerations
  • CMK for ANF is currently in Public Preview
  • Only available in a limited set of regions. Link to those supported regions here
  • CMK requires Standard Network Features to be available in the region
  • CMK is currently only available with new volumes
  • Private endpoints with CMK do not support disabling public access
  • Network Security Groups (NSGs) are not supported on the private link subnet for CMK
  • Cross Region Replication (CRR) and Cross Zone Replication (CZR) do not support CMK for data protection volumes
  • Azure Key Vault with at least one key available
  • The key must be of type RSA
  • A private endpoint for the Key Vault
  • The private endpoint needs to be in a different subnet to the ANF delegated subnet
  • The private endpoint subnet needs to be in the same VNet as the ANF delegated subnet

Registering the Resource Provider

Currently, CMK for ANF is in Public Preview. You need to register for access to the feature in Azure. To register, submit a wait-list request via the form on the Microsoft site. You can find that form here.

Registration can take approximately one week to complete. To check the registration status of the feature, run the following command:

Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFAzureKeyVaultEncryption

Once the command returns Registered, you are good to go.

FeatureName                ProviderName     RegistrationState
-----------                ------------     -----------------
ANFAzureKeyVaultEncryption Microsoft.NetApp Registered

Review the key considerations listed above before deploying customer-managed keys.

How to use customer-managed keys with Azure NetApp Files

To use Azure NetApp Files customer-managed keys with Azure Key Vault and private endpoints, follow the steps below:

Step 1: Create a key vault

The first step is to create an Azure Key Vault. To create a key vault, follow the steps below:

  1. Go to the Azure portal and sign in.
  2. Click on “Create a resource” and search for “Key Vault.”
  3. Select “Key Vault” from the search results and click on “Create.”
  4. Fill in the required information, such as the name, subscription, resource group, and region.
  5. Click on “Review + create” and then click on “Create.”

Step 2: Create a key in Azure Key Vault

The second step is to create a key in Azure Key Vault. To create a key, follow the steps below:

  1. Go to the Azure portal and sign in.
  2. Navigate to the Azure Key Vault you created in step 1.
  3. Click on “Keys” and then click on “Generate/Import.”
  4. Fill in the required information, such as the name and key type.
  5. Click on “Create” to create the key.

Step 3: Create private endpoint for Azure Key Vault

The third step is to create a private endpoint for the Azure Key Vault, so that ANF reaches the vault over the VNet rather than a public endpoint. To create the private endpoint, follow the steps below:

  1. Go to the Azure portal and sign in.
  2. Navigate to Private endpoints in the portal.
  3. Click on “Create.”
  4. Fill in the required information, such as the resource group, subscription, name, NIC name and region.
  5. Select “Microsoft.KeyVault” as resource type.
  6. Select the Azure Key Vault you created in step 1.
  7. Choose the VNet and subnet for the private endpoint to use.
  8. Leave the DNS as default.
  9. Add tags as required.
  10. Click on “Review + create” and then click on “Create.”

Step 4: Enable customer-managed keys in Azure NetApp Files

The fourth step is to enable customer-managed keys in Azure NetApp Files. To enable customer-managed keys, follow the steps below:

  1. Go to the Azure portal and sign in.
  2. Navigate to the Azure NetApp Files resource you want to enable customer-managed keys on.
  3. Click on “Encryption” and then click on “Customer-managed keys.”
  4. Enter the Key URI or choose “Select from Key Vault.”
  5. Next, choose either a System-assigned or User-assigned identity. The default is System-assigned.
  6. Click “Save.”

Step 5: Create your volume with CMK

  1. Go to the Azure portal and sign in.
  2. Browse to your ANF account.
  3. Select Volumes.
  4. Click Add Volume.
  5. On the Basics page, under Encryption key source, in the drop-down menu, choose Customer Managed Key. See image below.
  6. Continue the volume creation process as normal.

Monitor and manage your keys
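The five portal steps above can also be scripted. The following Az PowerShell script is an added example written for this article, not code from the original post or from Microsoft; it assumes an existing resource group, a VNet that already contains an ANF delegated subnet plus a second, non-delegated subnet for the private endpoint, and an existing ANF account and capacity pool. All names, the region and the volume size are placeholders, and the CMK-related parameter names on the Az.NetAppFiles cmdlets are given as I recall them from the module; check them against Get-Help before relying on them.

```powershell
# Added example (not from the original article): provision ANF customer-managed
# keys end to end with Az PowerShell, mirroring portal steps 1-5.
# Placeholders: resource names, region, subnet names. Assumed to exist already:
# the resource group, the VNet with both subnets, the ANF account and capacity pool.
$rg         = 'rg-anf-cmk'
$location   = 'northeurope'              # must be a CMK-supported region
$vnetName   = 'vnet-anf'
$peSubnet   = 'snet-privateendpoints'    # must NOT be the ANF delegated subnet
$anfSubnet  = 'snet-anf-delegated'
$kvName     = 'kv-anf-cmk-001'           # Key Vault names are globally unique
$keyName    = 'anf-volume-key'
$anfAccount = 'anf-account-01'
$poolName   = 'pool-premium'

# Step 1: the Key Vault. Purge protection stops a deleted key from being purged
# while volumes still depend on it (soft delete is already on by default).
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
        -EnablePurgeProtection

# Step 2: the key. RSA is the only type the considerations list allows.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName `
         -Destination Software -KeyType RSA -Size 2048

# Step 3: a private endpoint for the vault in a subnet of the same VNet that is
# different from the ANF delegated subnet. 'vault' is the Key Vault group id.
$vnet    = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet  = Get-AzVirtualNetworkSubnetConfig -Name $peSubnet -VirtualNetwork $vnet
$plsConn = New-AzPrivateLinkServiceConnection -Name "$kvName-plsc" `
             -PrivateLinkServiceId $kv.ResourceId -GroupId 'vault'
$pe = New-AzPrivateEndpoint -Name "pe-$kvName" -ResourceGroupName $rg `
        -Location $location -Subnet $subnet -PrivateLinkServiceConnection $plsConn

# Step 4: point the ANF account at the key using a system-assigned identity.
# ASSUMPTION: parameter names as recalled from Az.NetAppFiles; verify with Get-Help.
$account = Update-AzNetAppFilesAccount -ResourceGroupName $rg -Name $anfAccount `
             -IdentityType SystemAssigned `
             -EncryptionKeySource 'Microsoft.KeyVault' `
             -KeyVaultUri $kv.VaultUri -KeyVaultKeyName $keyName `
             -KeyVaultResourceId $kv.ResourceId

# Least privilege on the vault: the account identity only needs to read the key
# and use it for encrypt/decrypt. Grant nothing wider (no delete, purge, etc.).
Set-AzKeyVaultAccessPolicy -VaultName $kvName `
    -ObjectId $account.Identity.PrincipalId `
    -PermissionsToKeys get,encrypt,decrypt

# Step 5: a NEW volume (CMK cannot be applied to existing volumes) with Standard
# network features, which the considerations list requires for CMK.
$anfSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name $anfSubnet -VirtualNetwork $vnet).Id
$sizeBytes   = 100 * 1GB                 # 100 GiB, the ANF minimum volume size
New-AzNetAppFilesVolume -ResourceGroupName $rg -Location $location `
    -AccountName $anfAccount -PoolName $poolName -Name 'vol-cmk-01' `
    -CreationToken 'vol-cmk-01' -UsageThreshold $sizeBytes `
    -ServiceLevel Premium -ProtocolType NFSv4.1 -SubnetId $anfSubnetId `
    -NetworkFeature Standard `
    -EncryptionKeySource 'Microsoft.KeyVault' `
    -KeyVaultPrivateEndpointResourceId $pe.Id
```

Two points in the script are worth keeping in mind when adapting it: the access policy deliberately grants only the key permissions the ANF identity needs, and the private endpoint is placed in its own subnet because the considerations list rules out both the delegated subnet and NSGs on the private link subnet.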

With your ANF volumes now encrypted using customer managed keys, it’s crucial to monitor and manage your encryption keys effectively. Regularly review the access policies for your keys, rotate keys as needed, and ensure that key backups are securely stored.
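The review the paragraph above asks for can be turned into a repeatable, read-only check. This Az PowerShell script is an added example for this article, not code from the original post; the vault and key names are placeholders, and the 365-day maximum key age is a policy choice, not an ANF requirement.

```powershell
# Added example (not from the original article): a read-only review of the vault
# that holds the ANF volume key. It only reads and warns; it changes nothing.
# Placeholders: $kvName, $keyName. Policy choice: $maxKeyAgeDays.
$kvName        = 'kv-anf-cmk-001'
$keyName       = 'anf-volume-key'
$maxKeyAgeDays = 365

$kv = Get-AzKeyVault -VaultName $kvName

# 1. Recovery settings: both should be on for a vault that guards volume keys,
#    otherwise a deleted key (and the data under it) may be unrecoverable.
if (-not $kv.EnableSoftDelete)      { Write-Warning "$kvName : soft delete is disabled" }
if (-not $kv.EnablePurgeProtection) { Write-Warning "$kvName : purge protection is disabled" }

# 2. Access policies: the ANF identity needs only get/encrypt/decrypt on keys.
#    Flag principals holding broader key rights so each one can be justified.
$broad = @('all','delete','purge','backup','restore','import','create','update')
foreach ($p in $kv.AccessPolicies) {
    $extra = @($p.PermissionsToKeys | Where-Object { $broad -contains $_.ToLower() })
    if ($extra.Count -gt 0) {
        Write-Warning ("{0} : principal {1} has key permissions {2}" -f `
            $kvName, $p.ObjectId, ($extra -join ','))
    }
}

# 3. Key age: the newest enabled version should be younger than the policy age.
#    Every version is listed so disabled or expired ones are visible too.
$versions = Get-AzKeyVaultKey -VaultName $kvName -Name $keyName -IncludeVersions |
            Sort-Object Created -Descending
$current  = $versions | Where-Object { $_.Enabled } | Select-Object -First 1
if ($null -eq $current) {
    Write-Warning "$kvName/$keyName : no enabled key version found"
} else {
    $age = (Get-Date) - $current.Created
    if ($age.TotalDays -gt $maxKeyAgeDays) {
        Write-Warning ("{0}/{1} : current version {2} is {3:N0} days old; rotate it" -f `
            $kvName, $keyName, $current.Version, $age.TotalDays)
    }
}
$versions | Select-Object Version, Enabled, Created, Expires | Format-Table -AutoSize
```

Run it under an identity with read access to the vault's metadata and key list; it needs no rights to use or change the key material. Scheduling it (for example from Azure Automation) gives a regular record of who can touch the key and how old the current version is.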

Summary

In summary, Azure NetApp Files is an enterprise-grade cloud storage service that provides various features to secure data, such as encryption, access control, and customer-managed keys. Customer-managed keys enable customers to have more control over their data and ensure that their data is encrypted with their own keys. Azure Key Vault is a cloud service that provides a secure store for keys, secrets, and certificates. By using Azure NetApp Files customer-managed keys with Azure Key Vault, customers can ensure that their data is encrypted with their own keys and that the keys are stored securely in the cloud.
