is there a video showing us how to connect a managed HSM with a blob storage account?

Tony Yip 30 Reputation points
2024-11-01T21:49:26.74+00:00

We are trying to enable HSM for a blob storage account. So, the use case is to have a different container with a different encryption scope and each scope has its own key that is stored in HSM. However, there is no pick from HSM dropdown in the encryption scope, only the keyvault dropdown. We have tried to contact Microsoft support and seriously, none of them know how to do it, we have been waiting for 3 weeks and no help from Azure support. Our MS account manager has tried to locate a HSM expert to help but so far no luck.

does anyone know how to connect a managed HSM with a blob storage - encryption scope. We want the blob storage account to use azure managed key but just a few containers to enable encryption scope with the keys from HSM.

Any help would be appreciated from anyone.


Accepted answer
  1. Keshavulu Dasari 2,420 Reputation points Microsoft Vendor
    2024-11-04T20:51:32.12+00:00

    Hi Tony Yip,
    When setting up encryption scopes, you should indeed see an option to select keys from a managed HSM. This might not be directly visible in the dropdown if the managed HSM is not properly configured or if there are permission issues.

    Few steps to troubleshoot:

    1. Verify Permissions:
      • Ensure that the managed identity of your storage account has the necessary permissions to access the managed HSM. The role Managed HSM Crypto Service Encryption User should be assigned to the storage account’s managed identity for the specific key in the HSM.
    2. Check Region Compatibility:
      • If your managed HSM and storage account are in different regions, you might need to manually enter the key URI. Ensure that the key URI is correctly formatted and accessible.
    3. Use Azure CLI for Configuration:

    Sometimes, using the Azure CLI can help bypass UI limitations. Here’s how you can assign a key from a managed HSM to an encryption scope using Azure CLI:

    az storage account encryption-scope create \
      --resource-group <resource-group> \
      --account-name <storage-account> \
      --name <encryption-scope-name> \
      --key-source Microsoft.KeyVault \
      --key-uri <key-uri>

    4. Ensure Managed HSM is Properly Configured:

    If you still don’t see the managed HSM option in the dropdown, let me know in the "comments" and I would be happy to help you.


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


1 additional answer

  1. Keshavulu Dasari 2,420 Reputation points Microsoft Vendor
    2024-11-01T23:36:10.8566667+00:00

    Hi Tony Yip,
    Welcome to Microsoft Q&A Forum, thank you for posting your query here!
    To configure an encryption scope for your Azure Blob Storage with a key stored in an Azure Managed HSM, create a Managed HSM and key:

    First, ensure you have a Managed HSM set up in your Azure environment.

    1. Create an Encryption Scope:

    • Navigate to your storage account in the Azure portal.
    • Under Security + networking, select Encryption.
    • Go to the Encryption Scopes tab and click Add to create a new encryption scope.
    • Enter a name for the new scope.
    • Select Customer-managed keys and then choose the key vault or managed HSM where your key is stored.

    Assign the Key to the Encryption Scope:

    • If the key vault or managed HSM is in a different region, select Enter key URI and specify the key URI.
    • Ensure that the storage account and the key vault or managed HSM can communicate, possibly by configuring appropriate network settings and permissions.

    Apply the Encryption Scope to Containers:

    You can specify the encryption scope when creating a new container or apply it to existing containers.

    • This will ensure that all blobs within the container are encrypted using the specified key from the Managed HSM.
    • Upload a blob to the container and verify that it is encrypted with the correct encryption scope.
    • Check the encryption settings to ensure everything is configured correctly.

    If you still encounter issues, it might be helpful to double-check the permissions and network configurations between your storage account and the Managed HSM.
    For more detailed information, you can refer to the Azure documentation, which might provide further insights:
    https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-overview
    https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=portal

    If the issue persists, I would like to work closer on this issue! ---Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members

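The procedure laid out in both answers (grant the storage account's managed identity the Managed HSM role on the key, create the encryption scope with `--key-source Microsoft.KeyVault` and the key URI, then pin a container to that scope while the account itself stays on Microsoft-managed keys) as one Azure CLI script. This is an added example, not code from the question, either answer, or Microsoft; the resource names, the `AZ_APPLY` switch, and the key URI are constructed placeholders. It also adds the check a practitioner wants before touching Azure: a key URI is only accepted if its host is actually under `managedhsm.azure.net` (or `vault.azure.net`), and the role name is chosen from that, since Managed HSM uses its own local RBAC role rather than the vault role. Azure Dedicated HSM is a different product and cannot back an encryption scope; only Key Vault and Key Vault Managed HSM keys are accepted.

```shell
#!/bin/sh
# Added example (not from the question or either answer): configure a Managed HSM
# encryption scope for one container with the Azure CLI, leaving the storage
# account's default encryption on Microsoft-managed keys. All names below are
# constructed placeholders; RG, ACCOUNT, SCOPE, CONTAINER, KEY_URI and AZ_APPLY
# are hypothetical environment variables used only by this script.
set -eu

RG="${RG:-rg-storage-demo}"
ACCOUNT="${ACCOUNT:-stdemo001}"
SCOPE="${SCOPE:-hsm-scope-finance}"
CONTAINER="${CONTAINER:-finance}"
# Managed HSM key URIs live under managedhsm.azure.net; omitting the version
# segment lets the scope follow key rotation instead of pinning one version.
KEY_URI="${KEY_URI:-https://contoso-hsm.managedhsm.azure.net/keys/finance-scope-key}"

# Classify a key URI by its host, not by a substring match, so that a URI such
# as https://evil.example/x.managedhsm.azure.net/keys/k is rejected.
# Prints "managedhsm" or "keyvault"; non-zero status for anything else.
key_kind() {
  host="${1#https://}"; host="${host%%/*}"
  path="${1#https://*/}"
  case "$host:$path" in
    *.managedhsm.azure.net:keys/*) printf 'managedhsm\n' ;;
    *.vault.azure.net:keys/*)      printf 'keyvault\n' ;;
    *) return 1 ;;
  esac
}

# Host label before .managedhsm.azure.net (what --hsm-name expects).
hsm_name() {
  rest="${1#https://}"
  printf '%s\n' "${rest%%.managedhsm.azure.net/*}"
}

# Key name: the path segment after /keys/, without any version suffix.
key_name() {
  rest="${1#*/keys/}"
  printf '%s\n' "${rest%%/*}"
}

# Built-in role the storage account identity needs on the key. Managed HSM
# has its own local RBAC roles, distinct from the Azure RBAC role for vaults.
role_for_key() {
  case "$(key_kind "$1")" in
    managedhsm) printf 'Managed HSM Crypto Service Encryption User\n' ;;
    keyvault)   printf 'Key Vault Crypto Service Encryption User\n' ;;
    *) return 1 ;;
  esac
}

configure_scope() {
  kind="$(key_kind "$KEY_URI")" || { echo "unsupported key URI: $KEY_URI" >&2; return 1; }
  [ "$kind" = managedhsm ] || { echo "this script covers Managed HSM keys only" >&2; return 1; }

  # 1. System-assigned identity on the storage account; it does the wrap/unwrap.
  az storage account update -g "$RG" -n "$ACCOUNT" --assign-identity >/dev/null
  principal="$(az storage account show -g "$RG" -n "$ACCOUNT" --query identity.principalId -o tsv)"

  # 2. Grant the role on this one key only (--scope /keys/<name>), not the whole HSM.
  az keyvault role assignment create \
    --hsm-name "$(hsm_name "$KEY_URI")" \
    --role "$(role_for_key "$KEY_URI")" \
    --assignee-object-id "$principal" \
    --scope "/keys/$(key_name "$KEY_URI")"

  # 3. The scope: key source is Microsoft.KeyVault for vault and Managed HSM keys
  #    alike; the URI host is what selects the Managed HSM.
  az storage account encryption-scope create \
    -g "$RG" --account-name "$ACCOUNT" -n "$SCOPE" \
    --key-source Microsoft.KeyVault --key-uri "$KEY_URI"

  # 4. Container pinned to the scope; override prevention stops an uploader
  #    from writing a blob under a different (weaker) scope in this container.
  az storage container create --account-name "$ACCOUNT" -n "$CONTAINER" \
    --default-encryption-scope "$SCOPE" --prevent-encryption-scope-override true \
    --auth-mode login

  # 5. Show what the service recorded for the scope (source, key URI, state).
  az storage account encryption-scope show -g "$RG" --account-name "$ACCOUNT" -n "$SCOPE" -o json
}

# Only talk to Azure when explicitly asked; the helpers above are pure shell
# and can be exercised without a subscription.
if [ "${AZ_APPLY:-0}" = 1 ]; then
  configure_scope
fi
```

Run it as `AZ_APPLY=1 KEY_URI=https://<your-hsm>.managedhsm.azure.net/keys/<key> sh scope.sh` after `az login`. Step 2 must succeed before step 3: the service validates that the storage account identity can wrap and unwrap with the key when the scope is created, and a missing role assignment surfaces there as a permission error, which is the same condition that leaves the portal dropdown empty.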
