Storage account CMK key has expired but we are still able to read the data and logs are still being written

suresh Reddy 61 Reputation points
2025-01-15T11:42:57.4266667+00:00

We have a storage account in our subscription, and we observed that the key displayed under Encryption has expired. But we are still able to read the storage account data. We also see some logs being written to the storage account.

Can you please help us understand a few things.

  1. How are we able to read the storage account data even though the data encryption key has expired?
  2. We see some logs being written to the storage account. Can you please confirm which service or resource is writing these logs to the storage account?
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.

1 answer

  1. Nandamuri Pranay Teja 325 Reputation points Microsoft Vendor
    2025-01-15T13:35:15.7966667+00:00

    Hello suresh Reddy

    Welcome to Microsoft Q&A Forum. Thanks for posting your query here!

    I understand that your CMK key has expired but you are still able to read the data, and logs are still being written.

    Please be informed that if the data encryption key for your storage account has expired, it should not be possible to read any data that was encrypted with that key. However, you are able to read the data because it was not encrypted, or was encrypted with a different key. You can check the encryption settings for your storage account by opening the Azure portal, navigating to the storage account, and selecting "Encryption". This will show you the encryption settings for your storage account, including the encryption type and the status of the encryption keys.

    To determine which service or resource is writing logs to your Azure storage account, you can follow these steps:

    • Navigate to the storage account that is receiving the logs.
    • Select "Logs" from the left-hand menu.
    • In the "Logs" blade, you will see a list of all the logs that have been written to the storage account. You can filter the logs by date, time, and resource type to narrow down the search.
    • Look for the "SourceSystem" field in the log entries. This field indicates which service or resource is writing the logs to the storage account.

    Additional information: Documentation on managed key data encryption

    https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-storage#customer-managed-key-data-encryption

    https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption

    Let me know if you have any questions or concerns; we are here at your service.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful", which might be beneficial to other community members reading this thread.

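As an added example (not code from the question or the answer above), the script below triages both questions offline, from data shaped like Azure CLI output. The account JSON, subscription ID, vault name, key name and blob listing are all constructed samples. It assumes the field names that `az storage account show` (`encryption.keyVaultProperties.currentVersionedKeyIdentifier`, `currentVersionedKeyExpirationTimestamp`) and `az keyvault key show` (`attributes.expires`, a Unix timestamp) return, and the blob path layout that Azure Monitor diagnostic settings use when they archive to a storage account (`insights-logs-<category>/resourceId=<ARM resource ID>/y=.../m=.../d=.../h=.../m=00/PT1H.json`), which identifies the emitting resource without reading the blob contents. Classic Storage Analytics logging is recognised by its `$logs` container.

```python
"""Added example (not from the original thread): offline triage of the two
questions above, using constructed sample data shaped like Azure CLI output.
No Azure connection is needed to run it."""
import re
from datetime import datetime, timezone

# Constructed sample: trimmed `az storage account show -o json` output.
SAMPLE_ACCOUNT = {
    "name": "contosologs",
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "storage-cmk",
            "keyVaultUri": "https://contoso-kv.vault.azure.net/",
            "keyVersion": "",  # empty string = automatic key version rotation
            "currentVersionedKeyIdentifier":
                "https://contoso-kv.vault.azure.net/keys/storage-cmk/9f6c1d2e3b4a5c6d7e8f9a0b1c2d3e4f",
            "currentVersionedKeyExpirationTimestamp": "2024-12-31T00:00:00+00:00",
        },
    },
}

# Constructed sample: (container, blob name) pairs as `az storage blob list` would show them.
SAMPLE_BLOBS = [
    ("insights-logs-auditevent",
     "resourceId=/SUBSCRIPTIONS/11111111-2222-3333-4444-555555555555/RESOURCEGROUPS/RG-PROD"
     "/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSO-KV/y=2025/m=01/d=15/h=11/m=00/PT1H.json"),
    ("insights-logs-networksecuritygroupevent",
     "resourceId=/SUBSCRIPTIONS/11111111-2222-3333-4444-555555555555/RESOURCEGROUPS/RG-PROD"
     "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG/y=2025/m=01/d=15/h=11/m=00/PT1H.json"),
    ("$logs", "blob/2025/01/15/1100/000000.log"),   # classic Storage Analytics logging
    ("backups", "db/2025-01-14.bak"),               # not a log writer we can identify by path
]


def _parse_iso(stamp):
    """Parse an ISO 8601 timestamp; Azure may emit a trailing 'Z' instead of '+00:00'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def cmk_status(account, now_iso, kv_expires_epoch=None):
    """Q1: classify the account's encryption key and say whether it is expired at now_iso.

    kv_expires_epoch is the fallback from `az keyvault key show` (attributes.expires)
    for API versions that do not return currentVersionedKeyExpirationTimestamp.
    """
    now = _parse_iso(now_iso)
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        # Microsoft-managed key (MMK): there is no Key Vault key that could expire.
        return {"mode": "MMK", "key_id": None, "expires": None, "expired": None}
    kvp = enc.get("keyVaultProperties") or {}
    expires = None
    stamp = kvp.get("currentVersionedKeyExpirationTimestamp")
    if stamp:
        expires = _parse_iso(stamp)
    elif kv_expires_epoch is not None:
        expires = datetime.fromtimestamp(kv_expires_epoch, tz=timezone.utc)
    return {
        "mode": "CMK",
        "key_id": kvp.get("currentVersionedKeyIdentifier") or kvp.get("keyName"),
        "expires": expires.isoformat() if expires else None,
        # None = no expiry recorded anywhere (the key may simply have no `exp` attribute).
        "expired": None if expires is None else expires <= now,
    }


# Azure Monitor archive path: resourceId=<ARM id>/y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json
DIAG_PATH = re.compile(
    r"^resourceId=(?P<rid>/SUBSCRIPTIONS/.+?)/y=\d{4}/m=\d{2}/d=\d{2}/h=\d{2}/m=\d{2}/",
    re.IGNORECASE,
)


def attribute_log_blob(container, blob_name):
    """Q2: identify who wrote one blob from its container name and path alone."""
    m = DIAG_PATH.match(blob_name)
    if container.lower().startswith("insights-") and m:
        rid = m.group("rid")
        parts = rid.split("/")
        upper = [p.upper() for p in parts]
        rtype = rname = ""
        if "PROVIDERS" in upper:
            i = upper.index("PROVIDERS")
            rtype = "/".join(parts[i + 1:i + 3])            # e.g. MICROSOFT.KEYVAULT/VAULTS
            rname = parts[i + 3] if len(parts) > i + 3 else ""
        return {"writer": "Azure Monitor diagnostic settings",
                "category": re.sub(r"^insights-(logs-)?", "", container, flags=re.IGNORECASE),
                "resource_id": rid, "resource_type": rtype, "resource_name": rname}
    if container == "$logs":
        return {"writer": "Storage Analytics logging (this storage account)",
                "category": "storage-analytics", "resource_id": None, "resource_type": "",
                "resource_name": blob_name.split("/", 1)[0]}   # blob | table | queue
    return {"writer": "unknown (inspect blob contents)", "category": "",
            "resource_id": None, "resource_type": "", "resource_name": ""}


def log_writers(blobs):
    """Group a blob listing by writer: {writer label: sorted resource IDs or service names}."""
    out = {}
    for container, name in blobs:
        a = attribute_log_blob(container, name)
        out.setdefault(a["writer"], set()).add(a["resource_id"] or a["resource_name"] or "-")
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    print("CMK:", cmk_status(SAMPLE_ACCOUNT, datetime.now(timezone.utc).isoformat()))
    for writer, sources in log_writers(SAMPLE_BLOBS).items():
        print(writer)
        for s in sources:
            print("   ", s)
```

Feed it the real output of `az storage account show -n <account> -g <rg> -o json` and `az storage blob list --account-name <account> -c <container>` for each `insights-*` and `$logs` container; the resource IDs it prints are the resources whose diagnostic settings (`az monitor diagnostic-settings list --resource <id>`) point at this account.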

