Storing client keys in cloud app



  • I'm using Azure to store customer data. In a specific country, there are multiple partners. Each partner has his clients. The issue is they don't want us to have access to this data. In other words, the only one who can access the data is the partner and the client. So I'm thinking of using a master key for each partner but I'm not if not the best approach.

    My idea is to create 2 layers of encryption:

    Client App Azure storage Partner Client
    encrypt data (only client and partner can opened) encrypt data with Microsoft encyption Get the data Can get his data

    At this step I'm blocked in the first step where how can I encrypt the data without storing the encryption key of partner(s).

    Do you have any suggestions?



  • You can use Azure Key Vault in conjunction with Azure Blob Storage enabled with customer-managed key to meet this requirement. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

    CMK flow

    The following list explains the numbered steps in the diagram:

    1. An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the storage account.
    2. An Azure Storage admin configures encryption with a customer-managed key for the storage account.
    3. Azure Storage uses the managed identity that's associated with the storage account to authenticate access to Azure Key Vault via Azure Active Directory.
    4. Azure Storage wraps the account encryption key with the customer key in Azure Key Vault.
    5. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

    https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2