1

Need to store some content in Azure Blob Storage, and want to encrypt prior to storing it on Azure Blob (we don't want to rely on Azure storage encryption on-rest). The issue is we do not want to store our encryption keys on Azure (e.g. Key vault), and store it outside of Azure.

Any suggestion on strategies for achieving this? One of the possible option is to keep encryption logic inside HSMs outside Azure, but that would be quite expensive. Keeping keys in database wouldn't fly well either from security perspective. Appreciate if there are any other recommendations?

Anders
  • 65,052
  • 24
  • 180
  • 218
Purple haze
  • 11
  • 1
  • Youre enumerating this you don't want to do without providing any reasons for such. This sounds like a [YX problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) to me. In any case, either you're asking for a product recommendation (which is out of scope) or you're not providing enough information to guide you in the right direction. – Stephane Mar 17 '17 at 08:38
  • Hi Stephane, key security is paramount - hence we want to store it by ourselves. – Purple haze Mar 17 '17 at 08:42
  • Again, you're not providing any useful information as to what kind of protecting/architecture/environment/requirements you have. – Stephane Mar 17 '17 at 08:48
  • 1
    I could answer "write your keys on a piece of paper and place it in a safe" and that would be a valid answer to the question you asked. I doubt, however, that this would answer the question you _mean_ to ask – Stephane Mar 17 '17 at 08:49
  • We plan to encrypt blobs with encryption key, and will further encrypt the encryption key with separate key encryption key. We will need way to be able to store/ and later read these keys for decryption. There will be plenty of such keys. And application on Azure should be able to securely store/ read these keys automated way. Concern is where to manage these keys on-premise in a secure way. Options I came across were HSMs (expensive), Db (is it a good option?). Looking to hear if there are more suggestions to manage these keys. – Purple haze Mar 17 '17 at 08:57

0 Answers0