What is the frequency of key rotation of the Azure-managed key for a storage account? After the key rotation, how is the decryption process managed for old data?
@SripadaBhargav there isn't a specific time that's set for you to rotate keys. The normal advice is to do it between 3 and 6 months; consider it the same as a normal password policy. If there is an immediate security concern, then instant key rotation should be performed.
When it comes to the existing data, it would be encrypted using the new key without interruption to your applications.
Does this answer your questions?
Thanks,
Adam
Hi Team,
My query was regarding Azure-managed key rotation, not about customer-managed keys. As mentioned earlier, I would like to know the frequency of key rotation and also how decryption of old data is taken care of.
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#about-encryption-key-management
Bhargav Sripada
Technical Lead, App Platform Eng Cloud
Kony, Inc.
From: Adam-Smith-MSFT notifications@github.com
Reply to: MicrosoftDocs/azure-docs reply@reply.github.com
Date: Thursday, 17 October 2019 at 2:34 AM
To: MicrosoftDocs/azure-docs azure-docs@noreply.github.com
Cc: Bhargav Sripada bhargav.sripada@Kony.com, Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/azure-docs] What is the frequency of key rotation of azure managed key for storage account ? (#40842)
@SripadaBhargav there isn't a specific time that's set for you to rotate keys. The normal advice is to do it between 3 and 6 months; consider it the same as a normal password policy. If there is an immediate security concern, then instant key rotation should be performed.
When it comes to the existing data, it would be encrypted using the new key without interruption to your applications.
Does this answer your questions?
Thanks,
Adam
Hi @SripadaBhargav - When a storage account is configured with a Microsoft-managed key, the storage service takes care of key rotation yearly. I'm not sure I understand what you mean by "decryption of old data". When the key is rotated, the account encryption key is wrapped with the new key version. This does not result in re-encryption of existing data, and there is no other action required from the end user.
We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.
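The key hierarchy described in the answer above (a versioned key wraps one account encryption key, and rotation only re-wraps it) can be modelled as follows. This is an added example, not part of the thread and not Microsoft's implementation: the `Account` class and all names are hypothetical, and a toy HMAC-based cipher stands in for the AES-256 encryption a real service would use.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy keystream cipher standing in for AES-256; illustration only.
    enc = _prf(key, b"enc")
    blocks = (_prf(enc, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(key, nonce, ct)

class Account:
    """Hypothetical model: a versioned top-level key wraps one account encryption key."""
    def __init__(self):
        self.key_versions = {1: secrets.token_bytes(32)}
        self.wrapped_aek = (1, seal(self.key_versions[1], secrets.token_bytes(32)))
        self.blobs = {}

    def _aek(self):
        version, wrapped = self.wrapped_aek
        return unseal(self.key_versions[version], wrapped)

    def write(self, name, data):
        self.blobs[name] = seal(self._aek(), data)

    def read(self, name):
        return unseal(self._aek(), self.blobs[name])

    def rotate(self):
        # Only the small wrapped key is re-encrypted; stored blobs are untouched.
        aek, new_version = self._aek(), self.wrapped_aek[0] + 1
        self.key_versions[new_version] = secrets.token_bytes(32)
        self.wrapped_aek = (new_version, seal(self.key_versions[new_version], aek))

def demo():
    acct = Account()
    acct.write("old.txt", b"written before rotation")  # constructed sample data
    stored_before = acct.blobs["old.txt"]
    acct.rotate()
    return acct, stored_before
```

After `rotate()`, the stored ciphertext for `old.txt` is byte-for-byte identical and still readable, while the wrapped key can only be opened with the new key version.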
@shalinoid Is there any way that a customer can know when a key has been rotated and get a history of when that happens?
@ToddBowman - There's currently no API that exposes this functionality.
If we needed that information for a security audit, can we get it by submitting a support request?