CoursesAzure securityKey Vault & encryption

CMK, Managed HSM & at-rest

Own the key, the rotation, and the kill switch.

Expert30 min · lesson 8 of 15

All Azure data at rest is encrypted by default with platform-managed keys, so the security decision is whether you need to control the keys yourself. Customer-managed keys in Key Vault (or Managed HSM) are how you gain rotation control, access governance, and a revocation switch.

Platform keys vs CMK vs Managed HSM

Platform-managed keys are invisible and uncontrollable. Customer-managed keys (CMK) let you supply a Key Vault key for Storage, managed-disk, SQL TDE, and more — you own the rotation schedule, the access policy, and the ability to disable the key, which instantly makes the encrypted data unreadable. Managed HSM goes further: a single-tenant, FIPS 140-2 Level 3 hardware-backed pool for keys that must never leave certified hardware, the right choice for regulated workloads needing attestable custody. Infrastructure (double) encryption adds a second layer for the most sensitive data.

CMK on a storage account with rotation
# Point a storage account at a customer-managed key in Key Vault.
az storage account update -g rg -n acmedata \
--encryption-key-source Microsoft.Keyvault \
--encryption-key-vault https://app-kv.vault.azure.net \
--encryption-key-name storage-cmk --encryption-key-version "" # "" = auto-follow rotations
# Rotating the key in Key Vault re-wraps the data key; existing data stays
# readable and no bulk re-encryption is needed (envelope encryption).

The control CMK actually buys

The point of CMK is not stronger cryptography — platform keys are already strong — it is governance: you can prove custody, rotate on your schedule, separate the key admin from the data admin, and revoke access by disabling the key during an incident. Under the hood it is envelope encryption, so rotating the key-encryption key re-wraps the data key without re-encrypting the data. For sovereignty regimes, Confidential Computing (encryption in use) and region/personnel controls extend the model to data in memory.

Encryption control options
less control, less work
platform-managed keys
default, no revocation
CMK in Key Vault
rotation, access, disable switch
more control, more work
Managed HSM CMK
FIPS L3, non-exportable
infra + confidential compute
double at-rest, encryption in use
Climb only as high as the requirement demands. Each rung adds availability dependency on your key and operational ritual you must sustain.
Disabling a CMK is a real kill switch — and a real outage risk
Disabling or deleting a customer-managed key makes every service that depends on it unable to decrypt, which is powerful for incident containment and dangerous by accident. Guard the key with purge protection and tight RBAC, monitor its availability, and rehearse the revoke/restore path before you ever need it.