
Setting up Customer-Managed Encryption Keys (CMEK) for Azure storage accounts

Version 1.1, 18 October 2025

Written by Maja Lehbert

This document provides step-by-step instructions for configuring Customer-managed Encryption Keys to encrypt data in Azure Storage Accounts. Please follow these instructions carefully to ensure proper setup and functionality.

This setup uses Azure's managed key service (Azure Key Vault) by default. Integrating third-party encryption key providers should be possible, but at present we require the encryption key to be available in an Azure Key Vault.

Client Prerequisites

  • Administrative access to your Azure Entra ID (formerly Azure AD) tenant

  • Permissions to create and manage Azure Key Vault resources

  • Proper network connectivity to Azure services

Setup Instructions

Step 1: Application Registration

  1. Sign in to the Azure Portal

  2. Open a web browser and navigate to the following URL, replacing the placeholder values:

https://login.microsoftonline.com/<your-tenant-id>/oauth2/authorize?client_id=52e738b0-c8a2-4e64-b70b-792b5c3c5618&response_type=code&redirect_uri=<redirect-uri>

Important: This step must be performed by a user with administrative privileges to grant admin consent in Azure Entra ID.

The client id identifies our Application Registration, Legora BYOK. The redirect URI does not matter; it can simply be set to localhost:3000 or app.eu.legora.com.

<your-tenant-id> is a placeholder for the Microsoft tenant in which you would like to add the Legora service principal.

  3. Complete the authentication process and grant the requested permissions.

Step 2: Verify Application Registration

  1. In the Azure Portal, navigate to Azure Entra ID > Enterprise Applications

  2. Locate the newly registered application

  3. Select the "Properties" tab

  4. Verify that "Enabled for users to sign-in" is set to "Yes"

  5. If disabled, toggle the setting to "Yes" and save the changes

Step 3: Key Vault Configuration

  1. Navigate to your existing Azure Key Vault, or create a new one:

  • If creating a new one:

    1. Go to Azure Portal > Key Vaults > Create

    2. Select appropriate subscription and resource group

    3. Choose a unique name for your key vault

    4. Select the appropriate region

    5. Choose your pricing tier

    6. Complete the creation process

  2. Configure access for the registered application using one of these methods:

Option A: Using RBAC (Recommended)

  1. Navigate to the Key Vault's Access Control (IAM)

  2. Click "Add" > "Add role assignment"

  3. Search for and select "Key Vault Crypto Service Encryption User"

  4. Assign it to the registered application

Option B: Using Access Policies

  1. Navigate to the Key Vault's Access Policies

  2. Click "Add Access Policy"

  3. Configure the following permissions:

  • Key Management Operations:

    1. Get

    2. List

    3. Update

    4. Create

    5. Import

  • Cryptographic Operations:

    1. Unwrap Key

    2. Wrap Key

  4. Select the registered application as the principal

  5. Save the changes

Step 4: Key Creation

  1. In your Key Vault, navigate to the "Keys" section

  2. Click "Generate/Import"

  3. Provide the following details:

    1. Name: Choose a meaningful name for your key

    2. Key Type: RSA

    3. RSA Key Size: 2048 (minimum)

    4. Enabled: Yes

  4. Click "Create"

  5. Once created, click on the key and copy the "Key Identifier" URI
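The same configuration can be scripted with the Azure CLI. The script below is an added example and is not part of this article or of Legora's tooling; it mirrors Step 3 (both the RBAC and the access-policy option), Step 4, and a format check on the Key Identifier URI before it is sent in Step 5. The application id is the one from the Step 1 URL; RESOURCE_GROUP, VAULT_NAME, LOCATION and KEY_NAME are placeholder values you supply. The purge-protection flag on the vault is not mentioned in the article and is included as an added safeguard against the "access to the key is lost" scenario in the FAQ.

```shell
#!/bin/sh
# Added example, not from the original article: Azure CLI equivalent of
# Steps 3 and 4, plus a pre-check for the Key Identifier URI of Step 5.
# Placeholder inputs: RESOURCE_GROUP, VAULT_NAME, LOCATION, KEY_NAME.
set -eu

# Client (application) id of the "Legora BYOK" app registration (from Step 1).
LEGORA_APP_ID="52e738b0-c8a2-4e64-b70b-792b5c3c5618"

# Step 3, Option A: create an RBAC-authorized vault and grant the registered
# application the "Key Vault Crypto Service Encryption User" role.
configure_vault_rbac() {
  rg="$1"; vault="$2"; location="$3"
  # Purge protection is an added safeguard, not a requirement stated in the article.
  az keyvault create --name "$vault" --resource-group "$rg" --location "$location" \
    --enable-rbac-authorization true --enable-purge-protection true --output none

  vault_id=$(az keyvault show --name "$vault" --resource-group "$rg" --query id -o tsv)
  # Object id of the enterprise application (service principal) created in Step 1.
  sp_object_id=$(az ad sp show --id "$LEGORA_APP_ID" --query id -o tsv)

  az role assignment create --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" \
    --scope "$vault_id" --output none
}

# Step 3, Option B: the same grant expressed as a vault access policy.
configure_vault_access_policy() {
  vault="$1"
  sp_object_id=$(az ad sp show --id "$LEGORA_APP_ID" --query id -o tsv)
  az keyvault set-policy --name "$vault" --object-id "$sp_object_id" \
    --key-permissions get list update create import wrapKey unwrapKey --output none
}

# Step 4: create an enabled RSA-2048 key and print its Key Identifier URI.
create_cmek_key() {
  vault="$1"; key="$2"
  az keyvault key create --vault-name "$vault" --name "$key" \
    --kty RSA --size 2048 --query key.kid -o tsv
}

# Step 5 pre-check: an HTTPS Key Vault *key* URI, optionally ending in a
# 32-hex-character version. Returns non-zero for anything else.
validate_key_id() {
  printf '%s' "$1" | grep -Eq \
    '^https://[A-Za-z0-9-]{3,24}\.vault\.azure\.net/keys/[A-Za-z0-9-]{1,127}(/[0-9a-f]{32})?$'
}

# Prints the version segment of a Key Identifier, or nothing if it has none.
key_id_version() {
  case "$1" in
    */keys/*/*) printf '%s' "${1##*/}" ;;
    *) printf '' ;;
  esac
}

# Run end to end only when the operator supplies the placeholder values.
if [ -n "${VAULT_NAME:-}" ]; then
  configure_vault_rbac "${RESOURCE_GROUP:?}" "$VAULT_NAME" "${LOCATION:?}"
  kid=$(create_cmek_key "$VAULT_NAME" "${KEY_NAME:?}")
  validate_key_id "$kid" || { echo "unexpected key identifier: $kid" >&2; exit 1; }
  echo "Key Identifier to send to Legora: $kid"
fi
```

Run it as `RESOURCE_GROUP=... VAULT_NAME=... LOCATION=... KEY_NAME=... sh cmek.sh` after `az login` with an account that can create role assignments on the vault. The `key_id_version` helper only reports whether the URI you copied from the portal carries a version suffix; whether to send the versioned or versionless form is for your Legora contact to confirm.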

Step 5: Final Steps

Send the Key Identifier URI to your contact at Legora for configuration. The URI should look similar to:

FAQ

Q: How long does it take for the key to become active?

A: Once properly configured, the key becomes active immediately. However, allow up to 10 minutes for the encryption to propagate across all systems.

Q: Can I use an existing Key Vault?

A: Yes, you can use any existing Key Vault as long as it's in a supported region and the application has proper permissions.

Q: What happens if access to the key is lost?

A: If access to the encryption key is lost, data may become inaccessible. It's crucial to maintain proper access management and backup procedures.

Q: Can I rotate the encryption key?

A: Yes, both manual and automatic key rotation are supported. We use the latest available version of the key, so whenever a key is rotated, either manually or automatically, the new key will automatically be propagated by Azure. However, please allow up to a few hours for the key to be propagated correctly.

Q: What regions are supported?

A: CMEK is supported in all regions where Azure Key Vault is available. For optimal performance, we recommend a Key Vault location close to the Storage Account region (East US and Sweden Central for US/EU respectively).

Q: Can I use different keys for different storage accounts?

A: Yes, you can use different keys for different storage accounts, but each storage account can only use one key at a time.
