Uploading an Asymmetric Key for Azure Blob Storage FAQ


    In the coming months, we plan to migrate our underlying long-term storage system from Azure Disk block storage to Azure Blob object storage.

    The new Azure Blob storage has many benefits over the current Azure Disk storage, and with this migration we intend to improve our service for our customers by moving to a highly scalable and highly reliable object storage service.

    The existing block storage uses symmetric encryption keys, while the new Azure Blob storage service uses asymmetric keys. Because of this, customers using BYOK must generate an asymmetric encryption key to enable the migration of their data to Blob storage.

    For instructions on generating and uploading the key, see Uploading an Asymmetric Key for Azure Blob Storage Procedure.


    Q. How long will the migration of my data take?

    A. The duration of the migration depends on the amount of data currently stored and the speed at which Azure moves it from disk storage to object storage.

    Q. Will my data remain encrypted?

    A. Your data is already encrypted at rest. The data will remain encrypted in transit and will be re-encrypted with the new key on the new Blob Storage. The data will remain encrypted throughout the entire migration process.

    Q. Where is my data stored during the re-encryption process?

    A. The re-encryption process takes place in memory, in an isolated processing space dedicated to each Customer Data environment. 

    Q. Will my data be accessible in the migration process?

    A. Yes.

    Q. What happens to the disks and snapshots that previously contained my data?

    A. Once all data is migrated, the disk will be removed.

    Q. What happens to my new backups once I provide the updated key? Are they on Blob or on Disk, to be migrated when the migration is complete?

    A. It can take time for the migration process to complete. After you submit the new key, there might be a period during which new backups are still written to disk with the old key, until the migration process is completed.

    Q. How is my data segregated from other tenants in the new Blob Storage?

    A. As a Customer using BYOK, you will have a unique Blob Storage account namespace that segregates and isolates your Customer Data using Cloud Service Provider Identity and Access Management controls.

    Q. What visibility will I have throughout the migration process (notifications, status updates, etc.)?

    A. The master admin of the account will get an email once the migration is completed and all backups are stored and encrypted with the new key.

    Q. Can we get a copy of the architecture diagram showing the new Blob Storage?

    A. The newest architecture diagram can be seen below:

