Rotating Azure Storage Keys and Renewing Encryption Certificates
This article explains the importance of regularly rotating Azure Storage account keys and renewing encryption certificates in Luware Recording. It provides best practices, prerequisites, and step-by-step procedures to perform these tasks, helping maintain data protection and compliance.
Overview
In Luware Recording, Azure Storage account access keys secure access to stored recordings, and encryption certificates ensure that recorded data remains confidential to authorized parties. 💡 Regularly rotating storage keys and renewing encryption certificates minimizes the risk of unauthorized access or data breaches if a key is compromised or a certificate expires. Schedule these tasks during planned maintenance windows to avoid impacting users, and use reminders or Azure Key Vault policies for automation.
Importance of Regular Rotation
Storage Key Rotation
Regenerating Azure Storage account keys reduces exposure if a key leaks, because these keys grant full data access. Security frameworks recommend 90-day rotations. Regenerating a key also invalidates related shared access signatures (SAS).
Encryption Certificate Renewal
Certificates encrypt and decrypt recorded files in Luware Recording. Renew the certificate before it expires so that new recordings are not left unencrypted.
☝ Never delete old certificates, as they are required to decrypt legacy data.
Prerequisites
For Storage Key Rotation
- Azure roles: Owner, Contributor, or Storage Account Key Operator Service Role, which provide the Microsoft.Storage/storageAccounts/regenerateKey/action permission.
- Luware Recording Admin access to update keys in the portal.
- Use alternate keys (Key1/Key2) to rotate without downtime.
For Encryption Certificate Renewal
- Prepare new certificate (with private key) meeting Luware requirements.
- Contact Luware support for secure upload (PFX file and password).
- Retain existing certificates.
🔍 See Azure Storage Preconditions
Rotating Azure Storage Keys (Step-by-Step)
- Log in to Azure Portal with required permissions and navigate to the Luware Recording storage account > Security + Networking > Access keys.
- Regenerate the inactive key (e.g. Key2 if using Key1). ☝ Confirm no services use it to avoid downtime.
- Update the new key in Luware Recording Portal (Admin access required). Reference: Securely Input Shared Access Key.
- Validate: Record a test call, confirm upload in portal and Azure Storage container.
- Repeat for second key later.
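The key-selection part of the steps above can be checked before touching the portal. The following is an added example, not Luware or Microsoft code: it reads the JSON printed by `az storage account keys list`, picks the key that is safe to regenerate first given the key currently entered in Luware Recording, and flags keys older than 90 days. The sample data, the function names and the choice to treat a missing creation time as overdue are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # rotation interval stated in the article

# Constructed sample in the shape printed by `az storage account keys list`;
# key values are placeholders, not real secrets.
SAMPLE_KEYS_JSON = """
[
  {"creationTime": "2025-01-10T08:00:00+00:00", "keyName": "key1",
   "permissions": "FULL", "value": "<placeholder>"},
  {"creationTime": null, "keyName": "key2",
   "permissions": "FULL", "value": "<placeholder>"}
]
"""

def key_age(entry, now):
    """Return the key's age, or None when Azure reports no creation time."""
    created = entry.get("creationTime")
    if created is None:
        return None
    return now - datetime.fromisoformat(created)

def plan_rotation(keys_json, active_key, now):
    """Decide which key to regenerate first and which keys are overdue.

    active_key is the key currently entered in the Luware Recording portal;
    the other key is the one that can be regenerated without downtime.
    """
    keys = {k["keyName"]: k for k in json.loads(keys_json)}
    if active_key not in keys:
        raise ValueError(f"unknown active key: {active_key}")
    inactive = [name for name in keys if name != active_key]
    if len(inactive) != 1:
        raise ValueError("expected exactly two account keys")
    overdue = []
    for name, entry in sorted(keys.items()):
        age = key_age(entry, now)
        # Unknown age is treated as overdue (assumption: fail safe).
        if age is None or age > MAX_AGE:
            overdue.append(name)
    return {"regenerate_first": inactive[0],
            "then_regenerate": active_key,
            "overdue": overdue}

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    print(plan_rotation(SAMPLE_KEYS_JSON, "key1", now))
```

Regenerate the key named in regenerate_first, update it in the Luware Recording Portal and validate a test recording before regenerating the second key.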
Renewing Encryption Certificates (Step-by-Step)
- Generate new certificate per Luware specs.
- Open support ticket; upload PFX file and password via secure link to Luware Key Vault.
- Luware confirms activation for new recordings.
- Validate: Test new recording playback (encrypt/decrypt) and old recording access.
- Archive old certificate securely.
Mitigating Issues
- Auth failures post-rotation: Verify key entry, switch to alternate key temporarily.
- Decryption errors: Confirm old certificates retained; contact Luware.
- Playback failures: Check environment, logs; involve support.
Testing and Validation
- Confirm new recording upload and playback.
- Verify old recording playback.
💡 Perform regularly (e.g., 90 days for keys) to sustain security and compliance.
Need more help?
Feel free to raise a case with Luware Support via the Luware Helpdesk if you require any further support rotating your storage keys.