Disable encryption for storage account

1
votes

I want to create a storage account with encryption in disabled state. But by default encryption is enabled while creating a storage.There is no option in dashboard to disable it. I referred a Microsoft API and tried with the below request but its not working.

{
"sku": {
    "name": "Standard_LRS"
},
"kind": "Storage",
"location": "westus2",
"encryption": {
    "services": {
        "blob": {
            "enabled": False
        }
    }
}}

Response:

{"error":{"code":"InvalidRequestContent","message":"The request content was invalid and could not be deserialized: 'Could not find member 'encryption' on object of type 'ResourceDefinition'. Path 'encryption', line 1, position 47.'."}}

Kindly help me out to solve this.

2
azureazure-storageazure-powershellazure-template

2 Answers

0
votes

The reason you're getting this error is because encryption attribute should be inside properties attribute. Please change your request body to something like:

{
    "sku": {
        "name": "Standard_LRS"
    },
    "kind": "Storage",
    "location": "westus2",
    "properties": {
        "encryption": {
            "keySource": "Microsoft.Storage"
            "services": {
                "blob": {
                    "enabled": False
                }
            }
        }
    }
}

Or other thing you could do is get rid of encryption attribute all together. So in that case, your request body would look something like:

{
    "sku": {
        "name": "Standard_LRS"
    },
    "kind": "Storage",
    "location": "westus2",
    "properties": {
    }
}

However I am curious as to why you would want to disable encryption at rest.

0
votes

I did a test in my lab with following scripts:

    {
        "sku": {
            "name": "Standard_LRS"
        },
        "kind": "Storage",
        "location": "westus2",
        "properties": {
        }
    }

But when I went to Azure portal and found that the blob still was Encrypted.

I also tested many other possible templates, but all failed to disable Encryption when creating the Storage Account. I assume that it may be caused by design : Azure forces each Storage account to be Encrypted at beginning.

If you still want to disable the Encryption, you can use following powershell scripts to do this:

Set-AzureRmStorageAccount -ResourceGroupName "ResourceGroupName" -AccountName "YourstorageAccountName" -DisableEncryptionService blob

You can see more details about Set-AzureRmStorageAccount in this document.

Hope this helps!