Azure Storage Encryption
This document provides a comprehensive overview of how Azure Storage encrypts your data at rest and in transit.
Data Encryption at Rest
Azure Storage automatically encrypts all data written to its services, including blobs, files, queues, and tables. This encryption is done using AES-256, one of the strongest block ciphers available. This means your data is encrypted by default without any action required from you.
Storage Service Encryption (SSE)
Storage Service Encryption (SSE) is the primary mechanism for encrypting data at rest in Azure Storage. It has two main flavors:
- SSE with Microsoft-Managed Keys (SSE-MMK): This is the default encryption for Azure Storage. Microsoft manages the encryption keys, and keys are automatically rotated.
- SSE with Customer-Managed Keys (SSE-CMK): This allows you to manage your own encryption keys through Azure Key Vault. You have more control over key rotation and access policies.
Encryption Scope
Data is encrypted at the storage account level. This means all data within a storage account, regardless of the service (blobs, files, queues, tables), is protected by SSE.
Data Encryption in Transit
Azure Storage also encrypts data while it's in transit over the public internet. This is typically achieved using:
- HTTPS/TLS: Requests to Azure Storage endpoints should be made over HTTPS (TLS 1.2 or higher). Azure Storage supports HTTPS for every operation, and a storage account can be configured to reject plain HTTP requests (see Enforcing Encryption in Transit below).
- SMB 3.0 encryption: For Azure Files, SMB 3.0 encryption can be enabled to secure data in transit when accessed from supported clients.
Enabling Encryption
Storage Service Encryption (SSE)
As mentioned, SSE with Microsoft-Managed Keys is enabled by default for all new and existing storage accounts. You do not need to take any action to enable it.
To enable SSE with Customer-Managed Keys:
- Create or select an existing Azure Key Vault.
- Create or import your encryption key into Key Vault.
- Configure your storage account to use the key from Key Vault.
You can manage these settings via the Azure portal, Azure PowerShell, or Azure CLI.
Enforcing Encryption in Transit
You can enforce the use of HTTPS for all requests to your storage account. This setting is available in the storage account's configuration.
# Example using Azure CLI to enforce HTTPS
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --https-only true
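Enforcing the setting is only half the job; a defender also wants to know which accounts in a subscription still accept plain HTTP or an old TLS version. The POSIX shell audit below is an added example, not code from the original page: it reads the account name, HTTPS-only flag and minimum TLS version as produced by az storage account list with the query shown in the comments, and reports every account that falls short. The three account rows are constructed sample data, and fix_transport is a hypothetical helper that wraps the update command above together with the minimum TLS version flag.

```shell
#!/bin/sh
# Added example (not from the original page): audit storage accounts for
# HTTPS-only traffic and a minimum TLS version of 1.2 or higher.
#
# Input is one TSV row per account:
#   <name> <enableHttpsTrafficOnly> <minimumTlsVersion>
# which is what this Azure CLI call produces:
#   az storage account list \
#     --query "[].[name,enableHttpsTrafficOnly,minimumTlsVersion]" -o tsv
#
# audit_transport prints one line per finding and returns 1 if any account
# was non-compliant, so it can gate a CI or compliance job.
audit_transport() {
  bad=0
  while IFS="$(printf '\t')" read -r name https_only min_tls; do
    [ -z "$name" ] && continue
    # az -o tsv renders booleans as True/False; accept either case.
    case "$https_only" in
      [Tt]rue) ;;
      *) printf '%s: HTTPS not enforced (enableHttpsTrafficOnly=%s)\n' \
           "$name" "$https_only"; bad=1 ;;
    esac
    # An unset value means the account still uses the service default.
    case "$min_tls" in
      TLS1_2|TLS1_3) ;;
      *) printf '%s: minimum TLS version is %s, want TLS1_2 or higher\n' \
           "$name" "${min_tls:-unset}"; bad=1 ;;
    esac
  done
  return $bad
}

# fix_transport <storage-account> <resource-group>: the remediation for a
# finding, i.e. the HTTPS-only update from the page plus a TLS floor.
fix_transport() {
  az storage account update --name "$1" --resource-group "$2" \
    --https-only true --min-tls-version TLS1_2
}

# Constructed sample rows standing in for real az output.
SAMPLE_ACCOUNTS="$(printf 'prodlogs\tTrue\tTLS1_2\nlegacyblob\tFalse\tTLS1_0\nmediastore\tTrue\tTLS1_1\n')"

# Usage: set AUDIT_RUN=1 to run the audit over the sample rows; in practice
# pipe the az output straight into audit_transport instead.
if [ -n "$AUDIT_RUN" ]; then
  printf '%s\n' "$SAMPLE_ACCOUNTS" | audit_transport
fi
```

On the constructed rows the audit flags legacyblob twice (no HTTPS enforcement, TLS 1.0) and mediastore once (TLS 1.1), while prodlogs passes; the non-zero return lets a scheduled job fail loudly rather than silently logging drift.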
Key Management
Microsoft-Managed Keys
When using SSE-MMK, Microsoft handles the entire lifecycle of the encryption keys, including generation, storage, rotation, and deletion. This provides a seamless and secure experience.
Customer-Managed Keys
With SSE-CMK, you are responsible for:
- Creating and managing encryption keys in Azure Key Vault.
- Defining key rotation policies.
- Granting the storage account's managed identity permissions to access the keys in Key Vault.
This offers greater control and transparency over your encryption keys, which is often required for regulatory compliance.
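The three steps under Enabling Encryption and the responsibilities listed above, carried out as one Azure CLI script. This is an added example and not the page's own code: the storage account, resource group, vault, key and region names are placeholders, the rotation periods in the policy are assumptions, and the run, query and configure_cmk helpers are hypothetical wrappers that print each command instead of executing it when the az CLI is not installed or DRY_RUN is set, so the sequence can be reviewed before it touches a subscription.

```shell
#!/bin/sh
# Added example, not from the original page: SSE with customer-managed keys
# set up end to end with the Azure CLI. Names are placeholders. When the az
# CLI is absent (or DRY_RUN=1), commands are printed rather than executed.
DRY_RUN="${DRY_RUN:-}"
command -v az >/dev/null 2>&1 || DRY_RUN=1

# run: execute an az command, or print it in dry-run mode.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# query: like run, but captures the command's stdout; in dry-run mode it
# prints the command to stderr and returns the supplied placeholder instead.
query() {
  placeholder="$1"; shift
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*" >&2
    printf '%s\n' "$placeholder"
  else
    "$@"
  fi
}

# Key Vault rotation policy: rotate 90 days after each version is created and
# expire versions after a year. The periods are an assumption for this example;
# pick values that match your own key management policy.
ROTATION_POLICY='{"lifetimeActions":[{"trigger":{"timeAfterCreate":"P90D"},"action":{"type":"Rotate"}}],"attributes":{"expiryTime":"P1Y"}}'

# configure_cmk <storage-account> <resource-group> <key-vault> <key-name> <location>
configure_cmk() {
  sa="$1"; rg="$2"; kv="$3"; key="$4"; loc="$5"

  # Step 1: create the Key Vault. CMK needs soft delete (on by default) and
  # purge protection, so an accidentally deleted key cannot take the data with it.
  run az keyvault create --name "$kv" --resource-group "$rg" --location "$loc" \
    --enable-purge-protection true

  # Step 2: create an RSA key (or bring your own with 'az keyvault key import')
  # and attach the rotation policy to it.
  run az keyvault key create --vault-name "$kv" --name "$key" --kty RSA --size 2048
  policy_file=$(mktemp)
  printf '%s\n' "$ROTATION_POLICY" > "$policy_file"
  run az keyvault key rotation-policy update --vault-name "$kv" --name "$key" \
    --value "$policy_file"
  rm -f "$policy_file"

  # Step 3a: give the account a system-assigned managed identity and grant that
  # identity only the key permissions wrapping and unwrapping need. Least
  # privilege: no create, delete or export rights on the vault.
  run az storage account update --name "$sa" --resource-group "$rg" --assign-identity
  principal_id=$(query '<principal-id>' az storage account show --name "$sa" \
    --resource-group "$rg" --query identity.principalId -o tsv)
  run az keyvault set-policy --name "$kv" --object-id "$principal_id" \
    --key-permissions get unwrapKey wrapKey

  # Step 3b: point the account at the key. --encryption-key-version is left out
  # on purpose so the account follows new versions produced by rotation.
  vault_uri=$(query 'https://<key-vault>.vault.azure.net/' az keyvault show \
    --name "$kv" --resource-group "$rg" --query properties.vaultUri -o tsv)
  run az storage account update --name "$sa" --resource-group "$rg" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$vault_uri" \
    --encryption-key-name "$key"

  # Check: keySource should now read Microsoft.Keyvault.
  run az storage account show --name "$sa" --resource-group "$rg" \
    --query encryption.keySource -o tsv
}

# Usage with placeholder names; set CMK_RUN=1 to execute when sourcing this file.
if [ -n "$CMK_RUN" ]; then
  configure_cmk mystorageacct my-rg my-kv storage-cmk eastus
fi
```

The access policy grants the storage account's identity get, wrapKey and unwrapKey only, which is all SSE needs to protect and recover the account key; anyone who must create, rotate or delete keys gets a separate identity with those rights, so a compromised storage-side principal cannot destroy the key material it depends on.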
Compliance and Security
Azure Storage encryption helps you meet various compliance requirements, including:
- HIPAA
- GDPR
- PCI DSS
By encrypting data at rest and in transit, you reduce the risk of unauthorized access and data breaches.