Learn about Azure Storage Encryption

Azure Storage provides encryption options to ensure data security both at rest and in transit.

Here's how to determine and configure encryption for Azure Storage.

Encryption at Rest

Azure Storage automatically encrypts all data stored using Server-Side Encryption (SSE).

There are three key management options.

Microsoft-Managed Keys

• Default Option: Azure handles the encryption keys automatically.

• No configuration required for this option.

• Provides seamless and transparent encryption with automatic updates.

Customer-Managed Keys (CMK)

You can manage encryption keys in Azure Key Vault or Azure Managed HSM.

Steps to Verify or Configure

1. Navigate to your Storage Account in the Azure portal.

2. Under Settings, click on Encryption.

3. If CMK is configured, the page will display the Key Vault and key used.

4. To configure:

   • Click Customer-managed keys.

   • Select an existing Key Vault and key, or create a new one.

Customer-Provided Keys (CPK)

• Keys are provided with each request via the Azure Storage REST API.

• Commonly used in applications requiring direct control over encryption.

Encryption in Transit

Azure encrypts data in transit using TLS (Transport Layer Security).

HTTPS Enforcement

To verify

1. Go to the Storage Account in the Azure portal.

2. Under Settings, click on Configuration.

3. Check if Secure transfer required is enabled (default is enabled for new accounts).

All requests to the storage account must use HTTPS if enabled.

SMB Protocol for Azure Files

• SMB 3.0 with encryption is used for Azure Files when mounting via SMB.

• For enhanced security, use private endpoints or VPNs with Azure Files.

Client-Side Encryption

• Ensures that data is encrypted before being sent to Azure Storage.

• Use Azure SDKs to implement client-side encryption for applications.

• Keys are managed entirely by the client, providing additional security.

Checking Encryption Status

Using Azure Portal

1. Navigate to the Storage Account.

2. Under Settings, click on Encryption.

3. Review the current encryption method:

   • Default: Microsoft-managed keys.

   • Configured: Customer-managed keys (Key Vault).

Using Azure CLI

To check the encryption status of a storage account:

xxxxxxxxxx
3
1
az storage account show \
2
--name <StorageAccountName> \
3
--query encryption

Example output:

xxxxxxxxxx
13
1
{
2
"keySource": "Microsoft.Storage",
3
"services": {
4
      "blob": {
5
         "enabled": true,
6
         "keyType": "Account"
7
      },
8
      "file": {
9
         "enabled": true,
10
         "keyType": "Account"
11
      }
12
   }
13
}

Using PowerShell

Run the following command:

xxxxxxxxxx
3
1
Get-AzStorageAccount `
2
-ResourceGroupName <ResourceGroupName> `
3
-Name <StorageAccountName> | Select-Object Encryption

Advanced Encryption Options

Encryption Scope

• Configure multiple encryption scopes within a single storage account.

• Assign different encryption scopes to containers or blobs.

Steps

1. Go to Encryption Scopes under the Settings section of your Storage Account.

2. Create a new encryption scope and associate it with a key in Key Vault if needed.

Best Practices for Azure Storage Encryption

• Use CMK for greater control and compliance needs.

• Enable Secure Transfer Required for all storage accounts.

• Regularly rotate keys stored in Azure Key Vault.

• Monitor encryption configurations using Azure Policy.

Summary

By following these steps, you can determine and enhance encryption for Azure Storage to meet your security and compliance requirements.