Step-by-Step: Azure Storage Encryption at Rest


Hello Folks,

Ever since I started covering Azure, I have been asked about encryption: How do I keep data from prying eyes? How do I ensure that the data is ALWAYS encrypted? Encryption at rest was not an option before, but now it is.

Azure Storage Service Encryption (SSE) for Data at Rest allows you to protect YOUR data to meet your security and compliance requirements. We now offer a service that automatically encrypts your data before writing it to the storage account and decrypts it when you retrieve it. It addresses audit compliance requirements and mitigates threats such as theft of, or unauthorized access to, the underlying storage media.

Before you ask: the data is encrypted using 256-bit AES encryption. Encryption, decryption, and key management are completely transparent to users.

And so simple to enable.

Before we start, here are a few prerequisites:

  1. SSE is only supported on Resource Manager storage accounts.
  2. Only newly written blobs are encrypted. SSE does not go back and encrypt data that was already present in the account.
  3. SSE is supported on both Standard Storage and Premium Storage.
  4. Currently the keys are managed by Microsoft; we are working on providing the capability for customers to bring their own encryption keys.
  5. There really is only one step for now. All you need to do is enable it, either when you create a new storage account:

[Screenshot clip_image002: the Encryption option when creating a new storage account]

Or, if your storage account already exists, open the storage account blade, scroll down to “Encryption”, enable it, and click Save to continue.

[Screenshot clip_image004: the Encryption setting in an existing storage account blade]
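For more than a handful of accounts, the portal blade gets tedious, so here is an added PowerShell example (not part of the original post) that reports which Resource Manager storage accounts in the current subscription have SSE turned on and, with -Enable, turns it on where it is off. It assumes the AzureRM module of this post's era (Get-AzureRmStorageAccount, Set-AzureRmStorageAccount -EnableEncryptionService) is installed and signed in, and that the account object exposes Encryption.Services.Blob.Enabled.

```powershell
# Added example, not from the original post. Assumes the AzureRM module
# (Login-AzureRmAccount already run) and the Encryption.Services.Blob.Enabled
# property path on the returned storage account objects.
param(
    [switch]$Enable   # without -Enable the script only reports
)

$report = foreach ($acct in Get-AzureRmStorageAccount) {
    # Get-AzureRmStorageAccount returns only Resource Manager accounts, so
    # prerequisite 1 (no classic accounts) holds for everything in this loop.
    $blobEnc = $false
    if ($acct.Encryption -and $acct.Encryption.Services.Blob) {
        $blobEnc = [bool]$acct.Encryption.Services.Blob.Enabled
    }

    if (-not $blobEnc -and $Enable) {
        # Same change as "Encryption" > Enabled > Save in the portal blade.
        Set-AzureRmStorageAccount -ResourceGroupName $acct.ResourceGroupName `
                                  -Name $acct.StorageAccountName `
                                  -EnableEncryptionService Blob | Out-Null
        $blobEnc = $true
    }

    [pscustomobject]@{
        ResourceGroup  = $acct.ResourceGroupName
        Account        = $acct.StorageAccountName
        BlobEncryption = $blobEnc
    }
}

# Unencrypted accounts sort to the top of the table.
$report | Sort-Object BlobEncryption, Account | Format-Table -AutoSize

# Per prerequisite 2, enabling SSE covers blobs written from now on; data that
# was already in the account stays unencrypted until it is rewritten.
```

Run it once without -Enable to get the audit list, then with -Enable after reviewing which accounts will be changed.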

I hope this helps!

Cheers


Pierre Roman
@pierreroman

Comments (2)

  1. RLKenny says:

    Good article, Pierre. Do you know if eventually this will be made available for Classic VMs/storage accounts?
    Also, are there plans to allow encryption on already existing data?

    Thanks!

    1. Pierre Roman says:

      Hello RLKenny, sorry for the late reply. I don’t believe there are any plans to port this to the classic mode. If you can migrate to the ARM Model, that would be the only way to take advantage of it. Please refer to the following articles (https://blogs.technet.microsoft.com/canitpro/2016/07/05/step-by-step-migrate-your-classic-cloud-services-to-arm/ and https://blogs.technet.microsoft.com/canitpro/2016/07/27/step-by-step-migrate-your-classic-cloud-services-to-arm-storage-migration/).

      As for encrypting existing data, there is no way of doing that other than moving it to another account and moving it back to the storage account set up for encryption. Upon writing to that account, the data will be encrypted.

      Thanks

      Pierre
