Azure Storage Encryption At Rest — Jot Digital (2024)

Azure Storage encryption can be a misunderstood topic, so the goal of this post is to give an overview of the feature set and to discuss an interesting feature that was in preview at the time of writing.

What is Azure Storage Encryption?

By default, all data stored in an Azure storage account is encrypted at rest. This is done transparently at the storage service layer with 256-bit AES, and the encryption is FIPS 140-2 compliant. As the documentation states, this encryption is enabled automatically and cannot be disabled. In this default configuration the keys are Microsoft-managed: Microsoft generates, stores and rotates them, and the customer never handles them.

From a data flow perspective, in this default (Microsoft-managed key) case the data encryption key is held and used entirely inside the storage service; the original post illustrated this with a diagram that is not reproduced here.

In the customer-managed key (CMK) method, an encryption key is still stored within the storage service, just as in the default Microsoft-managed scenario above. The difference is that the key held by the service is wrapped by a customer-managed key. That customer-managed key acts as a key-encrypting key and is stored in Azure Key Vault.

The main benefit is control over the lifetime of the data itself. Rendering the data irretrievable is as simple as deleting (or disabling) the customer-managed key in Azure Key Vault, because the storage service can then no longer unwrap the key it needs to decrypt. Two further benefits are that every use of the key is logged by Key Vault and that you decide when the key is rotated. These come at the cost of some trade-offs. The first is that Azure Key Vault is priced per operation: the storage service must call Key Vault to unwrap its key, and each unwrap is a billed operation (in practice the service holds the unwrapped key rather than calling Key Vault for every blob read and write, so the cost is far less than one call per request, but it is not zero). Those calls also add latency, and Key Vault becomes an availability dependency: if the key is deleted, disabled or expired, or the storage account's managed identity loses access to the vault, the data is unreadable until access is restored. The last trade-off is that the customer-managed key becomes a key you have to rotate, back up and control yourself, and the vault that holds it must have soft delete and purge protection enabled, which means "deleting the key" is reversible until the key is actually purged.

The last method is the customer-provided key (CPK), available for Blob storage. The flow is the same as above, except that the storage service no longer stores the encryption key, in any form, for the back-end data. Instead, the client sends the key (and a SHA-256 of it) as request headers, over HTTPS, on every read and write that touches the blob; the service uses the key for that request only and discards it. This method provides the most control over which key encrypts the data, at the expense of pushing all key management and distribution responsibilities onto the client: lose the key and the blob is gone.
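What the client side of a CPK request actually has to compute, as an added example that is not from the original post. The three header names and the AES-256 requirement are the ones documented for the Blob REST API; the helper function names are mine, and the all-zero key used when exercising it is a constructed test value, not something to send to a real account.

```shell
#!/usr/bin/env bash
# Client-side derivation of the customer-provided key (CPK) request headers for
# Azure Blob Storage, plus the integrity check the service applies to them.
# Helper names are mine; the header names and AES-256 requirement are the
# documented ones.
set -euo pipefail

# A fresh 256-bit key, base64-encoded as the x-ms-encryption-key header expects.
gen_cpk_key() {
  openssl rand -base64 32
}

# x-ms-encryption-key-sha256 is base64(SHA-256(raw key bytes)): hash the decoded
# key, not its base64 text. This lets the service check the key it received
# without ever persisting it.
cpk_key_sha256() {
  local key_b64=$1
  printf '%s' "$key_b64" | base64 -d | openssl dgst -sha256 -binary | base64
}

# The three headers that accompany every read and write that touches a
# CPK-encrypted blob (the request must also be sent over HTTPS).
cpk_headers() {
  local key_b64=$1
  printf 'x-ms-encryption-key: %s\n' "$key_b64"
  printf 'x-ms-encryption-key-sha256: %s\n' "$(cpk_key_sha256 "$key_b64")"
  printf 'x-ms-encryption-algorithm: AES256\n'
}

# What a receiver should verify before using a supplied key: it decodes to
# exactly 32 bytes and its SHA-256 matches the claimed value. Returns 0 on
# success, 1 on any mismatch.
verify_cpk() {
  local key_b64=$1 claimed_sha256=$2 len
  len=$(printf '%s' "$key_b64" | base64 -d | wc -c | tr -d ' ')
  [ "$len" -eq 32 ] || return 1
  [ "$(cpk_key_sha256 "$key_b64")" = "$claimed_sha256" ] || return 1
}

# Stand-alone demo: generate a key and show the headers a client would send.
demo_key=$(gen_cpk_key)
cpk_headers "$demo_key"
```

Note that the hash header is computed over the decoded key bytes; hashing the base64 text is a common mistake that the service rejects, and `verify_cpk` shows the two checks a proxy or test harness should make before forwarding a key.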

Encryption Scopes (Preview)

A feature that was in preview for Azure Storage at the time of writing is encryption scopes. Based on my understanding of the feature, encryption scopes are designed as an alternative to customer-provided keys. Effectively, you can define multiple encryption keys within a single storage account: each scope is backed either by a Microsoft-managed key or by a customer-managed key in Azure Key Vault. You can then set the default scope at the container level and specify a different scope, as an override, when an individual blob is created. A blob's scope is fixed when it is written; moving a blob to another scope means rewriting it.

The benefit here, over customer-provided keys, is that you do not have to store and distribute the key to every client that needs access to the data. Clients name a scope (the x-ms-encryption-scope request header in the Blob REST API) rather than carrying key material, and reads need no header at all because the scope is recorded on the blob. The disadvantage is that I do not believe there are any access controls on an encryption scope itself. Any client that can write to the account can write under any enabled scope. The practical mitigation is at the container level: a container can be created with a default scope and with overrides denied, which forces every blob written to that container onto the container's scope.

A use case

At Keep Secure, we work with many start-ups that handle customer data in a multi-tenant fashion. A potential use case for encryption scopes is multi-tenant storage of data that still gives each customer fine-grained control over their own data.

For example, a SaaS provider could provision a Key Vault for each customer whose data it stores. Using Key Vault's access control, it could grant that customer the right to create a customer-managed key in that vault. It would then create an encryption scope for that customer that uses the key in the shared vault. From then on, all data belonging to that customer is encrypted under a customer-specific encryption scope, backed by a key over which the end customer has full control.

One of the key benefits I see for this approach is in off-boarding scenarios. With the single action of deleting the customer-managed key in the Key Vault, all data stored under that scope is rendered unreadable, which is an effective way to give customers assurance that data deletion was done properly. Two caveats apply. First, Key Vault soft delete and purge protection must be enabled on a vault that backs storage encryption, so a deleted key can be recovered during the retention period and the data is only irretrievable once the key is purged; treat the purge, not the delete, as the point of no return. Second, disabling the key has the same immediate effect on readability and is reversible, which makes it the safer first step if there is any chance the off-boarding has to be undone.
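The provisioning and off-boarding steps for the design above, as an added example that is not the original post's or Keep Secure's code, written against the Azure CLI commands for Key Vault, encryption scopes and containers. Every resource name, the tenant label and the object IDs are hypothetical. The script defaults to a dry run that prints each command; setting DRY_RUN=0 executes them, which assumes an authenticated az session and a storage account that already has a system-assigned managed identity.

```shell
#!/usr/bin/env bash
# Per-tenant encryption scope backed by a tenant-controlled Key Vault key.
# Hypothetical resource names throughout. DRY_RUN=1 (default) only prints the
# az commands; DRY_RUN=0 runs them against the current az login context.
set -euo pipefail

DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# provision_tenant_scope RESOURCE_GROUP STORAGE_ACCOUNT STORAGE_IDENTITY_OBJECT_ID TENANT TENANT_PRINCIPAL_OBJECT_ID
#   STORAGE_IDENTITY_OBJECT_ID: object id of the storage account's system-assigned identity
#     (az storage account show -n ACCOUNT -g RG --query identity.principalId -o tsv)
#   TENANT_PRINCIPAL_OBJECT_ID: the tenant's Entra ID user, group or service principal that owns the key
provision_tenant_scope() {
  local rg=$1 sa=$2 sa_identity=$3 tenant=$4 tenant_principal=$5
  local kv="kv-${tenant}" key="cmk-${tenant}" scope="scope-${tenant}" container="data-${tenant}"

  # 1. One vault per tenant. Soft delete (always on) and purge protection are
  #    required for Key Vault-backed storage encryption; purge protection also
  #    means a deleted key lingers for the retention period (see offboard_tenant).
  #    Access-policy mode is selected explicitly so set-policy works below.
  run az keyvault create --name "$kv" --resource-group "$rg" \
      --enable-purge-protection true --enable-rbac-authorization false

  # 2. Least privilege on the vault: the storage service only needs to wrap and
  #    unwrap with the key; the tenant gets lifecycle rights (create, rotate,
  #    delete) but no wrap/unwrap, so the tenant cannot decrypt anything with it.
  run az keyvault set-policy --name "$kv" --object-id "$sa_identity" \
      --key-permissions get wrapKey unwrapKey
  run az keyvault set-policy --name "$kv" --object-id "$tenant_principal" \
      --key-permissions create get list update delete recover backup rotate

  # 3. Initial key. The tenant could run this step with the rights granted above;
  #    it is here so the scope in step 4 has something to reference.
  run az keyvault key create --vault-name "$kv" --name "$key" \
      --kty RSA --size 2048 --ops wrapKey unwrapKey

  # 4. The encryption scope. A versionless key URI lets the scope follow rotations.
  run az storage account encryption-scope create --account-name "$sa" \
      --resource-group "$rg" --name "$scope" \
      --key-source Microsoft.KeyVault \
      --key-uri "https://${kv}.vault.azure.net/keys/${key}"

  # 5. Pin the tenant's container to the scope and forbid per-blob overrides, so a
  #    client with write access cannot quietly store this tenant's data under
  #    another tenant's scope (or the account default).
  run az storage container create --name "$container" --account-name "$sa" \
      --auth-mode login \
      --default-encryption-scope "$scope" --prevent-encryption-scope-override true
}

# offboard_tenant TENANT
# Disabling the key makes every blob in the scope unreadable immediately and is
# reversible; deletion starts the soft-delete clock, and with purge protection
# the key is only truly gone once the retention period has expired.
offboard_tenant() {
  local kv="kv-${1}" key="cmk-${1}"
  run az keyvault key set-attributes --vault-name "$kv" --name "$key" --enabled false
  run az keyvault key delete --vault-name "$kv" --name "$key"
}

# Constructed sample invocation (the default dry run prints the plan).
provision_tenant_scope rg-saas stsaasdata \
  11111111-2222-3333-4444-555555555555 acme 66666666-7777-8888-9999-000000000000
offboard_tenant acme
```

The split of key permissions in step 2 is the point worth copying: the storage identity can use the key but not manage it, and the tenant can manage it but not use it, so neither party alone can both read the data and remove the evidence of having done so from the vault's logs.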

Conclusion

There are a couple of neat new Azure Storage features that I hope to explore, and encryption scopes is one of them. I think it could provide some very interesting capabilities, particularly as it relates to data security and privacy regulations. I hope you enjoyed.
