Hello WA,
Thank you for posting your query here!
Please note that Azure Storage provides service-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. This encryption uses 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. The encryption and decryption process is transparent and does not require any changes to your applications.
For key management, data in a new storage account is encrypted with Microsoft-managed keys by default. However, you can also manage encryption with your own keys. If you choose to manage encryption with your own keys, you have two options: you can specify a customer-managed key to use for encrypting and decrypting data in Blob Storage and in Azure Files (customer-managed keys must be stored in Azure Key Vault or Azure Key Vault Managed Hardware Security Model (HSM)), or you can specify a customer-provided key on Blob Storage operations. https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption
This means that even if a file were to leave your network, without the encryption key it would be rendered useless.
Also, for controlling access to the data, you can use Azure’s robust Identity and Access Management (IAM) solutions, along with the DLP capabilities provided by Microsoft Purview. This will ensure that only authorized applications and users can access the data. https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
Do let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to “Accept the answer” and “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.
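An added example, not code from the answer above or from Microsoft's SDKs, for the second option mentioned there (a customer-provided key on Blob Storage operations): it generates a 256-bit AES key, builds the three request headers the Blob REST API documents for customer-provided keys, and pre-checks them client-side the way the service does (the key must decode to 32 bytes, the algorithm must be AES256, and the SHA-256 header must match the key). The header names are the documented REST ones; the validation helper is an assumed client-side wrapper, not a service API.

```python
import base64
import hashlib
import os

# Documented Blob REST API request headers for customer-provided keys (CPK).
CPK_KEY_HEADER = "x-ms-encryption-key"            # base64 AES-256 key
CPK_SHA256_HEADER = "x-ms-encryption-key-sha256"  # base64 SHA-256 of the key
CPK_ALGORITHM_HEADER = "x-ms-encryption-algorithm"  # must be "AES256"


def generate_cpk() -> bytes:
    """Generate a fresh 256-bit key. The caller must retain it: the service
    never stores a customer-provided key, so a later read of the blob
    without the same key is refused."""
    return os.urandom(32)


def cpk_headers(key: bytes) -> dict:
    """Build the CPK request headers for one Blob Storage operation."""
    if len(key) != 32:
        raise ValueError("customer-provided key must be exactly 32 bytes (AES-256)")
    digest = hashlib.sha256(key).digest()
    return {
        CPK_KEY_HEADER: base64.b64encode(key).decode("ascii"),
        CPK_SHA256_HEADER: base64.b64encode(digest).decode("ascii"),
        CPK_ALGORITHM_HEADER: "AES256",
    }


def validate_cpk_headers(headers: dict) -> bool:
    """Assumed pre-flight check mirroring what the service verifies before
    accepting a CPK request; returns False instead of raising so a client
    wrapper can refuse to send a request it knows will be rejected."""
    try:
        key = base64.b64decode(headers[CPK_KEY_HEADER], validate=True)
        claimed_digest = base64.b64decode(headers[CPK_SHA256_HEADER], validate=True)
    except (KeyError, ValueError):  # binascii.Error is a ValueError subclass
        return False
    if headers.get(CPK_ALGORITHM_HEADER) != "AES256" or len(key) != 32:
        return False
    return hashlib.sha256(key).digest() == claimed_digest


if __name__ == "__main__":
    headers = cpk_headers(generate_cpk())
    print("headers valid:", validate_cpk_headers(headers))
```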