Transport Layer Security in Azure Backup
Transport Layer Security (TLS) is an encryption protocol that keeps data secure when being transferred over a network. Azure Backup uses transport layer security to protect the privacy of backup data being transferred. This article describes steps to enable the TLS 1.2 protocol, which provides improved security over previous versions.
Earlier versions of Windows
If the machine is running earlier versions of Windows, the corresponding updates noted below must be installed and the registry changes documented in the KB articles must be applied.
| Operating system | KB article |
|---|---|
| Windows Server 2008 SP2 | https://support.microsoft.com/help/4019276 |
| Windows Server 2008 R2, Windows 7, Windows Server 2012 | https://support.microsoft.com/help/3140245 |
Note
The update will install the required protocol components. After installation, you must make the registry key changes mentioned in the KB articles above to properly enable the required protocols.
Verify Windows registry
Configuring SChannel protocols
The following registry values ensure that the TLS 1.2 protocol is enabled at the SChannel component level:

```
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
```
Note
The values shown are set by default in Windows Server 2012 R2 and newer versions. For these versions of Windows, if the registry keys are absent, they don't need to be created.
Configuring .NET Framework
The following registry keys configure .NET Framework to support strong cryptography. You can read more about configuring .NET Framework here.
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
```
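The following PowerShell script is an added example, not part of the Azure Backup article: it audits the SChannel and .NET Framework registry values listed in the two sections above and reports which ones are set, absent, or set to a different value, with an optional function to apply them. The key paths and value names are the ones the article gives; the function names and the output format are this example's own. It must be run from an elevated PowerShell session.

```powershell
# Added example (not from the Azure Backup documentation): audit, and optionally
# set, the registry values the article requires for TLS 1.2.
# Run in an elevated PowerShell session on the backup server.

# Required values, taken from the article. DefaultOnModernOs marks the SChannel
# values that Windows Server 2012 R2 and later already apply when the key is absent,
# so "absent" is not a failure on those versions.
$RequiredTls12Values = @(
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
                       Name = 'Enabled';                  Value = 1; DefaultOnModernOs = $true }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
                       Name = 'DisabledByDefault';        Value = 0; DefaultOnModernOs = $true }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
                       Name = 'SystemDefaultTlsVersions'; Value = 1; DefaultOnModernOs = $false }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
                       Name = 'SchUseStrongCrypto';       Value = 1; DefaultOnModernOs = $false }
    # WOW6432Node covers 32-bit .NET applications on 64-bit Windows; the key is absent on 32-bit Windows.
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
                       Name = 'SystemDefaultTlsVersions'; Value = 1; DefaultOnModernOs = $false }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
                       Name = 'SchUseStrongCrypto';       Value = 1; DefaultOnModernOs = $false }
)

# Hypothetical helper (this example's own name): read each required value and classify it.
function Get-Tls12RegistryState {
    foreach ($item in $RequiredTls12Values) {
        $current = $null
        if (Test-Path -Path $item.Path) {
            $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $current = $prop.($item.Name) }
        }

        if ($null -eq $current) {
            if ($item.DefaultOnModernOs) { $status = 'Absent (OS default applies on Windows Server 2012 R2 and later)' }
            else                         { $status = 'Absent' }
        } elseif ([int]$current -eq $item.Value) {
            $status = 'OK'
        } else {
            $status = 'Mismatch'
        }

        [pscustomobject]@{
            Path     = $item.Path
            Name     = $item.Name
            Expected = $item.Value
            Current  = $current
            Status   = $status
        }
    }
}

# Hypothetical helper (this example's own name): create missing keys and write the
# required DWORD values exactly as the article lists them.
function Set-Tls12RegistryState {
    foreach ($item in $RequiredTls12Values) {
        if (-not (Test-Path -Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -PropertyType DWord -Force | Out-Null
    }
}

# Report current state; apply with Set-Tls12RegistryState and re-run the report to confirm.
Get-Tls12RegistryState | Format-Table -Property Name, Expected, Current, Status, Path -AutoSize
```

Rows reported as Mismatch are the ones that will keep TLS 1.2 from being offered; rows reported as Absent under the SChannel key are acceptable on Windows Server 2012 R2 and later, as the note above states, and setting them explicitly is harmless. Changes to the .NET Framework values take effect for newly started processes, so restart the backup services after applying them.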
Azure TLS certificate changes
Azure TLS/SSL endpoints now present updated certificates that chain up to new root CAs. Ensure that the machine trusts the updated root CAs listed below. Learn more about the possible impacts on your applications.
Earlier, most of the TLS certificates used by Azure services chained up to the following root CA:
| Common name of CA | Thumbprint (SHA1) |
|---|---|
| Baltimore CyberTrust Root | d4de20d05e66fc53fe1a50882c78db2852cae474 |
Now, TLS certificates used by Azure services chain up to one of the following root CAs:
| Common name of CA | Thumbprint (SHA1) |
|---|---|
| DigiCert Global Root G2 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| DigiCert Global Root CA | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 |
| Baltimore CyberTrust Root | d4de20d05e66fc53fe1a50882c78db2852cae474 |
| D-TRUST Root Class 3 CA 2 2009 | 58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0 |
| Microsoft RSA Root Certificate Authority 2017 | 73a5e64a3bff8316ff0edccc618a906e4eae4d74 |
| Microsoft ECC Root Certificate Authority 2017 | 999a64c37ff47d9fab95f14769891460eec4c3c5 |
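The following PowerShell script is an added example, not part of the Azure Backup article: it checks which of the root CAs in the table above are present in the local machine's Trusted Root Certification Authorities store, matching on the SHA-1 thumbprints the article lists, and flags any that are missing, expired, or explicitly blocked through the Untrusted Certificates store. The thumbprints and CA names are taken from the table; the function name and output format are this example's own.

```powershell
# Added example (not from the Azure Backup documentation): verify that the root CAs
# Azure services now chain to are trusted by this machine.

# Root CAs and SHA-1 thumbprints as listed in the article.
$ExpectedAzureRoots = @(
    @{ Name = 'DigiCert Global Root G2';                       Thumbprint = 'df3c24f9bfd666761b268073fe06d1cc8d4f82a4' }
    @{ Name = 'DigiCert Global Root CA';                       Thumbprint = 'a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436' }
    @{ Name = 'Baltimore CyberTrust Root';                     Thumbprint = 'd4de20d05e66fc53fe1a50882c78db2852cae474' }
    @{ Name = 'D-TRUST Root Class 3 CA 2 2009';                Thumbprint = '58e8abb0361533fb80f79b1b6d29d3ff8d5f00f0' }
    @{ Name = 'Microsoft RSA Root Certificate Authority 2017'; Thumbprint = '73a5e64a3bff8316ff0edccc618a906e4eae4d74' }
    @{ Name = 'Microsoft ECC Root Certificate Authority 2017'; Thumbprint = '999a64c37ff47d9fab95f14769891460eec4c3c5' }
)

# Hypothetical helper (this example's own name): compare the expected roots with
# the machine's Root and Disallowed certificate stores.
function Test-AzureRootTrust {
    # The store exposes thumbprints as upper-case hex; index them in lower case
    # so they compare against the article's values.
    $installed = @{}
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        $installed[$cert.Thumbprint.ToLowerInvariant()] = $cert
    }

    # Certificates placed in the Disallowed (Untrusted Certificates) store are
    # rejected even if a copy also sits in the Root store.
    $disallowed = @{}
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Disallowed) {
        $disallowed[$cert.Thumbprint.ToLowerInvariant()] = $true
    }

    $now = Get-Date
    foreach ($root in $ExpectedAzureRoots) {
        $tp   = $root.Thumbprint.ToLowerInvariant()
        $cert = $installed[$tp]

        if ($disallowed.ContainsKey($tp)) {
            $status = 'Blocked (present in Disallowed store)'
        } elseif ($null -eq $cert) {
            $status = 'Not installed'
        } elseif ($cert.NotAfter -lt $now) {
            $status = 'Installed but expired'
        } else {
            $status = 'Trusted'
        }

        [pscustomobject]@{
            Name       = $root.Name
            Thumbprint = $tp
            Status     = $status
            NotAfter   = if ($null -ne $cert) { $cert.NotAfter } else { $null }
        }
    }
}

Test-AzureRootTrust | Format-Table -Property Name, Status, NotAfter, Thumbprint -AutoSize
```

On internet-connected machines, Windows can fetch a missing root through the Automatic Root Certificates Update mechanism the first time a chain requires it, so a "Not installed" result there is not by itself a failure. On machines without internet access, or where that mechanism is disabled by policy, the roots listed above have to be distributed to the machine before backups will connect. A "Blocked" result needs attention regardless, since the Disallowed store overrides the Root store.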
Frequently asked questions
Why enable TLS 1.2?
TLS 1.2 is more secure than previous cryptographic protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. Azure Backup services already fully support TLS 1.2.
What determines the encryption protocol used?
The highest protocol version supported by both the client and server is negotiated to establish the encrypted conversation. For more information on the TLS handshake protocol, see Establishing a Secure Session by using TLS.
What is the impact of not enabling TLS 1.2?
For improved security against protocol downgrade attacks, Azure Backup is beginning to disable TLS versions older than 1.2 in a phased manner. This is part of a long-term shift across services to disallow legacy protocol and cipher suite connections. Azure Backup services and components fully support TLS 1.2. However, Windows versions lacking the required updates, or certain customized configurations, can still prevent TLS 1.2 from being offered. This can cause failures including, but not limited to, one or more of the following:
- Backup and restore operations may fail.
- Connections from the backup components fail with error 10054 (An existing connection was forcibly closed by the remote host).
- Services related to Azure Backup won't stop or start as usual.