@MS Techie Welcome to the Microsoft Q&A Forum. Thank you for posting your query here!
- Does it reduce performance? Because the data is encrypted twice, there may be a very slight performance impact.
- While downloading data back, will it automatically decrypt? Yes
- Does the encryption apply to the network part, like a private endpoint which is attached to a VNet?

  Whenever Azure customer traffic moves between datacenters -- outside physical boundaries not controlled by Microsoft or on behalf of Microsoft -- a data-link layer encryption method using the IEEE 802.1AE MAC Security Standards (also known as MACsec) is applied from point-to-point across the underlying network hardware. The packets are encrypted and decrypted on the devices before being sent, preventing physical “man-in-the-middle” or snooping/wiretapping attacks. Because this technology is integrated on the network hardware itself, it provides line rate encryption on the network hardware with no measurable link latency increase. This MACsec encryption is on by default for all Azure traffic traveling within a region or between regions, and no action is required on customers’ part to enable.

  Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault. Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key.
- What is the additional cost of this encryption? For Azure Key Vault there will be charges.

  Operations against all keys (software-protected keys and HSM-protected keys), secrets and certificates are billed at a flat rate of $0.03 per 10,000 operations, except certificate renewal requests, which are billed at a rate of $3 per renewal.

  Examples:

  A) You perform 2,000 operations with HSM-protected keys, 1,000 operations with software-protected keys and 500 operations with secrets during a billing cycle. You will be billed for 3,500 operations during that billing cycle.

  B) In a given billing cycle, you perform 500 operations on 20 certificates and 2 of these certificates are also renewed by Key Vault. You will be billed for 500 operations and 2 certificate renewal requests.

  Key Vault pricing page

Customers who require high levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level. When infrastructure encryption is enabled, data in a storage account is encrypted twice, once at the service level and once at the infrastructure level, with two different encryption algorithms and two different keys. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.

Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault. Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key.

For more information about how to create a storage account that enables infrastructure encryption, see Create a storage account with infrastructure encryption enabled for double encryption of data.
If you still have any questions on pricing, I would recommend contacting the Azure pricing team [Billing support]; it's free, and it's the best choice for you.
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
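
Added example, not part of the original answer and not Microsoft's code: a small audit that reads storage account JSON (the shape returned by `az storage account list -o json`) and reports, per account, who owns the service-level key and whether the second, infrastructure-level encryption layer described above is enabled. The account names and the sample data are constructed; the fields read are `encryption.keySource` and `encryption.requireInfrastructureEncryption`.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output
# (account names are made up; only the fields the audit reads are included).
SAMPLE = json.loads("""
[
  {"name": "stdoubleenc01",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "requireInfrastructureEncryption": true}},
  {"name": "stdefault02",
   "encryption": {"keySource": "Microsoft.Storage",
                  "requireInfrastructureEncryption": null}},
  {"name": "stcmkonly03",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "requireInfrastructureEncryption": false}}
]
""")

# Service-level key owner, keyed by the lower-cased keySource value.
KEY_OWNER = {"microsoft.storage": "Microsoft-managed",
             "microsoft.keyvault": "customer-managed (Key Vault)"}

def audit(accounts):
    """Return one finding per account: service-level key owner and whether
    the infrastructure (second) encryption layer is enabled."""
    findings = []
    for acct in accounts:
        enc = acct.get("encryption") or {}
        source = (enc.get("keySource") or "").lower()
        # A missing or null flag means the layer is not enabled.
        double = enc.get("requireInfrastructureEncryption") is True
        findings.append({
            "name": acct.get("name", "<unnamed>"),
            "service_key": KEY_OWNER.get(source, "unknown"),
            "double_encrypted": double,
        })
    return findings

def single_layer_only(accounts):
    """Names of accounts protected by service-level encryption only."""
    return [f["name"] for f in audit(accounts) if not f["double_encrypted"]]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        layers = "service + infrastructure" if f["double_encrypted"] else "service only"
        print(f"{f['name']:<15} {f['service_key']:<30} {layers}")
```

Using a customer-managed key does not by itself mean an account is double encrypted, which is why the third sample account is still reported as service-level only.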