How Infrastructure encryption on storage account provide additional protection when SSE key is compromised?

Question

By reading the MS link on infrastructure encryption on storage account, I am not sure what additional protection infrastructure encryption provide by double encryption.

in the link, it says

Azure Storage encryption provides a sufficiently powerful encryption algorithm, and there is unlikely to be a benefit to using infrastructure encryption.

and it also says:

Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.

I would like to know how the infrastructure encryption protect the data on the SSE key comprised scenario and what is protected against.

In normal operation, a legitimate application /user who have access to storage account and SSE key should be able to access data with data decrypted in both layers service and infrastructure automatically and transparently.

with the SSE key get compromised, malicious user/program get hold of the SSE key, how is the data protected by infrastructure encryption if the access process automatically decrypt data on both layers?

Thank you.

Answer 1

@CuiweiLu-7642 Firstly, Apologies for the delay response here!

Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

In the case of a compromised SSE key, the data is still protected by the infrastructure encryption. The infrastructure encryption relies on Microsoft-managed keys and always uses a separate key. The data is encrypted twice, once at the service level and once at the infrastructure level, with two different encryption algorithms and two different keys. The infrastructure encryption is recommended for scenarios where doubly encrypting data is necessary for compliance requirements.
Server-Side Encryption (SSE): SSE in Azure Storage encrypts your data using a storage account-specific encryption key. When you write data to Azure Storage, it is automatically encrypted by the service using this key. When you read data, the service automatically decrypts it for you.

In the case of a compromised SSE key, the data is still protected by the infrastructure encryption. The infrastructure encryption relies on Microsoft-managed keys and always uses a separate key. The data is encrypted twice, once at the service level and once at the infrastructure level, with two different encryption algorithms and two different keys. The infrastructure encryption is recommended for scenarios where doubly encrypting data is necessary for compliance requirements^.

Server-Side Encryption (SSE): SSE in Azure Storage encrypts your data using a storage account-specific encryption key. When you write data to Azure Storage, it is automatically encrypted by the service using this key. When you read data, the service automatically decrypts it for you.

In the case of a compromised SSE key, the data is still protected by the infrastructure encryption. The infrastructure encryption relies on Microsoft-managed keys and always uses a separate key. The data is encrypted twice, once at the service level and once at the infrastructure level, with two different encryption algorithms and two different keys. The infrastructure encryption is recommended for scenarios where doubly encrypting data is necessary for compliance requirement. Server-Side Encryption (SSE): SSE in Azure Storage encrypts your data using a storage account-specific encryption key. When you write data to Azure Storage, it is automatically encrypted by the service using this key. When you read data, the service automatically decrypts it for you.

Please let us know if you have any further queries. I’m happy to assist you further.

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.