Encryption of data at rest in Azure

Sonia Duc 0 Reputation points
2023-07-13T09:28:08.5966667+00:00

Hello,

While checking the Azure documentation on data encryption I read about tenant root keys (https://learn.microsoft.com/en-us/azure/information-protection/plan-implement-tenant-key#tenant-root...) and about encryption offered at the service level for data at rest (https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest#encryption-at-rest-i...).


My understanding is that while the root encryption keys are managed at the tenant level and data at rest is encrypted at the service level, data at rest is stored encrypted with one key (i.e. one layer of encryption is applied to the data). The only time we speak about double encryption (i.e. stored data is encrypted twice) is in the case of Double Key Encryption (DKE), where the client first encrypts the data and then Azure adds another layer of encryption.

Is my understanding correct? Thank you for your help.

Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.

1 answer

  1. Sedat SALMAN 14,180 Reputation points MVP
    2023-07-13T10:06:06.72+00:00

    In Azure, data at rest is encrypted by default using a service-managed key. Tenant root keys or customer-managed keys (CMKs) give you more control over this encryption, but don't add a second encryption layer. They just manage the existing service-managed key.

    Double Key Encryption (DKE) does add a second encryption layer. It uses a key managed by Azure and another managed by you, outside of Azure. Both keys are needed to access the data.

    So, your understanding is correct: Azure typically uses one layer of encryption, unless you use the DKE feature which applies two layers.
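
The one-layer versus two-layer distinction in the answer above, shown as an added example that is not code from this thread or from Microsoft's DKE implementation. It models only the key layering: a per-document content key encrypts the data, and that content key is wrapped either by a single service (or customer-managed) key, or, for DKE, first by a customer-held key and then again by an Azure-held key. The keys are plain in-memory AES-256-GCM keys standing in for the tenant key and the customer's DKE key (an assumption for the example; the real service's key formats and wrapping protocol are not reproduced here).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Key is a 256-bit AES key held in memory. This stands in for the Azure
// tenant key and the customer's DKE key (assumption of this example).
type Key []byte

func newKey() (Key, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts plaintext with AES-256-GCM under k and prepends the nonce.
func seal(k Key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authentication fails for a wrong key or tampered data.
func open(k Key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Protected is the stored form: the document under a per-document content
// key (CEK), plus the CEK wrapped by one or two key-encryption keys.
type Protected struct {
	Ciphertext []byte
	WrappedCEK []byte
	Layers     int // 1 = service-managed or customer-managed key only, 2 = DKE
}

// protectSingleLayer models the default: one wrapping key. A customer-managed
// key changes who controls this key; it does not add a second layer.
func protectSingleLayer(serviceKey Key, doc []byte) (*Protected, error) {
	cek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(cek, doc)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(serviceKey, cek)
	if err != nil {
		return nil, err
	}
	return &Protected{Ciphertext: ct, WrappedCEK: wrapped, Layers: 1}, nil
}

func unprotectSingleLayer(serviceKey Key, p *Protected) ([]byte, error) {
	cek, err := open(serviceKey, p.WrappedCEK)
	if err != nil {
		return nil, fmt.Errorf("service key: %w", err)
	}
	return open(Key(cek), p.Ciphertext)
}

// protectDKE models Double Key Encryption: the CEK is wrapped by the
// customer-held key, and that result is wrapped again by the Azure-held key.
func protectDKE(azureKey, customerKey Key, doc []byte) (*Protected, error) {
	cek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(cek, doc)
	if err != nil {
		return nil, err
	}
	inner, err := seal(customerKey, cek)
	if err != nil {
		return nil, err
	}
	outer, err := seal(azureKey, inner)
	if err != nil {
		return nil, err
	}
	return &Protected{Ciphertext: ct, WrappedCEK: outer, Layers: 2}, nil
}

// unprotectDKE needs both keys in reverse order; if either is missing or
// wrong, authentication fails and no content key is recovered.
func unprotectDKE(azureKey, customerKey Key, p *Protected) ([]byte, error) {
	inner, err := open(azureKey, p.WrappedCEK)
	if err != nil {
		return nil, fmt.Errorf("azure key: %w", err)
	}
	cek, err := open(customerKey, inner)
	if err != nil {
		return nil, fmt.Errorf("customer key: %w", err)
	}
	return open(Key(cek), p.Ciphertext)
}

func main() {
	azureKey, _ := newKey()
	customerKey, _ := newKey()
	doc := []byte("constructed sample document: quarterly numbers") // constructed input

	p, err := protectDKE(azureKey, customerKey, doc)
	if err != nil {
		panic(err)
	}
	pt, err := unprotectDKE(azureKey, customerKey, p)
	fmt.Printf("both keys: %q (err=%v)\n", pt, err)

	// The party holding only the Azure key (the service operator) cannot
	// reach the content key, and neither can the customer alone.
	other, _ := newKey()
	_, err = unprotectDKE(azureKey, other, p)
	fmt.Println("azure key only:", err)
	_, err = unprotectDKE(other, customerKey, p)
	fmt.Println("customer key only:", err)
}
```

The order of unwrapping is the point: the Azure-side layer is removed first and still yields only an opaque blob, so the service alone never sees the content key, while the customer alone cannot get past the outer layer. Compare protectSingleLayer, where whoever controls the one wrapping key (Microsoft for a service-managed key, the tenant for a customer-managed key) recovers the content key directly.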

