Azure App Services & Azure SQL Servers - Encryption at Rest

Rizwan Ansari 21 Reputation points

Are all web applications hosted with Azure App Services, and also Azure SQL Servers, encrypted at rest? Do I have to do any special configuration?


1 answer

  1. brtrach-MSFT 7,386 Reputation points Microsoft Employee

    @Rizwan Ansari Thank you for your question. I personally deal with Azure Web Apps so I can speak to that part of things. I would kindly request you to create a second question with just the azure-sql-database tag so an expert from the SQL team can assist you with that side of things.

    In regards to encryption at rest with Azure Web Apps, there is a two-part answer.

    With an App Service Environment, you have the ability to turn on internal encryption. More on that can be found here.

    If you are talking about the multi-tenant web app product, there are a few points to share. Firstly, as of today, locally attached disks on App Service VMs are not encrypted at rest. From a developer perspective, that means anything within "D:\local" when logged into a Kudu console is not encrypted at rest. Overall, customer data is encrypted, but devs are urged to be cautious as it's possible to write to the D:\local disk, which would not be encrypted. Keep in mind that items like ASP.NET DLLs are stored on the local drive, but we assume developers are not following bad practices such as compiling encryption keys into their binaries. Note that custom container web apps are loaded onto a locally attached disk and it will not be encrypted at rest.

    There is work being done to offer encryption at rest as a feature in the future, but there is nothing to share at this time regarding features or an ETA.

    If you are asking from a compliance perspective, you should consider an App Service Environment or see about requesting an exemption.

    If you are asking so that you can sleep better at night, I encourage you to review the Azure Security overview of our datacenters.

    Please let me know if you have any further questions about encryption at rest on App Services and I would be happy to answer them.
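
A deployment check for the caution in the answer above, added here as an example and not part of the original thread or any Microsoft tooling: it resolves an app's configured write locations using Windows path rules and reports any that land under `D:\local`. The setting names, the environment values and the `audit_write_paths` helper are constructed for illustration.

```python
import ntpath
import re

# Root the answer identifies as not encrypted at rest on multi-tenant App Service.
UNENCRYPTED_ROOT = r"D:\local"

def expand_vars(path, env):
    """Expand %VAR% references (case-insensitive) from the supplied mapping."""
    lookup = {k.upper(): v for k, v in env.items()}
    # A function replacement avoids re.sub treating backslashes as escapes.
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)

def is_under(path, root):
    """True if path is root or inside it, compared with Windows semantics."""
    p = ntpath.normcase(ntpath.normpath(path))   # folds case, '/' and '..'
    r = ntpath.normcase(ntpath.normpath(root))
    # The trailing separator keeps D:\localdata from matching D:\local.
    return p == r or p.startswith(r + "\\")

def audit_write_paths(paths, env):
    """Return (setting, resolved path) pairs that land on the local disk."""
    findings = []
    for name, raw in paths.items():
        resolved = ntpath.normpath(expand_vars(raw, env))
        if is_under(resolved, UNENCRYPTED_ROOT):
            findings.append((name, resolved))
    return findings

# Constructed sample input: environment values and settings are assumptions.
SAMPLE_ENV = {"TEMP": r"D:\local\Temp", "HOME": r"D:\home"}
SAMPLE_PATHS = {
    "upload_staging": r"%TEMP%\uploads",         # temp dir resolves to D:\local
    "report_cache": r"d:/LOCAL/cache/reports",   # different case and separators
    "traversal": r"D:\home\..\local\keys",       # '..' climbs into D:\local
    "site_data": r"%HOME%\data\exports",         # outside D:\local
    "lookalike": r"D:\localdata\files",          # shares a prefix only
}

if __name__ == "__main__":
    for setting, path in audit_write_paths(SAMPLE_PATHS, SAMPLE_ENV):
        print(f"{setting}: {path} is on the unencrypted local disk")
```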