Auto-encrypt file in Azure Storage but don't want plain file on download; want user to decrypt locally with admin-provided key

AK 1 Reputation point
2021-12-02T19:05:52.623+00:00

We have a case where we want to upload a plain file and want Azure to auto-encrypt it in Azure Storage, but we don't want it to be auto-decrypted when the user downloads it.

We want the user to decrypt locally. We are planning to provide a key to each company computer, and they can decrypt it only on a company computer, for security.

Does Azure support this scenario? If yes, how can we accomplish it?

Note: We don't want to use client-side encryption, where we encrypt the file through the application. We want encryption to be handled by Azure Storage automatically.


1 answer

  1. Sumarigo-MSFT 42,586 Reputation points Microsoft Employee
    2021-12-03T10:00:13.817+00:00

    @AK Welcome to the Microsoft Q&A Forum. Thank you for posting your query here!

    Presently this feature or scenario isn't supported. Our storage account is already encrypted at the backend.

    Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

    Data at rest in Azure Blob storage and Azure file shares can be encrypted in both server-side and client-side scenarios.

    Azure Storage Service Encryption (SSE) can automatically encrypt data before it is stored, and it automatically decrypts the data when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses 256-bit Advanced Encryption Standard (AES) encryption, which is one of the strongest block ciphers available. AES handles encryption, decryption, and key management transparently.

    If you are looking for this kind of feature, please leave your feedback here. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    Please let us know if you have any further queries. I’m happy to assist you further.

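The answer above says that SSE decrypts on every read and that data can also be encrypted client-side. The following Go program is an added example, not part of the original thread and not Azure SDK code: it contrasts the two, showing that a download stays ciphertext only when the blob was sealed with a key the service never holds. The names `NewGCM`, `Seal`, `Open` and `SSEDownload` are hypothetical, and all keys and file contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag, with a fresh random nonce per call.
func Seal(a cipher.AEAD, plain []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plain, nil), nil
}

// Open reverses Seal; it fails on a wrong key or a modified blob.
func Open(a cipher.AEAD, blob []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return a.Open(nil, blob[:n], blob[n:], nil)
}

// SSEDownload models the service (not the Azure API): sealed at rest, opened on every read.
func SSEDownload(service cipher.AEAD, upload []byte) ([]byte, error) {
	atRest, err := Seal(service, upload)
	if err != nil {
		return nil, err
	}
	return Open(service, atRest)
}

func main() {
	company, _ := NewGCM(make([]byte, 32)) // constructed all-zero demo key
	blob, _ := Seal(company, []byte("constructed sample file"))
	fmt.Printf("downloaded bytes stay ciphertext: %x\n", blob)
}
```

In the client-side case the service would still apply its own encryption at rest on top of the uploaded ciphertext; that layer is removed on read, leaving the company-key ciphertext for the user to open locally.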