Step-by-Step: Azure Storage Encryption at Rest

Hello Folks,

Ever since I started covering Azure I always get asked about encryption. How do I keep data from prying eyes? How do I ensure that the data is ALWAYS encrypted? Encryption at rest was not an option before, but now it is….

Azure Storage Service Encryption (SSE) for Data at Rest allows you to protect YOUR data to meet your security and compliance requirements. We now make available a service that automatically encrypts your data prior to writing it to the storage account and decrypts it when you retrieve the data. It addresses audit compliance requirements, and mitigates threats like theft of or unauthorized access to the media.

Before you ask…. The data is encrypted using 256-bit AES encryption. The encryption, decryption, and key management are totally transparent to users.

And so simple to enable.

Before we start here a few prerequisites….

  1. SSE is only supported on Resource Manager storage accounts.
  2. Only newly written blobs will be encrypted. It does not go back and encrypt data that was already present.
  3. SSE is supported on both Standard Storage and Premium Storage
  4. Currently The keys are managed by Microsoft, and we are working on providing capabilities for customers to bring their own encryption keys.
  5. There really is only one step to this for now. All you need is to enable it either when you create a new storage account:




Or if your storage account is already created you just need to turn it on by opening the storage account blade and scroll down to “Encryption” and enable it and click save to continue.


I hope this helps!



Pierre Roman