Protect data at rest

Azure provides extensive options for data encryption at rest to help customers safeguard their data and meet their compliance needs using Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services, such as Azure Key Vault and Microsoft Entra ID, to ensure secure key access and centralized key management. In general, controlling key access and ensuring efficient bulk encryption and decryption of data is accomplished with the following types of encryption keys:

  • A Data Encryption Key (DEK) is a symmetric AES-256 key used for bulk encryption and decryption of a partition or a block of data. The resource provider or application instance responsible for encrypting and decrypting a specific block of data needs access to that block's DEK. A single resource may have many partitions and many DEKs. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key. The DEK is encrypted with a Key Encryption Key (KEK) and is never stored unencrypted.
  • A Key Encryption Key (KEK) is an asymmetric RSA-2048 key that's optionally provided by the customer. It's used to encrypt the DEK by way of Azure Key Vault and exists only in Azure Key Vault; the KEK is never exposed directly to the resource provider or other services. Permissions in Azure Key Vault control access to the KEK, and access to Azure Key Vault must be authenticated through Microsoft Entra ID. Permissions can be revoked to block access to this key and, by extension, to the data that's encrypted using this key as the root of the key chain.

Detailed information about the various encryption models, and specifics on key management for a wide range of Azure platform services, is available in the online documentation. Moreover, some Azure services provide additional encryption models, including client-side encryption, to further encrypt their data using more granular controls.

The rest of this section covers encryption implementation for key scenarios, including Storage service encryption, Azure Disk encryption, and Azure SQL Database transparent data encryption (TDE).

Ensure data is automatically encrypted

Azure Storage service encryption for data at rest ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is encrypted through FIPS 140-2 validated 256-bit AES encryption. The handling of encryption, decryption, and key management in Azure Storage service encryption is transparent to customers. By default, Microsoft controls the encryption keys and is responsible for rotation, usage, and access. Keys are stored securely and protected inside a Microsoft key store. This option provides the most convenience for customers, given that all Azure Storage services are supported.

However, customers can also choose to manage encryption with their own keys by specifying a:

  • Customer-managed key for managing Azure Storage encryption, whereby the key is stored in Azure Key Vault. This option gives customers a great deal of flexibility to create, rotate, disable, and revoke access to customer-managed keys. Customers must use Azure Key Vault to store customer-managed keys; both key vaults and managed HSMs are supported.
  • Customer-provided key for encrypting and decrypting Blob Storage only, whereby the key can be stored in Azure Key Vault or in another key store on customer premises to meet regulatory compliance requirements. Customer-provided keys enable customers to pass an encryption key to the Azure Storage service through the Blob APIs as part of the read or write operations.

Storage service encryption is enabled by default for all new and existing storage accounts, and it can't be disabled. The encryption process uses two separate keys as described previously: symmetric AES-256 DEK and asymmetric RSA-2048 KEK.
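The key chain described in this section (a symmetric AES-256 DEK per block of data, an RSA-2048 KEK that exists only in Key Vault, and the rotate and revoke controls of the customer-managed key option) is easier to reason about when seen end to end. The following Go program is an added illustration written for this page, not Azure's implementation and not code from this module: `Vault`, `Partition`, the `storage-rp` principal and the sample record are constructed stand-ins, and Key Vault's real wrap/unwrap operations and its Entra ID-backed permissions are represented by an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Vault is a hypothetical stand-in for Azure Key Vault: it holds the RSA-2048 KEK and
// wraps/unwraps DEKs only for principals currently granted access. The private key never leaves it.
type Vault struct {
	kek     *rsa.PrivateKey
	allowed map[string]bool
}

func NewVault() (*Vault, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Vault{kek: kek, allowed: map[string]bool{}}, nil
}

func (v *Vault) Grant(principal string)  { v.allowed[principal] = true }
func (v *Vault) Revoke(principal string) { delete(v.allowed, principal) }

// Wrap encrypts a DEK under the KEK with RSA-OAEP; Unwrap is the only operation using the private key.
func (v *Vault) Wrap(principal string, dek []byte) ([]byte, error) {
	if !v.allowed[principal] {
		return nil, errors.New("vault: wrap denied for " + principal)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &v.kek.PublicKey, dek, nil)
}

func (v *Vault) Unwrap(principal string, wrapped []byte) ([]byte, error) {
	if !v.allowed[principal] {
		return nil, errors.New("vault: unwrap denied for " + principal)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, v.kek, wrapped, nil)
}

// Partition is one block of data; its DEK is persisted only in KEK-wrapped form.
type Partition struct{ WrappedDEK, Nonce, Ciphertext []byte }

// newGCM builds AES-256-GCM from a 32-byte DEK.
func newGCM(dek []byte) cipher.AEAD {
	block, err := aes.NewCipher(dek)
	if err != nil {
		panic(err) // only reachable with a wrong key length, which would be a bug here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

// EncryptPartition makes a fresh AES-256 DEK, seals the data, and keeps only the wrapped DEK.
func EncryptPartition(v *Vault, principal string, plaintext []byte) (*Partition, error) {
	dek := make([]byte, 32) // the plaintext DEK lives in memory only for this call
	rand.Read(dek)          // crypto/rand.Read is guaranteed not to fail since Go 1.24
	wrapped, err := v.Wrap(principal, dek)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(dek)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return &Partition{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptPartition asks the vault to unwrap the DEK, then opens the ciphertext.
func DecryptPartition(v *Vault, principal string, p *Partition) ([]byte, error) {
	dek, err := v.Unwrap(principal, p.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return newGCM(dek).Open(nil, p.Nonce, p.Ciphertext, nil)
}

// RotateDEK re-encrypts only this partition under a new DEK; other partitions are untouched.
func RotateDEK(v *Vault, principal string, p *Partition) (*Partition, error) {
	plaintext, err := DecryptPartition(v, principal, p)
	if err != nil {
		return nil, err
	}
	return EncryptPartition(v, principal, plaintext)
}

func main() {
	v, _ := NewVault()
	v.Grant("storage-rp") // constructed principal standing in for a resource provider
	p, _ := EncryptPartition(v, "storage-rp", []byte("constructed sample record"))
	v.Revoke("storage-rp")
	_, err := DecryptPartition(v, "storage-rp", p)
	fmt.Println("decrypt after revoking vault access:", err)
}
```

Running it prints the error returned once the principal's vault access is revoked: the ciphertext and the wrapped DEK are still stored, but nothing can unwrap the DEK, which is the effect described above when Key Vault permissions are removed. `RotateDEK` touches only the partition passed to it, matching the statement that replacing a DEK re-encrypts just its associated block, while the KEK's private half is used in exactly one place.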

Disk encryption for virtual machines

Azure Storage service encryption encrypts the page blobs that store Azure virtual machine disks. Additionally, Azure Disk Encryption may optionally be used to encrypt Azure Windows and Linux IaaS virtual machine disks to increase storage isolation and provide cryptographic assurance for customer data stored in Azure. This encryption includes managed disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks used by an IaaS virtual machine. The solution is integrated with Azure Key Vault to help customers control and manage the disk encryption keys. Azure Key Vault supports bring your own key (BYOK) scenarios, allowing customers to supply their own encryption keys, which are safeguarded in Azure Key Vault. Azure Disk Encryption relies on the two encryption keys described previously: 1) a symmetric AES-256 DEK used to encrypt OS and data volumes, and 2) an asymmetric RSA-2048 KEK used to encrypt the DEK and stored in Azure Key Vault under customer control.

Azure Disk Encryption doesn't support managed HSMs or an on-premises key management service. Only key vaults managed by the Azure Key Vault service can be used to safeguard customer-managed encryption keys for Azure Disk Encryption.

Azure SQL Database transparent data encryption

Azure SQL Database provides transparent data encryption (TDE) at rest by default. TDE performs real-time encryption and decryption operations on the data and log files. The Database Encryption Key (DEK) is a symmetric key stored in the database boot record so that it's available during recovery. It's secured either by a certificate stored in the master database of the server, or by an asymmetric key called the TDE Protector, stored under customer control in Azure Key Vault. Key Vault supports bring your own key (BYOK), which enables customers to store the TDE Protector in Key Vault and control key management tasks, including key permissions, rotation, deletion, and enabling auditing and reporting on all TDE Protectors. The key can be generated by Key Vault, imported, or transferred to Key Vault from an on-premises HSM device. Customers can also use the Always Encrypted feature of Azure SQL Database, designed specifically to help protect sensitive data. It allows clients to encrypt data inside client applications and never reveal the encryption keys to the database engine. In this way, Always Encrypted provides separation between the users who own the data (and can view it) and the users who manage the data (but should have no access to it).

Next, let's explore how Azure can protect data while it's in use.