For most customers, security is not only of the utmost importance but also a deciding factor in choosing a public cloud provider. Customers require their data to be encrypted at rest to meet their security and compliance needs. We at Azure Storage take security and privacy seriously and work tirelessly to help protect your data. Azure customers already benefit from Storage Service Encryption (SSE) for Azure Blob and File storage using Microsoft Managed Keys, and from Customer Managed Keys for Azure Blob storage.
As a central part of our strategy for protecting our customers' data, we are taking security a step further by enabling encryption by default, using Microsoft Managed Keys, for all data written to Azure Storage services (Blob, File, Table and Queue storage) and for all storage accounts (Azure Resource Manager and Classic storage accounts), both new and existing. SSE for managed disks, including the import scenario, will also be supported. To learn more, visit the managed disks & SSE FAQ.
All data written to Azure Storage is automatically encrypted by the Storage service before it is persisted, and decrypted before it is retrieved. Encryption and decryption are completely transparent to the user. All data is encrypted with 256-bit AES (AES-256), one of the strongest block ciphers available. With encryption enabled by default, customers do not have to make any changes to their applications. To verify that encryption is enabled for their storage accounts, customers can either query the encryption status of their data for blobs and files (not available for table and queue storage) or check the account properties. There is no additional charge and no performance degradation in using this feature.
We will be enabling this capability region by region, expanding to all Azure regions and Azure clouds in the coming weeks.
Visit the documentation to learn more about Storage Service Encryption with Service Managed Keys and Storage Service Encryption with Customer Managed Keys.