In a previous article I talked about Azure Storage, Microsoft’s offering for cloud-based storage. Today Storage Service Encryption (SSE) for Data at Rest has become generally available for Azure Storage. This means you can now encrypt data at rest with AES-256 encryption. This is a welcome addition, especially since Amazon Web Services has supported encryption of data at rest for a long time. Moreover, Microsoft already provided encryption options for Data in Transit, for example by using HTTPS or SMB 3.0.
It was already possible to encrypt data on Azure Storage using client-side encryption; in this scenario the application that has access to a storage account is responsible for encrypting and decrypting the data. A common use case here is backup solutions that use Azure Storage as a backup target. With SSE, encryption becomes an integral part of the Azure Storage proposition, providing new scenarios for encryption.
SSE is now available for page blobs, block blobs and append blobs, for both standard and premium storage and for all redundancy levels (LRS, ZRS, GRS, RA-GRS). Note that encryption of classic storage accounts, and of classic storage accounts that are migrated to the Resource Manager model, is not supported. You can now encrypt the virtual hard disks (VHDs) of your virtual machines and all other files stored on a (supported) storage type. Azure Storage automatically encrypts your data prior to persisting it to storage and decrypts it prior to retrieval.
Configure SSE
Configuring Storage Service Encryption is simple and straightforward. Look for the Blob service section in your storage account and click Encryption on the settings blade. Select Enabled or Disabled to configure encryption.
Important: SSE will only encrypt new blobs that are written to the storage account. Blobs that are already in the storage account will not be encrypted until you read and then write them again. There are no additional costs for enabling the encryption option, which is by the way available in all Azure regions.
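The same configuration can be done from Azure PowerShell (AzureRM module), which also lets you verify the setting and act on the caveat above. This is an added example, not code from the original post; the resource group and storage account names are placeholders, and it assumes the storage client library exposes the per-blob IsServerEncrypted property.

```powershell
# Added example (not from the original post): enable SSE on an existing
# storage account with the AzureRM module, confirm the setting took effect,
# and list blobs that are not yet server-side encrypted. The resource group
# and account names below are placeholders.
$resourceGroup = 'rg-placeholder'
$accountName   = 'storageplaceholder'

Login-AzureRmAccount

# Enable SSE for the Blob service (the same toggle as the portal's Encryption blade).
Set-AzureRmStorageAccount -ResourceGroupName $resourceGroup `
    -Name $accountName -EnableEncryptionService Blob | Out-Null

# Verify: the account must now report blob encryption as enabled.
$account = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $accountName
if (-not $account.Encryption.Services.Blob.Enabled) {
    throw "SSE is not enabled on $accountName"
}
Write-Host "SSE is enabled on $accountName"

# Caveat check: SSE only covers blobs written after it was enabled. Walk every
# container and report blobs whose IsServerEncrypted property is still false;
# these need a read-and-rewrite before they are protected at rest.
$ctx = $account.Context
$pending = foreach ($container in Get-AzureStorageContainer -Context $ctx) {
    Get-AzureStorageBlob -Container $container.Name -Context $ctx |
        Where-Object { -not $_.ICloudBlob.Properties.IsServerEncrypted } |
        ForEach-Object {
            [pscustomobject]@{ Container = $container.Name; Blob = $_.Name; Bytes = $_.Length }
        }
}

if ($pending) {
    Write-Warning "$(@($pending).Count) blob(s) are not yet encrypted at rest:"
    $pending | Format-Table -AutoSize
} else {
    Write-Host 'All blobs in the account report server-side encryption.'
}
```

Run the second half again after rewriting the reported blobs to confirm the account has no unencrypted data left.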
Read more about SSE here.