Understanding basics of Azure Encryption at Rest

In this article, let's look at what Azure's encryption at rest means and at the basic concepts around the term.


Imagine that you own a very large software application that generates a lot of data. Some of that data is critical to the success of your business. The data is stored on disks (either on premises or in some cloud environment).

So, what will happen if a malicious user gets access to those disks?

Should you just assume that, because you own the disks, nobody else can access them or the data on them? Certainly not.

I hope the scenario above makes the point clear: the data stored on the disks should not be accessible to malicious users. How can this be achieved?

What is the solution?

Encrypting the data that is persisted on disk is known as encryption at rest. Most designs in Azure use symmetric encryption algorithms to make sure that the data is encrypted and secured.

This means the same key is used for encryption and later for decryption of the data. Key management is done transparently by Azure services. If you want to manage the encryption keys yourself, Azure provides that option too.

Why?

Security is of paramount importance for any organization and application. Making sure that the organization's data and its users' data are safe is one of the main responsibilities of a business.

Apart from security, there can be other reasons, such as compliance with industry standards and government regulations like HIPAA, PCI and FedRAMP.

In addition, encryption at rest provides a defense-in-depth mechanism. Azure provides compliant services and comprehensive facilities for physical security, data access control and auditing. Encryption at rest provides an additional mechanism in case all other security measures fail.


As stated earlier, encryption at rest uses a symmetric algorithm, with the same key for data encryption and decryption. Below are some of the basic components that Azure services use to provide encryption at rest. Note that the actual implementation may vary between Azure services, but the following description should give a high-level idea of how it works.

Azure Key Vault

Encryption keys are an important resource in an encryption at rest implementation. Azure Key Vault is the recommended place to store the keys securely, so that only authorized principals have access to them.

Azure services can manage the encryption keys automatically. Alternatively, users can be granted access to the key vault, and customers can define and manage the keys themselves.

Azure AD

Azure Active Directory is the identity and access management service provided by Azure. Permissions to use the keys stored in Azure Key Vault, either to manage or to access them for Encryption at Rest encryption and decryption, can be given to Azure Active Directory accounts.

Encryption keys

Encryption keys can be stored in the key vault, thus centralizing all the keys. Limiting access to the encryption keys reduces the surface area of risk. Azure services can be granted access to the key vault so that they can automatically read the key and encrypt the data. There are two types of keys:

  • Data Encryption Keys, which are used to encrypt blocks or partitions of data. When the data encryption keys are replaced, the data needs to be decrypted and encrypted again using the new keys.
  • Key Encryption Keys, which are used to encrypt the data encryption keys.
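
The two-level key hierarchy above, as an added example (not code from this article or from Azure): a data encryption key protects the data, and a key encryption key wraps the DEK. It goes slightly beyond the text by also showing KEK replacement, which only re-wraps the DEK. Assumptions: AES-256-GCM through Ruby's OpenSSL binding, a local random key standing in for a KEK held in a key vault, and hypothetical function names.

```ruby
require "openssl"

NONCE_LEN, TAG_LEN = 12, 16 # AES-GCM nonce and tag sizes in bytes
Record = Struct.new(:wrapped_dek, :ciphertext) # what is persisted on disk

# AES-256-GCM; returns nonce || tag || ciphertext.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = "" # no associated data
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError if the key is wrong or the blob was altered.
def unseal(key, blob)
  raise ArgumentError, "blob too short" if blob.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = ""
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# Data goes under a fresh DEK; the DEK is stored only in wrapped form.
def encrypt_record(kek, data)
  dek = OpenSSL::Random.random_bytes(32)
  Record.new(seal(kek, dek), seal(dek, data))
end

def decrypt_record(kek, record)
  unseal(unseal(kek, record.wrapped_dek), record.ciphertext)
end

# KEK rotation: re-wrap the DEK only; the data ciphertext is reused unchanged.
def rotate_kek(old_kek, new_kek, record)
  Record.new(seal(new_kek, unseal(old_kek, record.wrapped_dek)), record.ciphertext)
end

# DEK rotation: the data must be decrypted and encrypted again under a new DEK.
def rotate_dek(kek, record)
  encrypt_record(kek, decrypt_record(kek, record))
end

# Constructed sample: a local random key stands in for a KEK held in a key vault.
kek_v1, kek_v2 = OpenSSL::Random.random_bytes(32), OpenSSL::Random.random_bytes(32)
rotated = rotate_kek(kek_v1, kek_v2, encrypt_record(kek_v1, "constructed sample record"))
puts decrypt_record(kek_v2, rotated)
```

After `rotate_kek` the old KEK no longer opens the record, while the stored data ciphertext is byte-for-byte the same; `rotate_dek` produces a new data ciphertext.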

Implementation models

There are two main types of implementation models.

  • Server Side Encryption Model
  • Client Side Encryption Model

Server Side Encryption Model

In the server side encryption model, the application sends plain text data to Azure services. The Azure services then encrypt or decrypt the data, using either service managed keys or customer managed keys.

The application is not aware of the encryption keys, and encryption at rest is completely transparent to the application.

The server side encryption model can be implemented using 3 different techniques. Below are high-level descriptions of those techniques.

Server side encryption using service managed keys

The Azure resource provider performs encryption and decryption of the data. Microsoft Azure manages the keys. This is a full cloud implementation, and encryption at rest is essentially transparent to the end user.

Server side encryption using customer managed keys in key vault

The Azure resource provider performs encryption and decryption of the data. Microsoft does not manage the keys in this case; customers manage the keys via Azure Key Vault.

Server side encryption using customer managed keys from customer-controlled hardware

This is like the previous option: encryption and decryption are done by the Azure resource provider. Customers manage the keys via customer-controlled hardware.

Client Side Encryption Model

In this model, encryption and decryption are handled by the application. Because the application takes care of encrypting and decrypting the data, the encryption keys are also managed by the application.

Azure is not aware of the actual data at all, because Azure always receives encrypted data, stores it, and returns the encrypted data whenever the application asks for it again.

I hope this article helped you. Let me know your thoughts.
