In last article, we have seen what is the meaning of Azure encryption at rest. We also had look at some basic concepts related to it.
In this article, let’s have a look at how encryption at rest can be implemented for three of the well known Azure services. Microsoft is striving to make this feature available in all the storage services.
The purpose of this article is to provide idea about how encryption at rest can be enabled. Once you know the concept and how it can be enabled for few resources, you would be conceptually confident to enable it on any other type of resource.
Virtual Machines
Azure virtual machines provides disk encryption is to safeguard your data and meet the organizational compliance.
Azure disk encryption can be enabled to make sure that the data stored (i.e. at rest) is encrypted, so that even if unauthorized access is somehow obtained by malicious users, then also it would not be beneficial for them as they would not be able to read the data.
Azure uses the Bitlocker feature of Windows on windows machines while DM-Crypt on linux based machines. This is to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.
Below are examples of how disk encryption can be enabled on windows and linux based machines.
If you use Azure Security Center, you’re alerted if you have VMs that aren’t encrypted. For more information on Azure Disk encryption, see the Azure Disk Encryption documentation.
SQL Databases
On Azure, there are three ways to get your SQL database up and running:
- Azure SQL on Virtual Machines, in which SQL Server is installed on virtual machine. In this case, encryption at rest means just enabling disk encryption on the virtual machine.
- Azure SQL Databases, which is PaaS offering, meaning the details, of physical server where SQL Server is hosted , are hidden from the consumer of the service. Transparent Data Encryption (TDE) feature is by default enabled on SQL databases. Encryption keys are managed by Azure. Client side encryption model is also supported through Always Encrypted feature
- Azure SQL Managed Instance, which is also PaaS offering where you can host multiple databases as a part of elastic pool. The encryption options provided here are same as in
Azure SQL databases.
Azure Storage
Azure Storage provides multiple services including Blob Storage, Files Storage, Queue Storage and Table Storage. Azure storage supports the server side encryption model. It is by default enabled and by default it uses Microsoft managed keys.
It also supports client side encryption model. For more information, see Storage Service Encryption using customer-managed keys in Azure Key Vault.
If you open the storage account and select Settings -> Encryption option from left navigation, then you can see that by default Microsoft managed keys is selected. You can also enable your own keys by selecting other option and then providing key vault name.
I hope you liked this article. Let me know your thoughts.
