Raw Storage |
Azure Storage Service Encryption (SSE) |
SSE automatically encrypts data in:
- All Azure Storage services, including Azure Managed Disks, Azure Blob storage, Azure Files, Azure Queue storage, and Azure Table storage
- Both performance tiers (Standard and Premium)
- Both deployment models (Resource Manager and classic)
|
Virtual Machines |
Azure Disk Encryption (ADE) |
- Encrypts Windows (BitLocker) and Linux (DM-Crypt) IaaS virtual machine disks (OS and data disks)
- Integrated with Azure Key Vault
|
Databases |
Transparent data encryption (TDE) |
- Performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application
- Supports Azure SQL Database and Azure Data Warehouse
- By default, TDE is enabled for all newly deployed Azure SQL Databases
- Key management:
  - TDE encrypts the storage of an entire database by using a symmetric key (database encryption key)
  - By default, Azure provides a unique encryption key per logical SQL Server
  - Bring-your-own-key is also supported with keys stored in Azure Key Vault
|
Secrets |
Azure Key Vault |
A secure secrets store that lets you create multiple secure containers (vaults), backed by hardware security modules (HSMs) |