Encryption

Options

Raw Storage: Azure Storage Service Encryption (SSE)
  • SSE automatically encrypts data in:
    • All Azure Storage services including Azure Managed Disks, Azure Blob storage, Azure Files, Azure Queue storage, and Azure Table storage
    • Both performance tiers (Standard and Premium)
    • Both deployment models (Resource Manager and classic)
Virtual Machines: Azure Disk Encryption (ADE)
  • Encrypts Windows (BitLocker) and Linux (DM-Crypt) IaaS virtual machine disks (OS and data disks)
  • Integrated with Azure Key Vault
Databases: Transparent data encryption (TDE)
  • Performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application
  • Supports Azure SQL Database and Azure Data Warehouse
  • By default, TDE is enabled for all newly deployed Azure SQL Databases
  • Key management:
    • TDE encrypts the storage of an entire database by using a symmetric key (database encryption key)
    • By default, Azure provides a unique encryption key per logical SQL Server
    • Bring-your-own-key is also supported, with keys stored in Azure Key Vault
Secrets: Azure Key Vault
  • Secure secrets store that lets you create multiple secure containers (vaults), backed by hardware security modules (HSMs)

Azure Key Vault

Secret Format
  • A secret is a name-value pair of strings
  • Secret names must be 1-127 characters long, contain only alphanumeric characters and dashes, and must be unique within a vault
  • Key Vault supports two additional kinds of secrets beyond strings: keys and certificates
Vault authentication
  • Key Vault's API uses Azure AD to authenticate users and applications
  • Apps and users authenticate to Key Vault using an Azure AD authentication token
  • Getting a token from Azure AD requires a secret or certificate, because anyone with a token could use the application identity to access all of the secrets in the vault
Vault authentication with managed identities for Azure resources
  • Managed identities for Azure resources is a feature that apps can use to access Key Vault (and other Azure services) without having to manage even a single secret outside of the vault
  • When managed identity is enabled for a web app, Azure activates a separate token-granting REST service specifically for use by the app
    • The app will request tokens from this service instead of directly from Azure AD
    • The app needs to use a secret to access this service, but that secret is injected into the app's environment variables by App Service when it starts up
    • Enabling a managed identity also registers the app in Azure AD
  • Once the app has an identity, we can assign vault permissions to it
Vault permissions
  • Vault access policies are based on actions, and are applied across an entire vault
  • Actions: Get (read secret values), List (list names of all secrets), and Set (create or update secret values)
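A small model of the access-policy semantics above (actions are granted per principal and cover the whole vault, never a single secret), added here as an illustration; it is not Azure SDK code, and the principal names and secret values are constructed. It also enforces the secret-name rules from the Secret Format section.

```python
import re
from dataclasses import dataclass, field

# Secret-name rule from the notes: 1-127 chars, alphanumeric and dashes only.
_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,127}")

def validate_secret_name(name: str) -> bool:
    """True if the name satisfies the Key Vault secret-name rules."""
    return _NAME_RE.fullmatch(name) is not None

class Forbidden(Exception):
    """Raised when a principal lacks the required vault-wide action."""

@dataclass
class Vault:
    """Toy vault (hypothetical, not the Azure SDK). Policies map a principal
    to a set of actions and apply to every secret in the vault."""
    secrets: dict = field(default_factory=dict)   # name -> value
    policies: dict = field(default_factory=dict)  # principal -> {actions}

    def set_policy(self, principal: str, actions: set) -> None:
        if not actions <= {"Get", "List", "Set"}:
            raise ValueError("unknown action")
        self.policies[principal] = set(actions)

    def _require(self, principal: str, action: str) -> None:
        if action not in self.policies.get(principal, set()):
            raise Forbidden(f"{principal} lacks {action}")

    def set_secret(self, principal: str, name: str, value: str) -> None:
        self._require(principal, "Set")          # create or update
        if not validate_secret_name(name):
            raise ValueError("invalid secret name")
        self.secrets[name] = value

    def get_secret(self, principal: str, name: str) -> str:
        self._require(principal, "Get")          # Get covers ALL secrets
        return self.secrets[name]

    def list_secrets(self, principal: str) -> list:
        self._require(principal, "List")         # names only, never values
        return sorted(self.secrets)
```

Because Get is vault-wide, an app identity that needs one value can read every secret in that vault; keep unrelated secrets in separate vaults.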