Azure Storage Service Encryption (SSE) is a newly released feature that adds another option for keeping data encrypted at rest. It is currently in preview and supports block blobs, page blobs and append blobs.
Previously the option was client-side encryption, written into applications so that data was encrypted before it was written to the storage account and decrypted on retrieval. With Storage Service Encryption this is enabled per storage account, and all data written to and read from Azure Storage is encrypted and decrypted transparently by the service.
This means that anything written to the blob service of a storage account with Storage Service Encryption enabled will be encrypted. For example, all data that web applications put to or get from the blob service is stored encrypted in the storage account. Azure IaaS VMs, whose disks are stored as page blobs, gain another option or an additional layer of protection for data at rest. SQL data files written directly to blob storage now have an encryption-at-rest option that does not require the complexity of configuring SQL TDE, and Microsoft indicate that there is no perceivable impact on latency.
At the time of writing Microsoft fully maintain and rotate the encryption keys used by the SSE feature; as the feature continues to develop, one could reasonably expect it to integrate with Key Vault at some stage.
Enabling Storage Service Encryption
Currently SSE is in preview and is only available in select regions, and you must register for the service by running a few PowerShell cmdlets.
#Register Storage Resource Provider
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.Storage"
#Register the SSE feature
Register-AzureRmProviderFeature -FeatureName "EncryptionAtRest" -ProviderNamespace "Microsoft.Storage"
#Check status of SSE registration
Get-AzureRmProviderFeature -FeatureName "EncryptionAtRest" -ProviderNamespace "Microsoft.Storage"
FeatureName ProviderName RegistrationState
----------- ------------ -----------------
EncryptionAtRest Microsoft.Storage Registered
When the registration state returns “Registered”, the feature has been enabled on your subscription and you can continue testing.
There are a few other things to consider when using SSE:
- You can only enable SSE on new Azure RM Storage Accounts that were created after the preview began
- Changing the state of encryption on the storage account does not change the state of data already within the storage account
Once it has been enabled at the subscription level you can enable it on a Storage Account. SSE supports all the replication configurations of storage accounts and both Premium and Standard accounts. To enable it, browse to the Storage Account properties and choose “Encryption”.
That’s it: encryption is enabled at the blob service level and all data written to the storage account from that point on will be encrypted at rest.
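The post enables encryption through the portal; the same steps can be scripted end to end so that an account is encrypted before any data lands in it (remember that turning encryption on later does not re-encrypt existing blobs). The script below is an added example, not from the original post. It assumes the AzureRM PowerShell module of the preview era, and the resource group, account name and region values are placeholders. The -EnableEncryptionService parameter and the Encryption property on the returned account are assumed to match the AzureRM.Storage module of that time; check them with Get-Command Set-AzureRmStorageAccount -Syntax against the version you have installed.

```powershell
# Added example (not from the original post): scripted enablement of Storage
# Service Encryption with the AzureRM module, including the asynchronous
# feature-registration wait that the portal hides from you.
# Placeholder values; replace with your own.
$ResourceGroup  = "rg-sse-demo"        # assumed
$StorageAccount = "ssedemostorage01"   # assumed; must be a new ARM account created after the preview began
$Location       = "West US"            # assumed; the SSE preview is only available in select regions

Login-AzureRmAccount

# 1. Register the resource provider and the preview feature (safe to re-run).
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.Storage" | Out-Null
Register-AzureRmProviderFeature -FeatureName "EncryptionAtRest" -ProviderNamespace "Microsoft.Storage" | Out-Null

# 2. Registration is asynchronous: poll until the state reads "Registered".
do {
    $feature = Get-AzureRmProviderFeature -FeatureName "EncryptionAtRest" -ProviderNamespace "Microsoft.Storage"
    Write-Host ("Registration state: {0}" -f $feature.RegistrationState)
    if ($feature.RegistrationState -ne "Registered") { Start-Sleep -Seconds 30 }
} while ($feature.RegistrationState -ne "Registered")

# 3. Create the account with blob encryption switched on from the start, so no
#    unencrypted data is ever written to it. Any replication SKU is supported;
#    Standard_LRS is used here as an example.
New-AzureRmResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
New-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -Location $Location -SkuName "Standard_LRS" -EnableEncryptionService Blob | Out-Null

# For an existing (post-preview) account the equivalent of the portal toggle is:
# Set-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -EnableEncryptionService Blob

# 4. Verify rather than trust the click: the account's Encryption property
#    should report the blob service as enabled.
$account        = Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$blobEncryption = $account.Encryption.Services.Blob
if ($blobEncryption.Enabled) {
    Write-Host ("Blob SSE enabled on {0} since {1}" -f $StorageAccount, $blobEncryption.LastEnabledTime)
} else {
    Write-Warning ("Blob SSE is NOT enabled on {0}" -f $StorageAccount)
}
```

The verification step at the end is worth keeping in any deployment script: LastEnabledTime is the boundary before which blobs already in the account were written unencrypted, which is exactly the caveat listed above.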