In this video, learn about Azure Blob encryption—both for data at rest and in transit. This video shows how to enable encryption on an Azure storage account.
- [Narrator] Another way to secure our Azure Storage account is to implement Azure Blob Encryption. This can be done for your data in transit and at rest. Let's go ahead and explore this in a little bit more detail. We'll first look at Azure File Shares and Encryption in Transit. When using Azure File Shares, we are typically using these on an Azure virtual machine. And you'll want to use SMB 3.0 because SMB 2.1 does not support encryption.
And only connections within the same Azure region are permitted. SMB 3.0 supports encryption and it is only available on file shares when using Server 2012 R2 and above, or using the client operating system Windows 8 and above. When using SMB 3.0, you are able to use connections that are cross-region and even down to the desktop level. Next let's go ahead and take a look at Encryption in Transit. And this will be for client-side encryption.
When using client-side encryption, the data is encrypted at the client. And it is decrypted after retrieving it from Azure Storage. So it's never decrypted during transit. If we look at Encryption at Rest, we can use Storage Service Encryption, or SSE. And using SSE ensures that data written to Azure Storage is automatically encrypted. And data read from Azure Storage is decrypted by the storage service.
Unless that data needs to be accessed, it is encrypted. We can also have Client-Side Encryption for Data at Rest, just like we had the Client-Side Encryption for Data in Transit. And again this is no different. The data is encrypted at the client and it is decrypted after retrieving data from Azure Storage. And finally, we can go ahead and encrypt our virtual machine disk as well. Here, we actually encrypt the operating system and the data disk.
Sometimes it's easier to look at a chart to compare across the different layers. So if we look at client-side encryption, we can see that it encrypts data before transit and encrypts data at rest. It is managed by the application. Keep in mind, the code must be added to the application itself in order to encrypt and decrypt the data. Not only can we encrypt Blob Storage, but we can also encrypt table data and queue data. Storage Service Encryption encrypts data at rest. Now keep in mind, though, it will only encrypt new data.
So if you go ahead and encrypt it now, anything that is then put into Azure Storage is then encrypted. Anything that you've previously put there will not be. It encrypts blobs only. And there's no impact to the performance of the storage when you use Storage Service Encryption. And finally, Azure Disk Encryption we use to encrypt our Azure virtual machines and as I just said, it will encrypt both the data and the operating system disk. Let's go ahead and take a look at this in action. I've already logged in to Azure.
I'm in the DesignStorage resource group and we have a storage account. I'm going to go ahead and open the blade for the storage account. And here we're going to scroll down to the Blob Service. Now I can go ahead and under Blob Service, I can open up the Encryption blade. And all I need to do to enable Storage Service Encryption for data at rest is to click Enabled. That's it. I'm going to go ahead and click Save. Done.
We can also do it for the File Service. I'm going to come down under File Service. Again, open the Encryption blade. And to protect that data at rest, click Enabled. And click Save. And that's all there is to it. Encrypting your data, both in transit and at rest, will help keep your data safe and help you also meet any compliance policies that you may have in place.