
Azure-Encrypted Storage and Azure Key Vault Explained

Storage encryption processes obscure and protect your data from unauthorized access and usage. In Azure storage services such as Azure NetApp Files, encryption is a built-in security mechanism that protects data at-rest.

You can manage Azure-encrypted storage data through Azure Key Vault. In this post, we’ll explain how Azure-encrypted storage works, and show how Azure NetApp Files can help secure your data at-rest and in-transit during and after migration.


What Is Storage Encryption?

Storage encryption uses encryption algorithms to obscure and protect data in or being moved to storage devices. The practice of encryption is an essential part of securing storage and is becoming common practice in organizations using storage area networks (SANs) and cloud storage resources.

The purpose of storage encryption is to harden devices, boosting security for a relatively low-cost investment. When encrypting storage, you can use the same encryption universally or vary it by file, folder, or storage volume.

Additionally, you can use different encryption standards for data at-rest vs in-transit. By diversifying the encryption standards and keys you use, you can segment your storage and data. This segmentation enables you to limit the damage attackers can cause with compromised keys.

Azure Storage Encryption

Azure Storage services come with built-in support for encryption, based on the 256-bit AES encryption standard. This standard is FIPS 140-2 compliant and is one of the strongest methods available. Azure encrypted storage is comparable to the BitLocker encryption that is available for Windows systems. Built-in encryption is available at no additional charge and cannot be disabled.

When you deploy storage resources, encryption is automatically applied and managed for you. This is true for both standard storage accounts and those under Resource Manager. It also applies regardless of the performance tier or access tier your resources are under.

In storage, encryption is enforced for any archived storage blobs. It is also applied to redundant data in both your primary and secondary storage locations. Azure encryption covers all storage resources, including disks, blobs, files, tables, and queues as well as any attached metadata.

One exception to storage encryption is for blobs written to storage before October 20, 2017. These blobs were not encrypted at the time of creation; encryption is applied to them through a background process. If you have blobs from before this date that have not yet been encrypted, you can force the process by rewriting the blob to your storage.

Key management

By default, your encryption is performed with Microsoft-managed keys. You also have the choice of using self-managed keys. To use self-managed keys, you can either use Azure Key Vault or specify a key each time a storage request is made.

If you select the Azure Key Vault option, encryption and decryption are transparent, as with managed keys. If you choose to specify a key, you need to submit the key with each read/write request from your client.

Azure Encryption At-Rest

Encryption at-rest is a primary focus of storage encryption, designed to protect data while it is not actively being used. In Azure, encryption at-rest is based on a symmetric model which enables you to encrypt and decrypt data quickly. This means that the same key is used for both encryption and decryption.

When keys are created, each is securely stored with strict audit policies and identity-based access controls. Keys may also be encrypted with a separate key, stored in Azure Key Vault, to ensure that data remains secure.

Encryption at-rest practices are designed to ensure that organizations can meet compliance and data governance standards. This includes regulations defined by PCI, HIPAA, and FedRAMP. By layering encryption at-rest with existing security measures, including data access controls and physical security, Azure can help guarantee data and storage security.

Implementing Azure Key Vault

As mentioned, Azure Key Vault is a service offered by Azure that you can use to manage encryption keys. You can also use this service to manage any secrets required for your services or applications. Secrets are credentials, keys, or other sensitive information that are used to securely identify users or services.

Through Azure Key Vault, you can create keys, migrate keys between environments, and manage access rights to keys. You can also monitor and audit any key use through logging. You can then send these logs to Azure HDInsight or a third-party solution to analyze use and detect potential abuse or threats.

Best practices

When using Azure Key Vault, you should implement the following best practices to maximize your security.

Define your access scopes

Through Azure Key Vault you can restrict access with roles defined in Azure Role-Based Access Control (RBAC). These roles enable you to limit the scope of a user’s permissions to specific key vaults, resource groups, or subscriptions. RBAC comes with pre-defined roles you can apply, such as Key Vault Contributor. You can also define custom roles.

Store certificates in your vault

Security certificates can be just as valuable as your encryption keys since attackers can use certificates to spoof or compromise services. To prevent the theft or modification of certificates, you can store them in Azure Key Vault. This method has the added advantage of enabling you to centrally manage certificates.

Ensure disaster recovery

You can ensure that deleted key vaults or vault objects are recoverable by enabling built-in protection features. These features help protect you from accidental or malicious purges or deletions of keys. Without recovery features, the loss of keys is the same as the loss of data since you cannot decrypt encrypted data without the correct key.
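As a worked example for the key-management section and the three best practices above, here is an added Bicep template (not from the original post or from NetApp) that deploys a vault with RBAC authorization, soft delete and purge protection, a key-encryption key, and a storage account whose built-in encryption is switched to that customer-managed key through a user-assigned identity. Parameter and resource names are assumptions, and the built-in role id should be verified in your tenant.

```bicep
param location string = resourceGroup().location
param vaultName string
param storageName string
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true // scope access with Azure RBAC roles instead of access policies
    enableSoftDelete: true        // deleted keys, and the vault itself, stay recoverable (90-day default)
    enablePurgeProtection: true   // nothing can be permanently purged during the retention window
  }
}

resource kek 'Microsoft.KeyVault/vaults/keys@2023-07-01' = { // wraps the storage service's data-encryption keys
  parent: kv
  name: 'storage-kek'
  properties: { kty: 'RSA', keySize: 2048 }
}
resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { // identity the storage account presents to the vault
  name: '${storageName}-cmk'
  location: location
}
resource cryptoUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = { // grants that identity wrap/unwrap only
  name: guid(kv.id, uai.id, 'kv-crypto-service-encryption-user')
  scope: kv
  properties: {
    principalId: uai.properties.principalId
    principalType: 'ServicePrincipal'
    // Built-in role "Key Vault Crypto Service Encryption User" (id assumed; verify in your tenant).
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
  }
}

resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = { // built-in encryption switched to the customer-managed key
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uai.id}': {} } }
  properties: {
    encryption: {
      keySource: 'Microsoft.Keyvault'
      identity: { userAssignedIdentity: uai.id }
      keyvaultproperties: { keyname: kek.name, keyvaulturi: kv.properties.vaultUri }
    }
  }
  dependsOn: [ cryptoUser ] // the role must exist before the account first unwraps the key
}
```

Because purge protection cannot be turned off once enabled, and the account refuses to start without the role assignment in place, a failed deployment leaves the vault intact and the data unreadable rather than silently falling back to Microsoft-managed keys.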

Azure-Encrypted Storage with Azure NetApp Files

Azure NetApp Files is a Microsoft Azure file storage service built on NetApp technology, giving you the file capabilities in Azure that even your core business applications require.

Bring enterprise-grade data management and storage—with built-in encryption at rest—to Azure so you can manage your workloads and applications with ease, and move all of your file-based applications to the cloud.

Azure NetApp Files solves availability and performance challenges for enterprises that want to move mission-critical applications to the cloud, including workloads such as HPC, SAP, Linux, Oracle, SQL Server, Windows Virtual Desktop, and more.

In particular, Azure NetApp Files allows you to migrate more applications to Azure, even your business-critical workloads, with built-in security and extreme file throughput with sub-millisecond response times.

Want to get started? See Azure NetApp Files for yourself with a free demo.

Cloud Data Services