Encryption at Rest Coming to Azure Blob Storage in Preview

Microsoft has announced new encryption capabilities coming to Azure Blob Storage. As a result, all data stored in blob storage is now encrypted at rest using 256-bit AES encryption.

[Figure: portal screenshot showing the storage account's Encryption properties]

The new feature is only available in preview and only in particular regions (East Asia for Standard Storage and Japan East for Premium Storage).

The encryption is transparent to all the existing interfaces into Azure Storage (e.g. AzCopy, PowerShell, the .NET APIs), so no application changes are required to take advantage of the feature.

The strength of any encryption scheme depends on how its keys are managed, and in this case the keys are created and managed by Microsoft. However, Microsoft is looking to enable organizations that want to manage their own keys so that those keys are never in Microsoft's hands (a big concern for organizations that don't want their data handed over in response to requests from the NSA and other government agencies).
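Rather than relying on the portal screenshot, a practitioner will want to read the same encryption properties programmatically for every account they own. The following PowerShell snippet is an added example, not code from the original article or from Microsoft; it uses the Az PowerShell module's Get-AzStorageAccount cmdlet (which postdates this announcement) and assumes an existing login via Connect-AzAccount. The resource group and account names are placeholders.

```powershell
# Added example: report blob encryption-at-rest status and key source for one storage account.
# Assumes the Az PowerShell module is installed and Connect-AzAccount has already been run.
# Resource group and storage account names below are placeholders.
function Get-BlobEncryptionStatus {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName
    )

    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $enc = $account.Encryption

    # KeySource is 'Microsoft.Storage' when Microsoft creates and holds the keys
    # (the situation this announcement describes) and 'Microsoft.Keyvault' when
    # the keys are supplied from a customer-controlled Key Vault.
    [pscustomobject]@{
        Account       = $account.StorageAccountName
        BlobEncrypted = [bool] $enc.Services.Blob.Enabled
        KeySource     = $enc.KeySource
        CustomerKeys  = ($enc.KeySource -eq 'Microsoft.Keyvault')
    }
}

# Usage with placeholder names:
Get-BlobEncryptionStatus -ResourceGroupName 'example-rg' -StorageAccountName 'examplestorage'
```

For a subscription-wide check, Get-AzStorageAccount with no parameters lists every account in the current subscription, so the function can be run for each result and any account whose BlobEncrypted value is false, or whose KeySource does not match the organization's key-management policy, can be flagged.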

Q: Who manages the encryption keys?

A: The keys are managed by Microsoft.

Q: Can I use my own encryption keys?

A: We are working on providing capabilities for customers to bring their own encryption keys.

Q: Can I revoke access to the encryption keys?

A: Not at this time; the keys are fully managed by Microsoft.