
As we have mentioned several times, security is one of the main topics for cloud providers looking to guarantee the privacy of their customers’ data and information. Microsoft just announced the public availability of Storage Service Encryption (SSE) for Azure Managed Disks, at no additional cost.

Azure Storage Service Encryption

Microsoft introduced Azure Managed Disks some time ago to simplify storage administration for Azure admins. Previously, admins had to create storage accounts to hold the disks (VHD files) for their Azure VMs. As new VMs and/or new disks were added, the admin had to create additional storage accounts so that the disks did not exceed the storage IOPS limit. With Managed Disks, the storage account limits (such as 20,000 IOPS per account) no longer apply.


Storage Service Encryption (SSE) provides encryption at rest: it automatically encrypts data before persisting it to storage and decrypts it before retrieval. The encryption, decryption, and key management are completely transparent to users. All data is encrypted using 256-bit AES encryption.

Storage Account Encryption window

SSE can be used for Azure Blob Storage and File Storage. It works for the following:

  • Standard Storage: General purpose storage accounts for Blobs and File Storage and Blob Storage accounts
  • Premium storage
  • All redundancy levels (LRS, ZRS, GRS, RA-GRS)
  • Azure Resource Manager storage accounts (but not classic)
  • All regions.

Storage Service Encryption has some limitations to consider. To name a few: encryption of classic storage accounts is not supported; SSE only encrypts new data (encrypting existing data will be available in the near future); Table and Queue data will not be encrypted.

Azure Storage service encryption window

The keys used by SSE are fully managed by Microsoft. For the moment, the scenario where customers use their own keys for encryption is not supported, but it could be available as an upcoming feature.

It is also important to note that Storage Service Encryption is not the same as Azure Disk Encryption: the latter is used to encrypt OS and data disks within Azure VMs, while SSE encrypts data in Azure Blob Storage.

Augusto Alvarez
Augusto is currently working as a Principal Consultant at Dell EMC; originally from Argentina, he is now based in the US. His current role involves designing customer requirements into specific systems and processes, performing technical briefings, and leading architectural design sessions and proofs of concept. Augusto is also the author of two published App-V books: “Getting Started Microsoft Application Virtualization 4.6” and “Microsoft Application Virtualization Advanced Guide”.