Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge
Find out how HCI cuts down virtualization costs and complexity

Azure Introduces Storage Service Encryption for Managed Disks with No Additional Cost

  • June 19, 2017
  • 5 min read
Augusto Alvarez
Augusto is currently working as Principal Consultant in Dell EMC, originally from Argentina and now based in the US. His role currently is designing customer requirements into specific systems and processes; also performing technical briefings; leading architectural design sessions and proofs of concept. Augusto is also the author from two published App-V books: “Getting Started Microsoft Application Virtualization 4.6” and “Microsoft Application Virtualization Advanced Guide”.
Augusto is currently working as Principal Consultant in Dell EMC, originally from Argentina and now based in the US. His role currently is designing customer requirements into specific systems and processes; also performing technical briefings; leading architectural design sessions and proofs of concept. Augusto is also the author from two published App-V books: “Getting Started Microsoft Application Virtualization 4.6” and “Microsoft Application Virtualization Advanced Guide”.

As we referenced several times, security is one of the main topics for cloud providers looking to guarantee privacy for their customers’ data and information. Microsoft just announced the public availability for Storage Service Encryption (SSE) for Azure Managed Disks, with no additional cost.

Azure Storage Service Encryption

Azure Managed Disks were introduced by Microsoft some while back to facilitate the storage administration for Azure admins. Previously, admins had to create storage accounts to hold the disks (VHD files) for your Azure VMs. As new VMs and/or new disks were being added, the admin had to make sure you created additional storage accounts so you didn’t exceed the IOPS limit for storage with any of your disks. With Managed Disks, the storage account limits do not apply anymore (such as 20,000 IOPS / account).

Storage Service Encryption (SSE) enables encryption-at-rest, automatically encrypts data prior to persisting to storage and decrypts prior to retrieval. The encryption, decryption, and key management are totally transparent to users. All data is encrypted using 256-bit AES encryption.

Storage Account Encryption window

SSE can be used for Azure Blob Storage and File Storage. It works for the following:

  • Standard Storage: General purpose storage accounts for Blobs and File Storage and Blob Storage accounts
  • Premium storage
  • All redundancy levels (LRS, ZRS, GRS, RA-GRS)
  • Azure Resource Manager storage accounts (but not classic)
  • All regions.

Storage Service Encryption has some limitations to consider, to name a few: Encryption of classic storage accounts is not supported; SSE only encrypts new data (encrypting existing data will be available in the near future); table and queues data will not be encrypted.

Azure Storage service encryption window

The keys used by SSE are fully managed by Microsoft, for the moment it’s not supported the scenario where customers use their own keys for encryption but it could be available as an upcoming feature.

It is also important to note that Storage Service Encryption it’s not the same as Azure Disk Encryption, the latter is used to encrypt OS and data disks within the Azure VMs, while SSE encrypts data in Azure Blob Storage.

Related materials:

Tags
Hey! Found Augusto’s insights useful? Looking for a cost-effective, high-performance, and easy-to-use hyperconverged platform?
Taras Shved
Taras Shved StarWind HCI Appliance Product Manager
Look no further! StarWind HCI Appliance (HCA) is a plug-and-play solution that combines compute, storage, networking, and virtualization software into a single easy-to-use hyperconverged platform. It's designed to significantly trim your IT costs and save valuable time. Interested in learning more? Book your StarWind HCA demo now to see it in action!