As we have mentioned several times, security is one of the main concerns for cloud providers looking to guarantee the privacy of their customers’ data and information. Microsoft has just announced the public availability of Storage Service Encryption (SSE) for Azure Managed Disks, at no additional cost.

Azure Storage Service Encryption

Azure Managed Disks were introduced by Microsoft a while back to simplify storage administration for Azure admins. Previously, admins had to create storage accounts to hold the disks (VHD files) for their Azure VMs. As new VMs and/or new disks were added, the admin had to make sure additional storage accounts were created so that the disks did not exceed the storage account’s IOPS limit. With Managed Disks, the storage account limits (such as 20,000 IOPS per account) no longer apply.

Storage Service Encryption (SSE) provides encryption at rest: data is automatically encrypted before it is persisted to storage and decrypted before it is retrieved. Encryption, decryption, and key management are fully transparent to users. All data is encrypted using 256-bit AES encryption.

Storage Account Encryption window

SSE can be used for Azure Blob Storage and File Storage. It works for the following:

  • Standard Storage: general-purpose storage accounts (for Blobs and File Storage) and Blob Storage accounts
  • Premium Storage
  • All redundancy levels (LRS, ZRS, GRS, RA-GRS)
  • Azure Resource Manager storage accounts (but not classic)
  • All regions

Storage Service Encryption has some limitations to consider, to name a few: encryption of classic storage accounts is not supported; SSE only encrypts new data (encryption of existing data will be available in the near future); Table and Queue data is not encrypted.
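Because SSE only encrypts data written after it is switched on, an admin wants to know not just whether encryption is enabled on each Resource Manager storage account but also since when. The following AzureRM PowerShell audit is an added example, not code from the original post; it assumes the AzureRM.Storage module and an authenticated session (Login-AzureRmAccount), and the two function names are hypothetical helpers.

```powershell
# Added example (not from the original post): audit Resource Manager storage accounts
# for SSE and report when it was enabled, since blobs/files written before that
# timestamp are not encrypted retroactively. Classic accounts are not returned by
# Get-AzureRmStorageAccount, matching the limitation described above.
function Get-SseStatus {
    param(
        # Optional: restrict the audit to one resource group; default is the whole subscription
        [string]$ResourceGroupName
    )
    $accounts = if ($ResourceGroupName) {
        Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzureRmStorageAccount
    }
    foreach ($acct in $accounts) {
        $svc = $acct.Encryption.Services   # $null when SSE has never been configured
        [pscustomobject]@{
            ResourceGroup   = $acct.ResourceGroupName
            Account         = $acct.StorageAccountName
            Sku             = $acct.Sku.Name
            BlobEncrypted   = [bool]($svc -and $svc.Blob -and $svc.Blob.Enabled)
            BlobEnabledTime = if ($svc -and $svc.Blob) { $svc.Blob.LastEnabledTime } else { $null }
            FileEncrypted   = [bool]($svc -and $svc.File -and $svc.File.Enabled)
            FileEnabledTime = if ($svc -and $svc.File) { $svc.File.LastEnabledTime } else { $null }
        }
    }
}

# Turn SSE on for Blob and File services wherever it is still missing.
# -WhatIf previews the change so nothing is modified until you remove it.
function Enable-SseWhereMissing {
    param([string]$ResourceGroupName)
    Get-SseStatus -ResourceGroupName $ResourceGroupName |
        Where-Object { -not ($_.BlobEncrypted -and $_.FileEncrypted) } |
        ForEach-Object {
            Set-AzureRmStorageAccount -ResourceGroupName $_.ResourceGroup `
                -Name $_.Account -EnableEncryptionService Blob,File -WhatIf
        }
}

# Unencrypted accounts sort to the top; compare BlobEnabledTime with the age of your data.
Get-SseStatus | Sort-Object BlobEncrypted, Account | Format-Table -AutoSize
```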

Azure Storage service encryption window

The keys used by SSE are fully managed by Microsoft; for the moment, the scenario where customers use their own encryption keys is not supported, but it could become available as an upcoming feature.

It is also important to note that Storage Service Encryption is not the same as Azure Disk Encryption: the latter encrypts the OS and data disks within Azure VMs, while SSE encrypts data in Azure Blob Storage.
