Forum Discussion
Encryption of data at rest in Azure
Hello,
While checking the Azure documentation on data encryption I read about tenant root keys (https://learn.microsoft.com/en-us/azure/information-protection/plan-implement-tenant-key#tenant-root-keys-generated-by-microsoft) and about encryption offered at the service level for data at rest (https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services).
My understanding is that while the root encryption keys are managed at the tenant level and data at rest is encrypted at the service level, data at rest is stored encrypted with one key (i.e. one layer of encryption is applied to the data). The only time we speak about double encryption (i.e. stored data is encrypted twice) is in the case of Double Key Encryption (DKE), where the client first encrypts the data and then Azure adds another layer of encryption.
Is my understanding correct? Thank you for your help.
- Fjorgego (Copper Contributor):
Hi!
Yes 🙂 Data at rest in Azure is typically encrypted with one layer of encryption, where the data encryption keys (DEKs) are managed by Azure and stored encrypted with the tenant root key. However, Double Key Encryption (DKE) provides an option for double encryption by allowing clients to encrypt the data with their own key before Azure adds another layer of encryption with the tenant root key.
- SoniaDuc (Copper Contributor):
Hello,
Looking more into the Azure documentation, it seems there is infrastructure encryption (https://learn.microsoft.com/en-us/azure/security/fundamentals/double-encryption) that can apply the second layer of encryption. It can be activated for several services (e.g. Azure storage, Azure disk storage).
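To make the key hierarchy described in the reply above concrete (a per-object DEK wrapped under the tenant root key, plus the optional second layer that DKE or infrastructure encryption adds), here is an added example in Go. It is not code from this thread or from Microsoft, and it makes simplifying assumptions: every key is a random local AES-256 key and the DEK is wrapped with AES-GCM, whereas in Azure the root key stays in Key Vault or an HSM and the wrapping algorithm is the service's own. The names `Envelope`, `EnvelopeEncrypt`, `DoubleEncrypt` and the layer labels are the example's, not Azure's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the service stores per object: the data sealed under a
// per-object DEK, and that DEK sealed ("wrapped") under the tenant root key.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// NewKey returns a random 256-bit key (a constructed stand-in; a real tenant root key never leaves its HSM).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under AES-256-GCM. The label is bound as
// associated data so a blob sealed for one layer cannot be replayed as another.
func seal(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}
// open reverses seal; a wrong key or label fails the GCM tag check.
func open(key, sealed []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// EnvelopeEncrypt is the single service-side layer: a fresh DEK per object,
// wrapped under the root key; only the wrapped form is stored.
func EnvelopeEncrypt(rootKey, plaintext []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, "object")
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(rootKey, dek, "wrapped-dek")
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}
func EnvelopeDecrypt(rootKey []byte, env Envelope) ([]byte, error) {
	dek, err := open(rootKey, env.WrappedDEK, "wrapped-dek")
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, "object")
}

// DoubleEncrypt models the second layer (DKE or infrastructure encryption): an
// inner seal under a key the service never holds, then the normal envelope.
func DoubleEncrypt(clientKey, rootKey, plaintext []byte) (Envelope, error) {
	inner, err := seal(clientKey, plaintext, "client-layer")
	if err != nil {
		return Envelope{}, err
	}
	return EnvelopeEncrypt(rootKey, inner)
}
// DoubleDecrypt needs both keys; the root key alone yields only inner ciphertext.
func DoubleDecrypt(clientKey, rootKey []byte, env Envelope) ([]byte, error) {
	inner, err := EnvelopeDecrypt(rootKey, env)
	if err != nil {
		return nil, err
	}
	return open(clientKey, inner, "client-layer")
}

func main() {
	root, _ := NewKey()
	client, _ := NewKey()
	env, _ := DoubleEncrypt(client, root, []byte("constructed sample record"))
	fmt.Println(DoubleDecrypt(client, root, env)) // plaintext bytes and <nil>
}
```

The point the example makes is the one from the thread: with a single layer, whoever controls the root key can unwrap every DEK, while with the second layer the root key alone only yields the inner ciphertext, so a decryption requires a key the service never stores. The labels passed as associated data are a small hardening that keeps a wrapped DEK from being fed to the code path that expects object data.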
- Yes, your understanding is correct:
Azure Data Encryption-at-Rest - Azure Security | Microsoft Learn (https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest)