Forum Discussion

SoniaDuc
Copper Contributor
Jul 13, 2023

Encryption of data at rest in Azure

Hello,

While checking the Azure documentation on data encryption I read about tenant root keys (https://learn.microsoft.com/en-us/azure/information-protection/plan-implement-tenant-key#tenant-root-keys-generated-by-microsoft) and about encryption offered at the service level for data at rest (https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services).


My understanding is that while the root encryption keys are managed at the tenant level and data at rest is encrypted at the service level, data at rest is stored encrypted with one key (i.e. one layer of encryption is applied to data). The only time we speak about double encryption (i.e. data stored is encrypted twice) is in the case of Double Key Encryption (DKE), where first the client encrypts the data and then Azure adds another layer of encryption.

Is my understanding correct? Thank you for your help.


  • Hi!
    Yes 🙂 Data at rest in Azure is typically encrypted with one layer of encryption, where the data encryption keys (DEKs) are managed by Azure and stored encrypted with the tenant root key. However, Double Key Encryption (DKE) provides an option for double encryption by allowing clients to encrypt the data with their own key before Azure adds another layer of encryption with the tenant root key.
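To make the key hierarchy in the answer above concrete, here is an added model (not code from the thread or from Microsoft) of the two cases: a service-side DEK wrapped under a tenant root key, and DKE where a customer-held key is applied before the service layer. The cipher is a constructed HMAC-SHA256 counter-mode keystream so the script runs on the standard library alone; function names are illustrative, and the model omits the integrity tag and HSM-backed key storage a real implementation needs.

```python
"""Envelope encryption (one data layer) versus Double Key Encryption (two layers).
Constructed illustration of the Azure key hierarchy, not Microsoft's code."""
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = HMAC-SHA256(key, nonce || i), XORed with the data.
    Symmetric: the same call encrypts and decrypts. Constructed for the demo;
    it provides no integrity protection."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)

def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """One encryption layer: fresh random nonce prepended to the ciphertext."""
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def service_encrypt(tenant_root_key: bytes, plaintext: bytes) -> dict:
    """Service-level encryption at rest: a per-object DEK encrypts the data and
    is itself stored wrapped under the tenant root key (one layer on the data)."""
    dek = os.urandom(32)
    return {"wrapped_dek": encrypt_layer(tenant_root_key, dek),
            "ciphertext": encrypt_layer(dek, plaintext)}

def service_decrypt(tenant_root_key: bytes, record: dict) -> bytes:
    dek = decrypt_layer(tenant_root_key, record["wrapped_dek"])
    return decrypt_layer(dek, record["ciphertext"])

def dke_encrypt(customer_key: bytes, tenant_root_key: bytes, plaintext: bytes) -> dict:
    """DKE: the client encrypts with a key only it holds, then the service applies
    its own layer. Unwrapping the DEK alone yields the customer-layer ciphertext."""
    return service_encrypt(tenant_root_key, encrypt_layer(customer_key, plaintext))

def dke_decrypt(customer_key: bytes, tenant_root_key: bytes, record: dict) -> bytes:
    return decrypt_layer(customer_key, service_decrypt(tenant_root_key, record))
```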
