SOLVED

Encryption of data at rest in Azure

Hello,

While checking the Azure documentation on data encryption I read about tenant root keys (https://learn.microsoft.com/en-us/azure/information-protection/plan-implement-tenant-key#tenant-root...) and about encryption offered at the service level for data at rest (https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest#encryption-at-rest-i...).

My understanding is that while the root encryption keys are managed at the tenant level and data at rest is encrypted at the service level, data at rest is stored encrypted with one key (i.e. one layer of encryption is applied to data). The only time there we speak about double encryption (i.e. data stored is encrypted twice) is in the case of the Double Key Encryption (DKE) where first the client encrypts the data and then Azure adds another layer of encryption.

Is my understanding correct? Thank you for your help.

4 Replies
best response confirmed by SoniaDuc (Copper Contributor)
Solution
Hi!
Yes :) Data at rest in Azure is typically encrypted with one layer of encryption, where the data encryption keys (DEKs) are managed by Azure and stored encrypted with the tenant root key. However, Double Key Encryption (DKE) provides an option for double encryption by allowing clients to encrypt the data with their own key before Azure adds another layer of encryption with the tenant root key.

Thank you @Fjorgego for your answer.

Hello,
Looking more into the Azure documentation, it seems there is infrastructure encryption (https://learn.microsoft.com/en-us/azure/security/fundamentals/double-encryption) that can apply the second layer of encryption. It can be activated for several services (e.g. Azure storage, Azure disk storage).
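The layering discussed in the accepted answer and in the follow-up about infrastructure encryption, modelled as an added example (not Azure's implementation and not code from this thread). The cipher is a constructed HMAC-based stand-in for AES with no integrity tag, and the key names are assumptions; the point it shows is which keys are needed to read data at each layer count.

```python
import hashlib
import hmac
import os

# Constructed stand-in for AES: HMAC-SHA256 counter-mode keystream XORed with
# the data. Deliberately unauthenticated, so a wrong key yields garbage, not an error.
def _stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + _stream_cipher(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _stream_cipher(key, blob[:12], blob[12:])

def store_at_rest(plaintext, tenant_root_key, client_key=None, infra_key=None):
    """Returns (ciphertext, wrapped_dek, number_of_encryption_layers)."""
    layers, data = 0, plaintext
    if client_key is not None:           # DKE: client encrypts before the service sees the data
        data, layers = encrypt(client_key, data), layers + 1
    dek = os.urandom(32)                 # service-level data encryption key (DEK)
    data, layers = encrypt(dek, data), layers + 1
    wrapped_dek = encrypt(tenant_root_key, dek)   # DEK is stored wrapped by the tenant root key
    if infra_key is not None:            # infrastructure encryption: second service-side layer
        data, layers = encrypt(infra_key, data), layers + 1
    return data, wrapped_dek, layers

def read_at_rest(blob, wrapped_dek, tenant_root_key, client_key=None, infra_key=None):
    """Unwinds the layers in reverse order; every key used at write time is required."""
    if infra_key is not None:
        blob = decrypt(infra_key, blob)
    dek = decrypt(tenant_root_key, wrapped_dek)
    data = decrypt(dek, blob)
    if client_key is not None:
        data = decrypt(client_key, data)
    return data
```

Without a client key the service holds everything needed to decrypt (one layer, or two with infrastructure encryption); with DKE the service alone cannot recover the plaintext.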