1. Types of Encryption in Azure Storage
a. Encryption at Rest (Server-Side Encryption, SSE)
- All data written to Azure Storage (Blob, File, Queue, Table, Disk) is automatically encrypted.
- Uses 256-bit AES encryption (FIPS 140-2 compliant).
- Happens before persisting data to disk and is transparent to you.
- No extra cost.
You can choose key management options:
- Microsoft-managed keys (default): Azure generates, stores and rotates the keys; nothing to configure.
- Customer-managed keys (CMK): you supply an RSA key held in Azure Key Vault or Key Vault Managed HSM, and the storage account's managed identity uses it to wrap and unwrap the data-encryption keys. Useful when compliance requires that you own the key, control its rotation, or can revoke it (removing the account's access to the key makes the data unreadable until access is restored).
- Customer-provided keys (Blob only): the client sends an AES-256 key with each request; the service uses it for that operation and does not store it.
b. Encryption in Transit
- Every Azure Storage endpoint supports HTTPS (TLS), but plain HTTP is also accepted unless you turn it off.
- Enable "Secure transfer required" on the storage account (--https-only true in the CLI) to reject HTTP requests and unencrypted SMB connections, and set a minimum TLS version of 1.2 (--min-tls-version TLS1_2) so old clients cannot negotiate TLS 1.0 or 1.1.
- Azure Files uses SMB 3.x with SMB encryption; with secure transfer required, unencrypted SMB sessions are refused.
c. Client-Side Encryption
- Optional: you encrypt the data before it is uploaded, so the service only ever stores ciphertext.
- You manage the keys and the encryption. The Azure SDKs (Blob and Queue) implement it as envelope encryption: each object gets its own content key, which is wrapped with a key in Key Vault or a local key and stored in the object's metadata. Prefer the SDK's v2 client-side encryption (AES-GCM); v1 (AES-CBC) is deprecated.
- Useful for very sensitive data where the service operator must not be able to read it even with SSE in place. It does not replace SSE; the two layers stack.
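To make the envelope scheme concrete, here is an added example (my own Go code, not from the original answer and not the Azure SDK's implementation) of client-side encryption the way the SDK structures it: a random per-object data key encrypts the content with AES-256-GCM, the data key is wrapped under a key-encryption key (KEK), and the wrapped key travels as metadata beside the blob. The 32-byte local KEK is a stand-in for a Key Vault key (the SDK would call Key Vault's wrapKey/unwrapKey and the key would never leave the vault); the Envelope field names, the key ID and the blob names are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Envelope travels with the blob (for instance as blob metadata): the data key
// wrapped under the KEK, plus the two nonces. Field names are this example's
// own, not the Azure SDK's metadata schema.
type Envelope struct {
	KeyID      string // which KEK wrapped the data key, e.g. a Key Vault key URI
	WrappedKey string // base64 AES-256-GCM ciphertext of the data key
	WrapNonce  string
	DataNonce  string
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key with AES-GCM, a fresh random nonce and aad bound in.
func seal(key, aad, pt []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, pt, aad), nil
}

// unseal is the inverse; it rejects a wrong key, wrong aad or any modified byte.
func unseal(key, aad, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() { // GCM panics on a bad nonce length, so check first
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt generates a fresh 256-bit data key per blob, seals the plaintext with it
// (the blob name is bound as associated data so a ciphertext cannot be moved to
// another blob unnoticed), wraps the data key under kek with the key ID bound in,
// and returns the ciphertext to upload plus the envelope to store beside it.
func Encrypt(kek []byte, keyID, blobName string, plaintext []byte) ([]byte, Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, Envelope{}, err
	}
	dataNonce, ciphertext, err := seal(dek, []byte(blobName), plaintext)
	if err != nil {
		return nil, Envelope{}, err
	}
	wrapNonce, wrapped, err := seal(kek, []byte(keyID), dek)
	if err != nil {
		return nil, Envelope{}, err
	}
	enc := base64.StdEncoding.EncodeToString
	return ciphertext, Envelope{KeyID: keyID, WrappedKey: enc(wrapped), WrapNonce: enc(wrapNonce), DataNonce: enc(dataNonce)}, nil
}

// Decrypt unwraps the data key with kek and opens the ciphertext. It fails on a
// wrong KEK, a relabelled key ID, a different blob name, or any tampered byte.
func Decrypt(kek []byte, blobName string, ciphertext []byte, env Envelope) ([]byte, error) {
	var fields [3][]byte
	for i, s := range []string{env.WrappedKey, env.WrapNonce, env.DataNonce} {
		b, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return nil, errors.New("envelope is not valid base64")
		}
		fields[i] = b
	}
	dek, err := unseal(kek, []byte(env.KeyID), fields[1], fields[0])
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered envelope")
	}
	plaintext, err := unseal(dek, []byte(blobName), fields[2], ciphertext)
	if err != nil {
		return nil, errors.New("cannot decrypt: tampered ciphertext or wrong blob name")
	}
	return plaintext, nil
}

func main() {
	kek := make([]byte, 32) // stand-in for the Key Vault key; in practice it never leaves the vault
	rand.Read(kek)
	ct, env, err := Encrypt(kek, "https://mykeyvault.vault.azure.net/keys/myKey", "reports/q1.csv", []byte("constructed sample content"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, "reports/q1.csv", ct, env)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, pt)
	_, err = Decrypt(kek, "reports/q2.csv", ct, env)
	fmt.Println("same ciphertext under another blob name:", err)
}
```

The blob name and key ID as GCM associated data are the part worth copying: without them a valid ciphertext from one object can be swapped onto another, and an envelope can be pointed at a different (attacker-controlled) KEK, and nothing in the decryption would notice.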
2. How to Enable / Configure
By default:
- Encryption at rest (SSE with Microsoft-managed keys) is always on; you don't have to do anything, and it cannot be turned off.
To use Customer-Managed Keys (CMK):
- Create or use an Azure Key Vault (or Managed HSM) with soft delete and purge protection enabled; both are required for CMK so that an accidentally deleted key cannot take your data with it.
- Generate or import an RSA key (2048, 3072 or 4096 bits; RSA-HSM in Managed HSM).
- Give the storage account a managed identity and grant it get, wrapKey and unwrapKey on the key (access policy), or the "Key Vault Crypto Service Encryption User" role (RBAC).
- Configure the storage account to use that key. Leave the key version unspecified if you want the account to pick up new versions automatically when you rotate the key.
3. Example: Azure CLI
Enable CMK with a Key Vault key (the identity and permission steps are what the update command depends on; it fails without them):
# 1. Give the account a system-assigned managed identity and read back its object ID
az storage account update --name mystorageaccount --resource-group myResourceGroup --assign-identity
PRINCIPAL_ID=$(az storage account show --name mystorageaccount --resource-group myResourceGroup --query identity.principalId -o tsv)
# 2. Allow that identity to use the key (on an RBAC-enabled vault, assign the "Key Vault Crypto Service Encryption User" role instead)
az keyvault set-policy --name mykeyvault --object-id "$PRINCIPAL_ID" --key-permissions get wrapKey unwrapKey
# 3. Point the account at the key; with no --encryption-key-version, new key versions are picked up automatically
az storage account update \
  --name mystorageaccount \
  --resource-group myResourceGroup \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-vault https://mykeyvault.vault.azure.net/ \
  --encryption-key-name myKey
4. Quick Summary
- At Rest: always encrypted with AES-256.
- In Transit: encrypted with TLS (HTTPS/SMB), enforced once secure transfer is required.
- Keys: Microsoft-managed by default, or CMK via Key Vault/Managed HSM.
- Extra: you can do client-side encryption for maximum control.
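Added example (my own Go code, not part of the original answer): a check of the settings this summary lists, run over the JSON that `az storage account show -o json` returns, so a pipeline can fail an account that still accepts HTTP, allows TLS below 1.2, or uses platform keys where CMK is mandated. The JSON field names used (enableHttpsTrafficOnly, minimumTlsVersion, identity, encryption.keySource, encryption.keyVaultProperties) are the CLI's camelCase output as I know it; confirm them against your own output. The two account documents are constructed samples, not real accounts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StorageAccount is the subset of `az storage account show -o json` output the
// checks need. Field names are the CLI's camelCase output as I know it
// (assumption: confirm against your own output).
type StorageAccount struct {
	Name                   string `json:"name"`
	EnableHTTPSTrafficOnly bool   `json:"enableHttpsTrafficOnly"`
	MinimumTLSVersion      string `json:"minimumTlsVersion"`
	Identity               *struct {
		Type string `json:"type"`
	} `json:"identity"`
	Encryption struct {
		KeySource          string `json:"keySource"`
		KeyVaultProperties *struct {
			KeyName     string  `json:"keyName"`
			KeyVaultURI string  `json:"keyVaultUri"`
			KeyVersion  *string `json:"keyVersion"`
		} `json:"keyVaultProperties"`
	} `json:"encryption"`
}

// Audit returns one finding per violated rule; an empty result means the
// account passes. requireCMK decides whether Microsoft-managed keys are a finding.
func Audit(a StorageAccount, requireCMK bool) []string {
	var findings []string
	if !a.EnableHTTPSTrafficOnly {
		findings = append(findings, "secure transfer not required: plain HTTP and unencrypted SMB are accepted (az storage account update --https-only true)")
	}
	if a.MinimumTLSVersion != "TLS1_2" && a.MinimumTLSVersion != "TLS1_3" {
		findings = append(findings, fmt.Sprintf("minimum TLS version is %q; require 1.2 or later (--min-tls-version TLS1_2)", a.MinimumTLSVersion))
	}
	switch a.Encryption.KeySource {
	case "Microsoft.Storage":
		if requireCMK {
			findings = append(findings, "data is encrypted with Microsoft-managed keys but policy requires customer-managed keys")
		}
	case "Microsoft.Keyvault":
		kv := a.Encryption.KeyVaultProperties
		if kv == nil || kv.KeyName == "" || !strings.HasPrefix(kv.KeyVaultURI, "https://") {
			findings = append(findings, "keySource is Microsoft.Keyvault but the key name or vault URI is missing or not https")
		} else if kv.KeyVersion != nil && *kv.KeyVersion != "" {
			findings = append(findings, fmt.Sprintf("key version %s is pinned, so new versions are not picked up automatically; confirm rotation is handled", *kv.KeyVersion))
		}
		if a.Identity == nil {
			findings = append(findings, "CMK configured but the account has no managed identity to wrap and unwrap the key with")
		}
	default:
		findings = append(findings, fmt.Sprintf("unrecognised key source %q", a.Encryption.KeySource))
	}
	return findings
}

// AuditJSON parses raw CLI output and audits it.
func AuditJSON(raw string, requireCMK bool) ([]string, error) {
	var a StorageAccount
	if err := json.Unmarshal([]byte(raw), &a); err != nil {
		return nil, fmt.Errorf("not valid az output: %w", err)
	}
	return Audit(a, requireCMK), nil
}

// Constructed samples in the shape of the CLI output (not real accounts):
// one left at old defaults, one configured as section 2 describes.
const sampleDefaults = `{
  "name": "legacyaccount",
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "identity": null,
  "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}
}`

const sampleCMK = `{
  "name": "mystorageaccount",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "identity": {"type": "SystemAssigned"},
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {"keyName": "myKey", "keyVaultUri": "https://mykeyvault.vault.azure.net/", "keyVersion": null}
  }
}`

func main() {
	for _, raw := range []string{sampleDefaults, sampleCMK} {
		findings, err := AuditJSON(raw, true)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Feed it real output with `az storage account show -n NAME -g RG -o json`. A pinned key version is reported rather than failed outright, because pinning is legitimate when rotation is managed by hand; the point is to make that choice visible.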
Do you want me to also show how Spark / Databricks integrates with Azure Storage encryption (e.g., when reading/writing to ADLS Gen2)?