Security
Azure Storage automatically encrypts your data with 256-bit AES encryption before persisting it to the cloud. Encryption is enabled for all storage accounts and cannot be disabled; it applies regardless of performance or access tier, and in both regions when your redundancy configuration replicates data to a secondary region.
Key management
Microsoft manages storage account encryption keys by default. If you prefer, you can manage your own encryption keys. Customer key management can be performed in two ways:
customer-managed: You specify a key in Azure Key Vault or Azure Key Vault Managed Hardware Security Module (HSM), and Azure uses it for the storage account's encryption.
customer-provided: You specify a key on the request when storing a particular blob, and that key is used to encrypt the data.
The following table compares the key management options:
| Key management parameter | Microsoft-managed keys | Customer-managed keys | Customer-provided keys |
|---|---|---|---|
| Encryption/decryption operations | Azure | Azure | Azure |
| Azure Storage services supported | All | Blob Storage, Azure Files | Blob Storage |
| Key storage | Microsoft key store | Azure Key Vault or Key Vault HSM | Customer's own key store |
| Key rotation responsibility | Microsoft | Customer | Customer |
| Key control | Microsoft | Customer | Customer |
| Key scope | Account (default), container, or blob | Account (default), container, or blob | N/A |
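The customer-provided key option in the table above means the key travels with each request rather than living in Azure. As an added example (not from the page or from any Azure SDK), the Go program below builds the three request headers that Blob Storage expects for a customer-provided key (`x-ms-encryption-key`, `x-ms-encryption-key-sha256` and `x-ms-encryption-algorithm`, which are the documented header names) from a locally generated 256-bit key, and checks them the way the service does: the key must be exactly 32 bytes, the hash header must be the base64 SHA-256 of the raw key, and the algorithm must be AES256. The key bytes in the test are a constructed sample. Because the table lists the customer's own key store as the key storage, the generated key must be persisted by the caller; a blob written with it cannot be read without presenting the same key again.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Header names used by Azure Blob Storage for customer-provided keys.
const (
	hdrKey       = "x-ms-encryption-key"
	hdrKeySHA256 = "x-ms-encryption-key-sha256"
	hdrAlgorithm = "x-ms-encryption-algorithm"
)

// NewCPKKey returns a fresh 256-bit key. The caller must persist it:
// with customer-provided keys, the customer's own key store is the only
// place the key exists, so losing it makes the blob unreadable.
func NewCPKKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// CPKHeaders builds the request headers for a customer-provided key:
// the base64 key, the base64 SHA-256 of the raw key bytes, and the
// algorithm name (AES256 is the only value the service accepts).
func CPKHeaders(key []byte) (map[string]string, error) {
	if len(key) != 32 {
		return nil, errors.New("customer-provided key must be exactly 256 bits (32 bytes)")
	}
	sum := sha256.Sum256(key)
	return map[string]string{
		hdrKey:       base64.StdEncoding.EncodeToString(key),
		hdrKeySHA256: base64.StdEncoding.EncodeToString(sum[:]),
		hdrAlgorithm: "AES256",
	}, nil
}

// VerifyCPKHeaders performs, client-side, the consistency check the
// service performs before accepting a request: the key decodes to 32
// bytes, the hash header matches SHA-256(key), and the algorithm is AES256.
func VerifyCPKHeaders(h map[string]string) bool {
	key, err := base64.StdEncoding.DecodeString(h[hdrKey])
	if err != nil || len(key) != 32 {
		return false
	}
	want, err := base64.StdEncoding.DecodeString(h[hdrKeySHA256])
	if err != nil {
		return false
	}
	got := sha256.Sum256(key)
	return h[hdrAlgorithm] == "AES256" && string(want) == string(got[:])
}

func main() {
	key, err := NewCPKKey()
	if err != nil {
		panic(err)
	}
	h, err := CPKHeaders(key)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{hdrKey, hdrKeySHA256, hdrAlgorithm} {
		fmt.Printf("%s: %s\n", name, h[name])
	}
	fmt.Println("headers consistent:", VerifyCPKHeaders(h))
}
```

The same three values are what an SDK's customer-provided-key option sends on your behalf; building them by hand makes the operational point visible: every read of that blob, not only the write, must present the identical key and hash, so key retention and rotation are entirely the caller's responsibility.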
Client-side encryption
The Blob Storage client libraries for .NET, Java, and Python all support client-side encryption before uploading to Azure. Two versions of client-side encryption are available:
Version 1: Cipher Block Chaining (CBC) with AES, supported by the Blob, Queue, and Table storage SDKs
Version 2: Galois/Counter Mode (GCM) with AES, supported by the Blob and Queue storage SDKs
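The practical difference between the two versions is that GCM authenticates the ciphertext while CBC does not. The Go program below is an added example, not code from the page or from any Azure SDK (it reproduces only the cipher modes, not the SDK's key-wrapping or metadata format): it encrypts the same constructed sample with AES-CBC (the version 1 mode) and AES-GCM (the version 2 mode), corrupts one ciphertext byte, and reports whether decryption notices. With CBC the data decrypts without error to something other than what was written, so the application cannot tell a corrupted blob from an intact one; with GCM the authentication tag check fails and the data is rejected. The key and plaintext are constructed values; `TamperCheck` assumes a plaintext longer than 32 bytes so that the corrupted byte lands outside the CBC padding block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad / pkcs7Unpad supply the block padding CBC needs.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBC is the version 1 style: IV || ciphertext, no integrity tag.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize) // only the padding is checked, not the content
}

// EncryptGCM is the version 2 style: nonce || ciphertext || authentication tag.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func DecryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("bad length")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil) // fails on any modified byte
}

// TamperCheck encrypts pt, corrupts ciphertext byte 16 (past the IV/nonce),
// and decrypts. rejected is true when decryption returned an error;
// intact is true when it returned the original plaintext unchanged.
func TamperCheck(enc, dec func([]byte, []byte) ([]byte, error), key, pt []byte) (rejected, intact bool, err error) {
	ct, err := enc(key, pt)
	if err != nil {
		return false, false, err
	}
	tampered := append([]byte(nil), ct...)
	tampered[16] ^= 0x01
	out, err := dec(key, tampered)
	if err != nil {
		return true, false, nil
	}
	return false, bytes.Equal(out, pt), nil
}

func main() {
	key := bytes.Repeat([]byte{7}, 32) // constructed sample key
	pt := []byte("blob contents written by a client-side encryption sample!")
	for _, m := range []struct {
		name     string
		enc, dec func([]byte, []byte) ([]byte, error)
	}{{"v1 AES-CBC", EncryptCBC, DecryptCBC}, {"v2 AES-GCM", EncryptGCM, DecryptGCM}} {
		rejected, intact, err := TamperCheck(m.enc, m.dec, key, pt)
		fmt.Printf("%s: rejected=%v intact=%v err=%v\n", m.name, rejected, intact, err)
	}
}
```

When a service or pipeline reads client-side-encrypted blobs, this is the property that decides whether storage-layer corruption or modification surfaces as an error or as silently wrong data, which is the reason to prefer version 2 where the SDK offers it.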