Encryption enables the transformation of information for subsequent decryption and therefore reading by authorized entities. Data in “plain text” is converted to a cryptogram linked to a key, and rendered readable only by means of this key. Microsoft Azure offers a variety of encryption types and information or systems to be encrypted.
Azure Server-Side Encryption:
Azure SSE encrypts managed disks and storage resources, and protects data at rest. By default, encryption employs platform-managed keys, with 256-bit AES encryption being the case.
When using platform-managed keys, Azure automatically controls encryption and decryption. For organizations that can trust Azure in terms of compliance and that are not regulated more strictly, this default configuration suffices for a start.
Should stricter requirements apply, resources can be protected with an organization’s internal keys. The keys to the encrypted resources must then be made accessible. The Azure Key Vault affords this accessibility.
Azure Key Vault:
The Azure Key Vault serves the secure storage of and access to confidential information. In the Azure Key Vault you can store API keys, passwords, certificates or keys, for example. Access to the Key Vault is controlled via ACL through identity authentication and access restrictions. Accessing can be read out through detailed logs.
Azure SQL encryption
You can also encrypt SQL databases in Azure. Two different technologies are available for this purpose:
- Transparent Data Encryption (TDE)
- Always Encrypted
TDE encrypts the complete database using an AES algorithm. This encryption protects data at rest against hardware theft and illegal data recovery, for example. Once loaded to the memory, data can be read by any authorized entity (such as administrators or applications). Always Encrypted (a client-side encryption measure) additionally encrypts data “in use”.
Should higher protection be required, Always Encrypted is the solution for performing operations on encrypted SQL databases.
Combined with the aforementioned encryption options, the Azure Key Vault ensures data & information security when operating resources in Azure.