Encryption in Azure

Technological safeguards in Azure, such as encrypted communications and operational processes, help keep your data secure. You also have the flexibility to implement additional encryption features and manage your own cryptographic keys. Regardless of customer configuration, Microsoft applies encryption to protect customer data in Azure. Microsoft also enables you to control your data hosted in Azure through a range of advanced technologies to encrypt, control, and manage cryptographic keys, and control and audit access to data. In addition, Azure Storage provides a comprehensive set of security capabilities which together enable developers to build secure applications.

Azure offers many mechanisms for protecting data as it moves from one location to another. Microsoft uses TLS to protect data when it's traveling between the cloud services and customers. Microsoft's data centers negotiate a TLS connection with client systems that connect to Azure services. Forward Secrecy (FS) protects connections between customers' client systems and Microsoft's cloud services by unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination makes it difficult for someone to intercept and access data that is in-transit.

Data can be secured in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0. You can enable encryption for traffic between your own virtual machines (VMs) and your users. With Azure Virtual Networks, you can use the industry-standard IPsec protocol to encrypt traffic between your corporate VPN gateway and Azure as well as between the VMs located on your Virtual Network.

For data at rest, Azure offers many encryption options, such as support for AES-256, allowing you to choose the data storage scenario that best meets your needs. Data can be automatically encrypted when written to Azure Storage using Storage Service Encryption (SSE), and operating system and data disks used by VMs can be encrypted. For more information, see Security recommendations for Windows virtual machines in Azure. In addition, delegated access to data objects in Azure Storage can be granted using Shared Access Signatures. Azure also provides encryption for data at rest using Transparent Data Encryption for Azure SQL Database and Data Warehouse.

For more information about encryption in Azure, see Azure encryption overview and Azure Data Encryption-at-Rest.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

Azure Disk Encryption

Azure Disk Encryption enables you to encrypt your Windows and Linux Infrastructure as a Service (IaaS) VM disks. Azure Disk Encryption uses the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume-level encryption for the operating system and the data disks. It also ensures that all data on the VM disks are encrypted at rest in your Azure storage. Azure Disk Encryption is integrated with Azure Key Vault to help you control, manage, and audit the use of the encryption keys and secrets.

For more information, see Security recommendations for Windows virtual machines in Azure.

Azure Storage Service Encryption

With Azure Storage Service Encryption, Azure Storage automatically encrypts data prior to persisting it to storage and decrypts data prior to retrieval. The encryption, decryption, and key management processes are totally transparent to users. Azure Storage Service Encryption can be used for Azure Blob Storage and Azure Files. You can also use Microsoft-managed encryption keys with Azure Storage Service Encryption, or you can use your own encryption keys. (For information on using your own keys, see Storage Service Encryption using customer managed keys in Azure Key Vault. For information about using Microsoft-managed keys, see Storage Service Encryption for Data at Rest.) In addition, you can automate the use of encryption. For example, you can programmatically enable or disable Storage Service Encryption on a storage account using the Azure Storage Resource Provider REST API, the Storage Resource Provider Client Library for .NET, Azure PowerShell, or the Azure CLI.

Some Microsoft 365 services use Azure for storing data. For example, SharePoint Online and OneDrive for Business store data in Azure Blob storage, and Microsoft Teams stores data for its chat service in tables, blobs, and queues. In addition, the Compliance Manager feature in the Microsoft Purview compliance portal stores customer-entered data in encrypted form in Azure Cosmos DB, a Platform as a Service (PaaS), globally-distributed, multi-model database. Azure Storage Service Encryption encrypts data stored in Azure Blob storage and in tables, and Azure Disk Encryption encrypts data in queues, as well as Windows and IaaS virtual machine disks to provide volume encryption for the operating system and the data disk. The solution ensures that all data on the virtual machine disks are encrypted at rest in your Azure storage. Encryption at rest in Azure Cosmos DB is implemented by using several security technologies, including secure key storage systems, encrypted networks, and cryptographic APIs.

Azure Key Vault

Secure key management is not just core to encryption best practices; it's also essential for protecting data in the cloud. Azure Key Vault enables you to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). Azure Key Vault is Microsoft's recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users with Microsoft Entra accounts. Azure Key Vault relieves organizations of the need to configure, patch, and maintain HSMs and key management software. With Azure Key Vault, Microsoft never sees your keys and applications don't have direct access to them; you maintain control. You can also import or generate keys in HSMs. Organizations that have a subscription that includes Azure Information Protection can configure their Azure Information Protection tenant to use a customer-managed key Bring Your Own Key (BYOK)) and log its usage.