Azure Encryption at Rest

Introduction

 
In this article, you will learn about Azure Encryption. 
 

What Is Data Encryption?

 
Data encryption is a security process that encodes your data to keep it safe from unwanted eyes. The process consists of the input text, an encryption algorithm, an encryption key, and the output, as follows:
  1. The input, which may be any kind of plain-text data you want to encrypt, or your encoded data if you want to decrypt it.
  2. The encryption key, which is used to encrypt/decrypt your data. There are two types of encryption keys:

    • Symmetric, where a single key both encrypts and decrypts.
    • Asymmetric, where one key encrypts and a different key decrypts.

  3. The encryption algorithm, which applies your encryption key to your input in order to encrypt/decrypt it.
  4. The output, which is your encoded/decoded information.

Why Encrypt Data?

 
Security. That is the straightforward answer when we ask why we would encrypt our data; security is the main goal here. There are also legal reasons.
Without encryption at rest, information that applications are required to store, such as passwords or credit card data, would be completely exposed to anyone who could access the storage. Encrypting it makes the data useless to anyone who does not hold the decryption key.
 
Here are some types of data that are stored and should be encrypted:
  • Passwords;
  • Credit cards;
  • Bank Account data;
  • Navigation history;
  • Many, many more...

Encryption by Azure

 
Azure uses two main components to guarantee the security of the encryption and decryption process:
  • Azure Active Directory, which handles permissions to manage or access the encryption keys stored in Azure Key Vault.
  • Azure Key Vault, which stores and manages the encryption keys.
Azure also uses two different key types:
  • Data Encryption Key (DEK) - used to encrypt/decrypt a partition or block of data. If this key is regenerated, the data needs to be re-encrypted with the new key.
  • Key Encryption Key (KEK) - used to encrypt/decrypt the Data Encryption Key. This increases security because the KEK and DEK are stored in different locations, and only services with access to the KEK can decrypt the DEK and therefore decrypt/encrypt the data.
  • Azure Key Vault documentation.
  • Azure Active Directory documentation.

Encryption Models supported by Azure

 
Azure supports client-side encryption and three different models of server-side encryption, as follows:
 
Client-side Encryption
 
In this model, Azure only stores the data and has no knowledge of the encryption key, so Azure cannot decrypt or read the data. The client holds the encryption key and is responsible for the encryption and decryption process.
Server-side Encryption
 
In this model, Azure is responsible for encrypting and decrypting the data, but the encryption key may be managed by Azure or by the customer. The client sends and receives the raw data, and Azure handles encryption and decryption.
 
There are three different encryption processes, depending on how the encryption keys are managed:
  • Service-managed keys, the easiest to set up, leaving total control of the encryption keys to Azure.
  • Azure Key Vault, where key management is handled by Azure Key Vault, leaving total control of the encryption keys to the customer.
  • Customer-controlled hardware, the most complex to set up, leaving total control of the encryption keys to the customer.
Server-side encryption with Service-Managed keys
 
This is the simplest way to encrypt your data at rest. All you need to do is enable this functionality in your Azure service, and Azure handles all the encryption key management needed to store your encrypted data.
 
Server-side encryption with Azure Key Vault
 
With the Azure Key Vault model, the customer controls the encryption keys in Azure Key Vault and associates those keys with the Azure services that will store the data. The encryption and decryption process is handled by the resource provider.

Server-side encryption with Customer-Controlled Hardware
 
This is the most complex encryption model to implement and maintain, and it also has lower performance because of the extra round trips needed to decrypt the data.
 
This model requires the customer to develop their own service that provides the encryption keys to the Azure service when required. The customer also manages the encryption keys. When the client requests the encrypted data, the Azure service contacts the customer's service to retrieve the encryption key; after receiving it, the Azure service decrypts the data and returns it to the client.
 
External References