Storage account - Infrastructure level encryption

Angela Calborean 71 Reputation points
2021-12-20T06:40:18.367+00:00

Hello,

I want to create a storage account and enable infrastructure encryption. The MS documentation states that: "Infrastructure-level encryption **relies on Microsoft-managed keys and always uses a separate key.**" https://video2.skills-academy.com/en-us/azure/virtual-machines/disk-encryption

My question is: if I use Microsoft-managed keys by default for server-side encryption and also for infrastructure encryption, will MS store these two keys in two different Microsoft key stores?

Regards,
Angela


1 answer

  1. Sumarigo-MSFT 44,906 Reputation points Microsoft Employee
    2021-12-20T09:26:35.213+00:00

    @Angela Calborean Yes, absolutely. Customers who require high levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level. When infrastructure encryption is enabled, data in a storage account is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys. The key location is handled in the backend by Microsoft. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.

    Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault. Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key.


    Please let us know if you have any further queries. I’m happy to assist you further.

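The question asks how to create the storage account with infrastructure encryption turned on, and the answer describes the two independent key layers. The Bicep template below is an added example, not code from the original question or answer: it creates a StorageV2 account whose service-level encryption uses Microsoft-managed keys (`keySource: 'Microsoft.Storage'`) and additionally sets `requireInfrastructureEncryption: true`, which is the property that enables the second, separately keyed infrastructure layer. The account name, resource group and SKU are placeholder assumptions.

```bicep
// Added example (not from the original post): storage account with
// infrastructure (double) encryption enabled. Name and SKU are assumptions.
@description('Storage account name, 3-24 lowercase letters and digits. Placeholder value.')
param storageAccountName string = 'stdoubleenc001'

@description('Region; defaults to the resource group location.')
param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // Baseline hardening that is independent of the encryption question.
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    encryption: {
      // Service-level key: Microsoft-managed. A customer-managed key would use
      // keySource 'Microsoft.Keyvault' together with keyvaultproperties instead.
      keySource: 'Microsoft.Storage'
      // Second, independent Microsoft-managed key at the infrastructure layer.
      // This flag is honoured only at account creation; it cannot be changed later.
      requireInfrastructureEncryption: true
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
      }
    }
  }
}

// Surfaces the effective setting so a pipeline can assert on it after deployment.
output infrastructureEncryption bool = sa.properties.encryption.requireInfrastructureEncryption
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep`, then confirm the setting on the live account with `az storage account show -n <name> -g <rg> --query encryption.requireInfrastructureEncryption`, which should return `true`. Because the property can only be set at creation, an existing account that shows `false` has to be recreated (and its data migrated) to gain the infrastructure layer; there is no in-place upgrade.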