Description:
Infrastructure Encryption adds a second layer of encryption to Azure Storage accounts. It cannot be enabled on an existing storage account. To use this feature, a new storage account must be created with Infrastructure Encryption set to Enabled during creation.
Rationale:
Infrastructure Encryption provides an additional layer of protection by applying double encryption to all data stored in a storage account. Because it cannot be enabled after creation, ensuring new storage accounts have this feature turned on helps meet security and compliance requirements that require stronger encryption.
Impact:
Enabling infrastructure encryption requires creating a new storage account, since it cannot be turned on for existing accounts. This may involve migrating data and updating applications to use the new account, which can require additional time and planning.
Default Value:
Infrastructure encryption is disabled by default when a new storage account is created.
Pre-requisites:
You must have permission to create a storage account (Owner, Contributor, or Storage Account Contributor).
The region and storage settings must support infrastructure encryption.
If replacing an existing account, you need a plan to move your data to the new one.
Test Plan:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Storage accounts. Select the storage account you want to check.
In the left-hand menu, select Encryption under Security + Networking.
Under Encryption, locate Infrastructure encryption and confirm it is enabled.
If it is Disabled, follow the implementation steps.
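The portal steps above check one account at a time; as an added example (not part of the original control text), this script applies the same test across the JSON that `az storage account list -o json` returns, reading the `encryption.requireInfrastructureEncryption` property and treating a missing or null value as disabled. The sample output embedded below is constructed for illustration.

```python
import json

# Constructed sample of `az storage account list -o json`, trimmed to the
# fields this check reads (the real output carries many more properties).
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stlegacy001", "resourceGroup": "rg-prod",
     "encryption": {"requireInfrastructureEncryption": None}},
    {"name": "stdouble002", "resourceGroup": "rg-prod",
     "encryption": {"requireInfrastructureEncryption": True}},
    {"name": "stplain003", "resourceGroup": "rg-dev",
     "encryption": {"requireInfrastructureEncryption": False}},
    {"name": "stnoenc004", "resourceGroup": "rg-dev"},
])


def infra_encryption_enabled(account: dict) -> bool:
    """Return True only when the account explicitly reports the setting as on.

    The property is absent or null on accounts created before the feature
    existed; those count as disabled, since the setting cannot be switched
    on after creation and the account has to be replaced.
    """
    encryption = account.get("encryption") or {}
    return encryption.get("requireInfrastructureEncryption") is True


def find_noncompliant(az_json: str) -> list[str]:
    """Return 'resourceGroup/name' for every account that fails the check."""
    accounts = json.loads(az_json)
    return sorted(
        f"{acct.get('resourceGroup', '?')}/{acct['name']}"
        for acct in accounts
        if not infra_encryption_enabled(acct)
    )


if __name__ == "__main__":
    # In practice: az storage account list -o json > accounts.json
    failing = find_noncompliant(SAMPLE_AZ_OUTPUT)
    for acct in failing:
        print("FAIL infrastructure encryption disabled:", acct)
    print("compliant" if not failing else f"{len(failing)} account(s) need replacement")
```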
Implementation Steps:
Sign in to the Azure portal at https://portal.azure.com.
In the portal, search for Storage accounts and select Create to make a new storage account.
In the Encryption tab during creation, set Infrastructure encryption to Enabled.
Complete the creation of the new storage account.
Migrate your data from the old storage account to the new one using AzCopy, Storage Explorer, or another migration tool.
Update all applications or services to use the new storage account.
Delete the old storage account if it is no longer required.
Backout Plan:
Stop using the new storage account in your applications and services.
Copy all data from the new storage account back to the original storage account using AzCopy, Storage Explorer, or another migration tool.
Update connection strings or configuration settings so your applications point back to the original storage account.
Test your applications to ensure they function correctly with the original storage account.
If everything is working as expected, delete the new storage account to avoid additional costs.
Reference:
https://learn.microsoft.com/azure/storage/common/storage-service-encryption
https://learn.microsoft.com/azure/storage/common/infrastructure-encryption