Description:
Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.
Rationale:
Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.
Impact:
The read and write speeds to the storage will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This performance impact should be considered in an analysis for justifying use of the feature in your environment. Customer-managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the storage.
Audit:
From Azure Portal
1. From Azure Portal select the portal menu in the top left.
2. Select Storage Accounts.
3. Click on each storage account within each resource group you wish to audit.
4. In the overview, under Security, ensure Infrastructure encryption is set to
Enabled.
From Azure CLI
az storage blob show \
--account-name <storage-account> \
--container-name <container> \
--name <blob> \
--query "properties.serverEncrypted"
From PowerShell
$account = Get-AzStorageAccount -ResourceGroupName <resource-group> `
-Name <storage-account>
$blob = Get-AzStorageBlob -Context $account.Context `
-Container <container> `
-Blob <blob>
$blob.ICloudBlob.Properties.IsServerEncrypted
Remediation:
From Azure Portal
1. During Storage Account creation, in the Encryption tab, check the box next to
Enable infrastructure encryption.
From Azure CLI
Replace the information within <> with appropriate values:
az storage account create \
--name <storage-account> \
--resource-group <resource-group> \
--location <location> \
--sku Standard_RAGRS \
--kind StorageV2 \
--require-infrastructure-encryption
From PowerShell
Replace the information within <> with appropriate values:
New-AzStorageAccount -ResourceGroupName <resource_group> `
-AccountName <storage-account> `
-Location <location> `
-SkuName "Standard_RAGRS" `
-Kind StorageV2 `
-RequireInfrastructureEncryption
Enabling Infrastructure Encryption after Storage Account Creation
If infrastructure encryption was not enabled on blob storage creation, there is no official
way to enable it. Please see the additional information section.
Default Value:
By default, Infrastructure Encryption is disabled in blob creation.
References:
1. https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-encryptionstatus
2. https://docs.microsoft.com/en-us/azure/storage/common/storage-serviceencryption
3. https://docs.microsoft.com/en-us/azure/storage/common/infrastructureencryption-enable