Profile Applicability:

  • Level 2

Description:

Azure Data Box enables secure, large-scale offline data transfer to Azure. By default, it uses BitLocker encryption. Enabling double encryption adds an additional layer of encryption on top of BitLocker, providing enhanced security during physical data transport, especially in high-security or regulated environments.

Rationale:

Double encryption follows the defense-in-depth principle by layering cryptographic protections:

  • BitLocker secures data at rest on the Data Box.

  • A second layer encrypts the data with a different key, further reducing the risk of unauthorized data access.

This added protection is essential for sensitive or regulated data during transport, where physical loss or theft of the device poses a security risk.

Impact:

Pros:

  • Enhances protection of sensitive data during transit.

  • Meets regulatory or internal policy requirements for multi-layered encryption.

  • Provides defense against potential compromise of BitLocker-only encryption.

Cons:

  • May increase the time required for data copy operations.

  • Adds complexity to the Data Box configuration process.

  • Incompatible with some legacy decryption or inspection tools.

Default Value:

Double encryption is disabled by default on Azure Data Box.

Pre-requisites:

  • The Azure subscription must have permissions to create Data Box jobs.

  • Ensure your environment is compliant with the minimum firmware and OS requirements for Data Box.

  • Only applicable to supported Data Box SKUs (not available for all device types).

Test Plan:

Using Azure Console:

  1. Log in to the Azure Portal.

  2. Navigate to Data Box > Select the job > Click on Job Details.

  3. Under Device details, confirm that Double encryption is marked as Enabled.

Using Azure Policy:

  1. Confirm that the following Azure Policy is assigned:

    • Policy Definition ID: c349d81b-9985-44ae-a8da-ff98d108ede8

    • Policy Name: Azure Data Box jobs should enable double encryption for data at rest on the device
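
As an added example (not part of this benchmark text or of any Microsoft tooling), the following Python snippet applies the Test Plan check programmatically to job records shaped like the output of the Data Box REST API or `az databox job show`. The property path properties.details.preferences.encryptionPreferences.doubleEncryption and the sample records are assumptions constructed for illustration; a job with no encryption preference is reported as non-compliant because the documented default is disabled.

```python
import json

# Constructed sample records in the shape of `az databox job show` / Data Box
# REST API output. The property path used below is an assumption about the API,
# not something stated in the benchmark text.
SAMPLE_JOBS = json.loads("""
[
  {"name": "databox-import-01",
   "properties": {"details": {"preferences": {"encryptionPreferences":
                              {"doubleEncryption": "Enabled"}}}}},
  {"name": "databox-import-02",
   "properties": {"details": {"preferences": {"encryptionPreferences":
                              {"doubleEncryption": "Disabled"}}}}},
  {"name": "databox-import-03",
   "properties": {"details": {}}}
]
""")


def double_encryption_enabled(job: dict) -> bool:
    """Return True only when the job explicitly has double encryption enabled.

    A missing preference block means the platform default applies, and that
    default is disabled, so absence is treated as non-compliant, not unknown.
    """
    prefs = (job.get("properties", {})
                .get("details", {})
                .get("preferences", {})
                .get("encryptionPreferences", {}))
    return str(prefs.get("doubleEncryption", "Disabled")).lower() == "enabled"


def audit_jobs(jobs: list) -> dict:
    """Split jobs into compliant and non-compliant names for the Test Plan check."""
    result = {"compliant": [], "non_compliant": []}
    for job in jobs:
        key = "compliant" if double_encryption_enabled(job) else "non_compliant"
        result[key].append(job.get("name", "<unnamed>"))
    return result


if __name__ == "__main__":
    print(json.dumps(audit_jobs(SAMPLE_JOBS), indent=2))
```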

Implementation Plan:

Using Azure Console:

  1. Log in to the Azure Portal.

  2. Go to Data Box and create a new job.

  3. During the Security step of the configuration, select Enable double encryption.

  4. Proceed with the rest of the job creation steps and submit the order.

Using Azure PowerShell (if supported):

  1. Install or import the Az.DataBox module.

  2. Update the job:

     Update-AzDataBoxJob -ResourceGroupName <ResourceGroupName> -Name <JobName> -DoubleEncryptionEnabled $true

Backout Plan:

Using Azure Console:

  1. Cancel the job before shipping, and recreate the job with Double Encryption disabled.

Using Azure PowerShell (if supported):

  1. Delete the current job:

     Remove-AzDataBoxJob -ResourceGroupName <ResourceGroupName> -Name <JobName>

  2. Recreate the job without double encryption enabled.

References: