Profile Applicability:
Level 2
Description:
Infrastructure encryption adds a second layer of encryption to data stored in Azure Backup Vaults, encrypting data twice at rest—first by the service encryption and then by infrastructure encryption. Enabling this feature enhances data protection beyond standard encryption, providing stronger security for sensitive backup data.
Rationale:
By enabling infrastructure encryption, organizations reduce the risk of data exposure due to encryption key compromise or hardware vulnerabilities. This extra encryption layer helps meet stringent regulatory and compliance standards and provides defense in depth for backup data confidentiality and integrity.
Impact:
Pros:
Provides enhanced encryption strength with double encryption at rest.
Helps satisfy advanced compliance and regulatory requirements.
Offers additional protection against potential hardware or software vulnerabilities.
Cons:
May introduce a slight performance overhead during data write/read operations.
Supported only on certain vault types and regions; check compatibility.
Default Value:
Infrastructure encryption is disabled by default and must be explicitly enabled on Backup Vaults.
Pre-requisites:
Azure Recovery Services Vault configured for backups.
Appropriate permissions to modify vault encryption settings.
Remediation:
Test Plan:
Using Azure Portal:
Log in to https://portal.azure.com.
Navigate to Recovery Services Vaults and select the target vault.
Go to Properties or Encryption settings.
Verify that the option Use infrastructure encryption for this vault is enabled.
Using Azure CLI:
1. Retrieve the vault's encryption configuration (the infrastructure encryption state is exposed under the vault's backup encryption config, not under the vault resource itself):
az backup vault encryption show --name <vault-name> --resource-group <resource-group> --query properties.infrastructureEncryptionState --output tsv
2. Confirm the returned value is Enabled. Any other value (Disabled, an empty result, or an error) means the vault is not compliant.
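The following Python script is an added example and is not part of the original benchmark. It evaluates the JSON document returned by az backup vault encryption show for one vault and reports PASS only when properties.infrastructureEncryptionState is explicitly "Enabled"; a missing field, malformed output or any other state fails closed, which is the behaviour an audit script should have. The field name and the three sample outputs are assumptions modelled on the CLI's output shape; fetch_config is a thin wrapper around the real CLI and is only used when az is on the PATH.

```python
"""Audit helper for Recovery Services vault infrastructure encryption.

Added example (not the benchmark's own tooling). It assumes the vault's
encryption configuration is the JSON printed by
`az backup vault encryption show -o json`, whose
properties.infrastructureEncryptionState is "Enabled" or "Disabled".
"""
import json
import shutil
import subprocess
from typing import Tuple

# Constructed sample outputs shaped like `az backup vault encryption show`.
SAMPLE_COMPLIANT = json.dumps({
    "name": "backupResourceEncryptionConfig",
    "properties": {
        "encryptionAtRestType": "CustomerManaged",
        "infrastructureEncryptionState": "Enabled",
        "keyUri": "https://example-kv.vault.azure.net/keys/backup-key/0123456789abcdef",
        "lastUpdateStatus": "Succeeded",
    },
})
SAMPLE_NONCOMPLIANT = json.dumps({
    "name": "backupResourceEncryptionConfig",
    "properties": {
        "encryptionAtRestType": "CustomerManaged",
        "infrastructureEncryptionState": "Disabled",
        "keyUri": "https://example-kv.vault.azure.net/keys/backup-key/0123456789abcdef",
        "lastUpdateStatus": "Succeeded",
    },
})
# Constructed: a vault still on platform-managed keys that never reports the field.
SAMPLE_PLATFORM_KEY = json.dumps({
    "name": "backupResourceEncryptionConfig",
    "properties": {"encryptionAtRestType": "MicrosoftManaged"},
})


def evaluate(config_json: str) -> Tuple[str, str]:
    """Return ("PASS" | "FAIL", reason) for one vault's encryption config.

    Fails closed: anything other than an explicit "Enabled" state, including
    malformed JSON or an absent field, is reported as non-compliant.
    """
    try:
        config = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return "FAIL", f"unparseable encryption config: {exc.msg}"
    props = config.get("properties") if isinstance(config, dict) else None
    if not isinstance(props, dict):
        return "FAIL", "no properties object in encryption config"
    state = props.get("infrastructureEncryptionState")
    if state is None:
        return "FAIL", "infrastructureEncryptionState not reported"
    if str(state).lower() == "enabled":
        return "PASS", "infrastructure encryption enabled"
    return "FAIL", f"infrastructureEncryptionState is {state!r}"


def fetch_config(vault_name: str, resource_group: str) -> str:
    """Fetch the live configuration with the Azure CLI (requires `az login`)."""
    az = shutil.which("az")
    if az is None:
        raise RuntimeError("Azure CLI (az) not found on PATH")
    completed = subprocess.run(
        [az, "backup", "vault", "encryption", "show",
         "--name", vault_name, "--resource-group", resource_group,
         "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return completed.stdout


def audit(vault_name: str, resource_group: str) -> Tuple[str, str]:
    """Fetch and evaluate a real vault; returns the same (status, reason) pair."""
    return evaluate(fetch_config(vault_name, resource_group))


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    for label, sample in [("compliant", SAMPLE_COMPLIANT),
                          ("non-compliant", SAMPLE_NONCOMPLIANT),
                          ("platform-key", SAMPLE_PLATFORM_KEY)]:
        status, reason = evaluate(sample)
        print(f"{label:14s} {status} ({reason})")
```

To run the check against a real vault, call audit("<vault-name>", "<resource-group>") from an authenticated shell; the function raises rather than guessing if the CLI is unavailable, so a broken environment cannot be mistaken for a compliant vault.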
Implementation Plan:
Using Azure Portal:
In the vault’s Encryption settings, enable Use infrastructure encryption for this vault.
Save changes and verify the setting is applied successfully.
Using Azure CLI:
1. Enable infrastructure encryption on the vault. On a Recovery Services vault this setting is configured together with customer-managed key (CMK) encryption, so the command also takes the Key Vault key ID and the vault identity that is used to access the key:
az backup vault encryption update --name <vault-name> --resource-group <resource-group> --encryption-key-id <key-vault-key-id> --mi-system-assigned --infrastructure-encryption Enabled
2. Confirm the change by checking the vault's encryption properties as described in the Test Plan.
Backout Plan:
Using Azure Portal:
Disable infrastructure encryption by unchecking the option in vault settings if needed.
Be aware this may reduce encryption strength for backup data.
Using Azure CLI:
1. Disable infrastructure encryption:
az backup vault encryption update --name <vault-name> --resource-group <resource-group> --encryption-key-id <key-vault-key-id> --mi-system-assigned --infrastructure-encryption Disabled
References: