iCompaas Support

Profile Applicability:
 Level 2

Description:
 Infrastructure encryption provides an additional, second layer of encryption for backup data stored in Azure Recovery Services Vaults. This feature encrypts data at rest twice—first by service encryption and then by infrastructure encryption—offering enhanced protection against threats targeting encryption layers or hardware vulnerabilities.

Rationale:
 Enabling infrastructure encryption strengthens data security by adding defense in depth, ensuring that backup data is doubly encrypted. This helps meet rigorous compliance and regulatory requirements and provides greater assurance for sensitive and critical backup data confidentiality and integrity.

Impact:

• Pros:
  

  • Provides enhanced protection with double encryption at rest.
    

  • Meets stringent compliance and audit requirements.
    

  • Protects against potential hardware or software vulnerabilities affecting encryption.
    

• Cons:
  

  • May cause a slight performance impact on backup and restore operations.
    

  • Only available in supported regions and vault types; verify compatibility.
    

Default Value:
 Infrastructure encryption is disabled by default and must be explicitly enabled on Recovery Services Vaults.

Pre-requisites:

• Recovery Services Vault configured for backups.
  

• Permissions to modify vault encryption settings.
  

Remediation

Test Plan:

Using Azure Portal:

1. Log in to https://portal.azure.com.
   

2. Navigate to Recovery Services Vaults and select the target vault.
   

3. Under Properties or Encryption settings, verify if Use infrastructure encryption for this vault is enabled.
   

Using Azure CLI:

1. Check infrastructure encryption status:

az backup vault show --name <vault-name> --resource-group <resource-group> --query properties.encryptionSettings.infrastructureEncryptionEnabled

2. Confirm the returned value is true.

Implementation Plan

Using Azure Portal:

1. In the vault’s Encryption settings, enable Use infrastructure encryption for this vault.
   

2. Save changes and validate the setting.
   

Using Azure CLI:

1. Enable infrastructure encryption on the vault:

az backup vault encryption enable --vault-name <vault-name> --resource-group <resource-group> --infrastructure-encryption-enabled true

2. Confirm the update by retrieving vault properties.

Backout Plan

Using Azure Portal:

1. Disable infrastructure encryption by unchecking the feature in vault settings if required.
   

2. Evaluate any security or compliance implications.
   

Using Azure CLI:

1. Disable infrastructure encryption:

az backup vault encryption enable --vault-name <vault-name> --resource-group <resource-group> --infrastructure-encryption-enabled false

References:

• Azure Backup Infrastructure Encryption
  

• Manage Encryption for Recovery Services Vault