DEV Community

Eng Soon Cheah
Eng Soon Cheah

Posted on • Updated on

Configure encryption for data at rest

Implement SQL Database Always Encrypted

  • Primary characteristics of SQL Database Always Encrypted:
    • Protects data at rest, in transit, and in use
    • Ensures that data is accessible from client applications and application servers only
  • Implement SQL Database Always Encrypted:
    • Use the Always Encrypted wizard in SSMS to create Always Encrypted keys:
      • Create a column master key
      • Create a column encryption key
    • Create a database table and encrypt columns
    • Create an application that inserts, selects, and displays data from the encrypted columns

Implement database encryption
Alt text of image

Implement SSE

  • Primary characteristics of Azure Storage Service Encryption:
    • Applies automatically to all Azure Storage accounts and cannot be disabled
    • Encrypts on write and decrypts on read
    • Supports all four storage services (Blob, Queue, Table, and Files)
    • Supports both storage performance tiers (Standard and Premium)
    • Supports both deployment models (Resource Manager and classic)
  • Configuring SSE:
    • By default, SSE uses platform-assigned keys
    • Customers have the option to use their own keys

Implement Azure Disk Encryption

  • Primary characteristics of Disk Encryption:
    • Uses BitLocker on Windows VMs and DM-Crypt on Linux VMs
    • Provides encryption of the operating system and data disks
    • Stores encryption keys in a customer-managed key vault
    • Requires granting the Azure platform access to the key vault
  • Implementing disk encryption:
    • Azure Resource Manager templates
    • PowerShell
    • Azure CLI

Alt text of image

Implement Azure Backup encryption

  • Primary characteristics of Azure Backup:
    • Supports Windows and Linux operating systems
    • Is capable of protecting on-premises and cloud-resident workloads
    • Allows for backup and recovery of files, folders, system state, and applications
  • Implementing Azure Backup encryption:
    • For on-premises workloads, encryption is based on a customer-provided passphrase
    • For Azure VMs, encryption uses SSE

Top comments (1)