
Azure Introduces Storage Service Encryption for Managed Disks with No Additional Cost

  • June 19, 2017
Augusto is currently working as Principal Consultant at Dell EMC; originally from Argentina, he is now based in the US. His role involves designing customer requirements into specific systems and processes, performing technical briefings, and leading architectural design sessions and proofs of concept. Augusto is also the author of two published App-V books: “Getting Started Microsoft Application Virtualization 4.6” and “Microsoft Application Virtualization Advanced Guide”.

As we have mentioned several times, security is one of the main topics for cloud providers looking to guarantee the privacy of their customers’ data and information. Microsoft just announced the public availability of Storage Service Encryption (SSE) for Azure Managed Disks, at no additional cost.

Azure Storage Service Encryption

Azure Managed Disks were introduced by Microsoft a while back to simplify storage administration for Azure admins. Previously, admins had to create storage accounts to hold the disks (VHD files) for their Azure VMs. As new VMs and/or new disks were added, admins had to create additional storage accounts so that the disks did not exceed the IOPS limit of a storage account. With Managed Disks, the storage account limits (such as 20,000 IOPS / account) no longer apply.

Storage Service Encryption (SSE) provides encryption at rest: it automatically encrypts data before persisting it to storage and decrypts it before retrieval. The encryption, decryption, and key management are completely transparent to users. All data is encrypted using 256-bit AES encryption.

Storage Account Encryption window

SSE can be used for Azure Blob Storage and File Storage. It works for the following:

  • Standard Storage: General purpose storage accounts for Blobs and File Storage and Blob Storage accounts
  • Premium storage
  • All redundancy levels (LRS, ZRS, GRS, RA-GRS)
  • Azure Resource Manager storage accounts (but not classic)
  • All regions.

Storage Service Encryption has some limitations to consider. To name a few: encryption of classic storage accounts is not supported; SSE only encrypts new data (encrypting existing data will be available in the near future); and table and queue data will not be encrypted.
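As an added example (not from the original article or from Microsoft), the following Python script audits storage accounts against the limitations above: it flags accounts where SSE is off for Blob or File storage, and accounts where SSE was switched on after creation, so data written earlier is not encrypted. The JSON is constructed and assumed to follow the shape of `az storage account list` output; the account names and the 60-second grace window are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample in the shape of `az storage account list` output (not real accounts).
SAMPLE = json.loads("""
[
  {"name": "examplenew01", "creationTime": "2017-06-20T10:00:00+00:00",
   "encryption": {"services": {
     "blob": {"enabled": true, "lastEnabledTime": "2017-06-20T10:00:05+00:00"},
     "file": {"enabled": true, "lastEnabledTime": "2017-06-20T10:00:05+00:00"}}}},
  {"name": "exampleold02", "creationTime": "2016-03-01T08:00:00+00:00",
   "encryption": {"services": {
     "blob": {"enabled": true, "lastEnabledTime": "2017-06-21T09:30:00+00:00"}}}},
  {"name": "examplenone03", "creationTime": "2016-11-11T12:00:00+00:00",
   "encryption": null}
]
""")

SSE_SERVICES = ("blob", "file")  # services the article says SSE covers (not tables/queues)
GRACE_SECONDS = 60               # assumption: enabled within a minute of creation = on from the start

def parse(ts):
    """Parse an ISO 8601 timestamp, dropping fractional seconds and normalising 'Z'."""
    ts = re.sub(r"\.\d+", "", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)

def audit(accounts):
    """Return (account, service, finding) tuples for every SSE gap found."""
    findings = []
    for acct in accounts:
        created = parse(acct["creationTime"])
        services = (acct.get("encryption") or {}).get("services") or {}
        for svc in SSE_SERVICES:
            state = services.get(svc) or {}
            if not state.get("enabled"):
                findings.append((acct["name"], svc, "sse-disabled"))
                continue
            enabled_at = state.get("lastEnabledTime")
            # SSE only encrypts new data: anything written before this time stays in the clear.
            if enabled_at and (parse(enabled_at) - created).total_seconds() > GRACE_SECONDS:
                findings.append((acct["name"], svc, "pre-enable-data-not-encrypted"))
    return findings

if __name__ == "__main__":
    for name, svc, finding in audit(SAMPLE):
        print(f"{name:15} {svc:5} {finding}")
```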

Azure Storage service encryption window

The keys used by SSE are fully managed by Microsoft. For the moment, the scenario where customers use their own keys for encryption is not supported, but it could become available as an upcoming feature.

It is also important to note that Storage Service Encryption is not the same as Azure Disk Encryption: the latter is used to encrypt OS and data disks within the Azure VMs, while SSE encrypts data in Azure Blob Storage.
