Cloud Computing

Microsoft Azure: Enable Encryption for Data at Rest

In today’s Ask the Admin, I’ll show you how to enable encryption for blob storage in Microsoft Azure.

Microsoft announced the availability of Storage Service Encryption (SSE) in September 2016. This service allows you to add 256-bit AES encryption to new or existing storage accounts. Azure encrypts and decrypts data transparently to users and applications, as well as managing the service keys for you. Microsoft is also working on an option that will allow you to manage the service keys yourself.


Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.


Data is encrypted as it is written or rewritten to disk. This means that if you want to encrypt an entire blob, encryption needs to be enabled from the get go. Microsoft claims that the performance hit associated with SSE is inconsequential. Additionally, SSE is only supported for Azure Resource Manager (ARM) storage and blob storage accounts (i.e., those created using the new management portal or ARM PowerShell cmdlets).

SSE is available for blob storage in all regions. SSE for Azure File Service is available in preview. At the time of writing this article, SSE for Azure File Service can only be enabled for newly created ARM storage accounts in East US, East US2, Central US, North Central US, South Central US, West Central US, West US, West US2, East Asia, North Europe, West Europe, Australia East, and Australia Southeast regions. For more details on Azure storage accounts, see Understanding Azure Storage: Managed Disks and Storage Accounts on the Petri IT Knowledgebase.

Enable Encryption for Blob Storage

Before enabling encryption, you’ll need at least one storage account. For more information on creating storage accounts, see Create an Azure Premium Storage Account on Petri. For the purposes of this demonstration, a standard tier storage account can be used.

  • Log into the Azure management portal.
  • Click More services at the bottom of the panel on the left of the management portal window.
  • Type storage in the box at the top of the new panel, and then click Storage accounts in the results.
  • Click your storage account in the Storage accounts pane.
  • On the Storage account panel, click Encryption under BLOB SERVICE.
  • Toggle the Storage service encryption switch to Enabled, and then click Save at the top of the panel.
Enable Storage Service Encryption (SSE) in Azure (Image Credit: Russell Smith)
Enable Storage Service Encryption (SSE) in Azure (Image Credit: Russell Smith)

Azure will take a few moments to update the encryption settings for the storage account. If encryption is later disabled, new writes will not be encrypted. Keep in mind, existing data remains encrypted unless it gets rewritten to disk.

In this article, I showed you how to enable encryption in Azure for data at rest.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Download this eBook!

External Sharing and Guest User Access in Microsoft 365 and Teams

his eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure. The eBook will also outline some of the major decision points across four general-purpose guest access policy scenarios for how an organization can set this up with standard licensing.

Download Now

Sponsored By