Microsoft Outlines OneDrive for Business Data at Rest Encryption, OneDrive Support Coming Soon

Microsoft lifted the curtain a bit today on how Microsoft OneDrive for Business and SharePoint Online handle data encryption. A post by ’SharePoint Team’ on the official Microsoft Office blog detailed how OneDrive for Business data is encrypted at rest and in flight.

‘…when your data is in transit, it is encrypted as data moves between you and the datacenter and between the server and the datacenter, which uses 2048 bit keys. However, the encryption technology applies not only when the data is moving between servers or datacenters, but also when the data is at rest.”

OneDrive for Business Disk Encryption and File Encryption

The Microsoft post revealed that BitLocker is used for data security at the disk level, but at the file layer each file is given a key that is Federal Information Processing Standard (FIPS) 140-2 compliant and uses 256-bit keys via the Advanced Encryption Standard (AES-256).

Microsoft has produced a video that goes into additional detail about what security methods it uses for data-at-rest for SharePoint Online and OneDrive for Business, and I’ve embedded that video below.

What about data encryption for OneDrive?

One thing that isn’t immediately clear when reading through the aforementioned blog post is whether those encryption features are included with the standard (consumer) version of OneDrive. A Microsoft blog post in July 2014 by Matt Thomlinson, the VP of trustworthy computing security, did state that OneDrive supported Perfect Forward Secrecy (PFS) encryption.

“OneDrive customers now automatically get forward secrecy when accessing OneDrive through onedrive.live.com, our mobile OneDrive application and our sync clients,” Tomlinson wrote. “As with Outlook.com’s email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive.”

I reached out to some Microsoft PR representatives earlier today to find out if OneDrive had the same level of data at rest encryption, and a spokesperson told me “We have rolled out encryption at rest for OneDrive for Business and are working on it for OneDrive.” So expect to see data-at-rest encryption support for normal OneDrive in the near future. When that happens I’ll update this post to reflect the latest official information.

So are you currently using Microsoft OneDrive for Business? I’d love to hear what you think about Microsoft’s OneDrive security efforts, so please add a comment to this blog post, or contact me on Twitter or Google+. You can also catch up on my posts in the Petri IT Knowledgebase forums.