Azure App Services & Azure SQL Servers - Encryption at Rest

Rizwan Ansari 21 Reputation points
2020-12-15T14:57:12.43+00:00

Are all web application hosted with Azure App Services and also Azure SQL Servers encrypted at Rest? Do I have to do any special configuration?

Azure SQL Database
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,956 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. brtrach-MSFT 15,261 Reputation points Microsoft Employee
    2020-12-16T04:32:32.703+00:00

    @Rizwan Ansari Thank you for your question. I personally deal with Azure Web Apps so I can speak to that part of things. I would kindly request you to create a second question with just the azure-sql-database tag so an expert from the SQL team can assist you with that side of things.

    In regards to encryption at rest with Azure Web Apps, there is a two part answer.

    With an App Service Environment, you have the ability to turn on internal encryption. More on that can be found here.

    If you are talking about the multi-tenant web app product, there are a few points to share. Firstly, as of today, locally attached disks on App Service VMs are not encrypted at rest. From a developer perspective, that means anything within "D:\local" when logged into a Kudu console is not encrypted at rest. Overall, customer data is encrypted but devs are urged to be cautious as it's possible to write to D:\local disk, which would not be encrypted. Keep in mind that we are assuming that items like ASP.NET DLLs that are stored on the local drive but we assume developers are not following bad practices such as compiling encryption keys into their binaries. Note that custom container web apps are loaded onto a locally attached disk and it will not be encrypted at rest.

    There is work being done to offer encryption at rest as a feature in the future but there is nothing to share at this team regarding features or an ETA.

    If you are asking from a compliance perspective, you should consider an App Service Environment or see about requesting an exemption.

    If you are asking so that you can sleep better at night, I encourage you to review the Azure Security overview of our datacenters.

    Please let me know if you have any further questions about encryption at rest on App Services and I would be happy to answer them.

    0 comments
  2. brtrach-MSFT 15,261 Reputation points Microsoft Employee
    2023-12-19T20:11:02+00:00

    The below is the latest from the product group regarding this matter.

    For public multi-tenant App Service, it’s a bit complicated at the current point in time.  The simplified answer is if a customer is using Pv3 for their app service plans, or Pv3 is available for the customer to use (i.e. not grayed out in the portal SKU picker for App Service Plans), then the locally attached disks are encrypted at rest.  This isn’t the case for older public multi-tenant scale units – which in simplest terms are scale units where Pv3 is greyed out in the portal SKU picker for App Service Plans. All public multi-tenant scale units do encrypt the pagefile (regardless of whether the scale untis are “older” or “newer”). On App Service Environments, customers can explicitly force encryption-at-rest of local disks (regardless of the underlying architecture) with an ASE specific cluster setting:  https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption

    0 comments