Enable infrastructure encryption for double encryption of data

Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.

Infrastructure encryption can be enabled for the entire storage account, or for an encryption scope within an account. When infrastructure encryption is enabled for a storage account or an encryption scope, data is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys.

Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault or Key Vault Managed Hardware Security Model (HSM) (preview). Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key. For more information about key management with Azure Storage encryption, see About encryption key management.

To doubly encrypt your data, you must first create a storage account or an encryption scope that is configured for infrastructure encryption. This article describes how to enable infrastructure encryption.

Register to use infrastructure encryption

To enable infrastructure encryption, you must first register to use this feature with Azure by using PowerShell or Azure CLI.


Create an account with infrastructure encryption enabled

To enable infrastructure encryption for a storage account, you must configure a storage account to use infrastructure encryption at the time that you create the account. Infrastructure encryption cannot be enabled or disabled after the account has been created. The storage account must be of type general-purpose v2.

To use the Azure portal to create a storage account with infrastructure encryption enabled, follow these steps:

  1. In the Azure portal, navigate to the Storage accounts page.

  2. Choose the Add button to add a new general-purpose v2 storage account.

  3. On the Advanced tab, locate Infrastructure encryption, and select Enabled.

  4. Select Review + create to finish creating the storage account.

    Screenshot showing how to enable infrastructure encryption when creating account

To verify that infrastructure encryption is enabled for a storage account with the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Under Settings, choose Encryption.

    Screenshot showing how to verify that infrastructure encryption is enabled for account

Create an encryption scope with infrastructure encryption enabled

If infrastructure encryption is enabled for an account, then any encryption scope created on that account automatically uses infrastructure encryption. If infrastructure encryption is not enabled at the account level, then you have the option to enable it for an encryption scope at the time that you create the scope. The infrastructure encryption setting for an encryption scope cannot be changed after the scope is created. For more information, see Create an encryption scope.
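The settings described above, as an added example that is not part of this article and is not Microsoft's code: a small Python helper that builds the Azure CLI commands for creating a general-purpose v2 account and an encryption scope with infrastructure encryption required, and audits `az storage account list -o json` output for accounts that are not doubly encrypted. The JSON below is constructed sample output, and the account, resource group and scope names are placeholders.

```python
import json
import shlex

# Constructed sample of `az storage account list -o json` (not real accounts):
# one doubly encrypted v2 account, one v2 account with infrastructure encryption
# left off, and one general-purpose v1 account that is not eligible at all.
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "stdouble001", "kind": "StorageV2",
   "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": true}},
  {"name": "stsingle002", "kind": "StorageV2",
   "encryption": {"keySource": "Microsoft.Keyvault", "requireInfrastructureEncryption": false}},
  {"name": "stlegacy003", "kind": "Storage",
   "encryption": {"keySource": "Microsoft.Storage"}}
]"""


def create_account_cmd(name, resource_group, location):
    """argv for `az storage account create` with infrastructure encryption on.
    The flag has to be set at creation time; it cannot be toggled later."""
    return ["az", "storage", "account", "create",
            "--name", name, "--resource-group", resource_group,
            "--location", location, "--kind", "StorageV2", "--sku", "Standard_LRS",
            "--require-infrastructure-encryption", "true"]


def create_scope_cmd(account, resource_group, scope_name):
    """argv for an encryption scope that requires infrastructure encryption,
    for accounts where it was not enabled at the account level."""
    return ["az", "storage", "account", "encryption-scope", "create",
            "--account-name", account, "--resource-group", resource_group,
            "--name", scope_name, "--require-infrastructure-encryption", "true"]


def has_infrastructure_encryption(account):
    """True when the account's encryption block reports requireInfrastructureEncryption."""
    return bool((account.get("encryption") or {}).get("requireInfrastructureEncryption", False))


def audit(accounts_json):
    """Return (name, reason) for every account that is not doubly encrypted.
    A v2 account can only be fixed by recreating it with the flag set;
    other kinds must first be migrated to general-purpose v2."""
    findings = []
    for acct in json.loads(accounts_json):
        if has_infrastructure_encryption(acct):
            continue
        kind = acct.get("kind")
        reason = ("infrastructure encryption disabled (recreate account)" if kind == "StorageV2"
                  else f"not general-purpose v2 (kind={kind})")
        findings.append((acct["name"], reason))
    return findings


if __name__ == "__main__":
    print(shlex.join(create_account_cmd("stdouble001", "rg-placeholder", "eastus")))
    for name, reason in audit(SAMPLE_ACCOUNTS_JSON):
        print(f"{name}: {reason}")
```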

Next steps