Check the encryption status of a blob

Every block blob, append blob, or page blob that was written to Azure Storage after October 20, 2017 is encrypted with Azure Storage encryption. Blobs created prior to this date continue to be encrypted by a background process.

This article shows how to determine whether a given blob has been encrypted.

Check a blob's encryption status

Use the Azure portal, PowerShell, or Azure CLI to determine whether a blob is encrypted without code.

To use the Azure portal to check whether a blob has been encrypted, follow these steps:

  1. In the Azure portal, navigate to your storage account.

  2. Select Containers to navigate to a list of containers in the account.

  3. Locate the blob and display its Overview tab.

  4. View the Server Encrypted property. If True, as shown in the following image, then the blob is encrypted. Notice that the blob's properties also include the date and time that the blob was created.

    Screenshot showing how to check Server Encrypted property in Azure portal

Force encryption of a blob

If a blob that was created prior to October 20, 2017 has not yet been encrypted by the background process, you can force encryption to occur immediately by downloading and re-uploading the blob. A simple way to do this is with AzCopy.

To download a blob to your local file system with AzCopy, use the following syntax:

azcopy copy 'https://<storage-account-name>.<blob or dfs><container-name>/<blob-path>' '<local-file-path>'

azcopy copy '' 'C:\temp\blob1.txt'

To re-upload the blob to Azure Storage with AzCopy, use the following syntax:

azcopy copy '<local-file-path>' 'https://<storage-account-name>.<blob or dfs><container-name>/<blob-name>'

azcopy copy 'C:\temp\blob1.txt' ''

For more information about using AzCopy to copy blob data, see Transfer data with AzCopy and Blob storage.

Next steps

Azure Storage encryption for data at rest