Create a storage account with infrastructure encryption enabled for double encryption of data

Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level. When infrastructure encryption is enabled, data in a storage account is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. In this scenario, the additional layer of encryption continues to protect your data.

Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault or Key Vault Managed Hardware Security Model (HSM) (preview). Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key. For more information about key management with Azure Storage encryption, see About encryption key management.

To doubly encrypt your data, you must first create a storage account that is configured for infrastructure encryption. This article describes how to create a storage account that enables infrastructure encryption.

Register to use infrastructure encryption

To create a storage account that has infrastructure encryption enabled, you must first register to use this feature with Azure by using PowerShell or Azure CLI.

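The following PowerShell script is an added example, not part of the original article, showing what the registration step looks like end to end: it registers the feature for the current subscription, waits for the asynchronous registration to complete, and then re-registers the Microsoft.Storage resource provider so the capability is picked up. It assumes the Az.Accounts and Az.Resources modules are installed and that you have already signed in with Connect-AzAccount. The feature name is an assumption (it is the name used while the feature was in preview); confirm it with `Get-AzProviderFeature -ProviderNamespace Microsoft.Storage -ListAvailable` before relying on it.

```powershell
# Added example (not from the original article): register the infrastructure
# encryption feature for the current subscription and wait for it to propagate.
$namespace   = 'Microsoft.Storage'
# ASSUMPTION: preview feature name; verify with
# Get-AzProviderFeature -ProviderNamespace Microsoft.Storage -ListAvailable
$featureName = 'AllowRequireInfraStructureEncryption'

Register-AzProviderFeature -ProviderNamespace $namespace -FeatureName $featureName

# Feature registration is asynchronous; poll until the state becomes
# 'Registered', but give up after a bounded number of attempts so the
# script cannot hang forever.
$maxAttempts = 60
$attempt     = 0
do {
    Start-Sleep -Seconds 10
    $attempt++
    $feature = Get-AzProviderFeature -ProviderNamespace $namespace -FeatureName $featureName
    Write-Host "Attempt $attempt - feature state: $($feature.RegistrationState)"
} while ($feature.RegistrationState -ne 'Registered' -and $attempt -lt $maxAttempts)

if ($feature.RegistrationState -ne 'Registered') {
    throw "Feature '$featureName' did not reach the Registered state after $($maxAttempts * 10) seconds."
}

# Re-register the resource provider so that the newly registered feature is
# available when you create storage accounts.
Register-AzResourceProvider -ProviderNamespace $namespace
```

Registration is per subscription, so repeat it in each subscription where you intend to create doubly encrypted accounts.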

Create an account with infrastructure encryption enabled

You must configure a storage account to use infrastructure encryption at the time that you create the account. The storage account must be of type general-purpose v2.

Infrastructure encryption cannot be enabled or disabled after the account has been created.

To use the Azure portal to create a storage account with infrastructure encryption enabled, follow these steps:

  1. In the Azure portal, navigate to the Storage accounts page.

  2. Choose the Add button to add a new general-purpose v2 storage account.

  3. On the Advanced tab, locate Infrastructure encryption, and select Enabled.

  4. Select Review + create to finish creating the storage account.

    Screenshot showing how to enable infrastructure encryption when creating account
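The same creation step in PowerShell, as an added example that is not part of the original article: it creates a general-purpose v2 account with the infrastructure encryption flag set and fails fast if the resulting account does not report the flag, since the setting cannot be corrected afterwards. It assumes the Az.Storage module is installed, that the feature registration above has completed, and that you replace the resource group, account name and region placeholders with your own values.

```powershell
# Added example (not from the original article): create a general-purpose v2
# storage account with infrastructure encryption enabled, then confirm it.
$rgName      = '<resource-group>'    # placeholder: existing resource group
$accountName = '<storage-account>'   # placeholder: 3-24 lowercase letters/digits, globally unique
$location    = '<region>'            # placeholder, e.g. a region name returned by Get-AzLocation

# -Kind StorageV2 is required: only general-purpose v2 accounts support
# infrastructure encryption. -RequireInfrastructureEncryption can only be
# specified at creation time; there is no way to add it to an existing account.
$account = New-AzStorageAccount -ResourceGroupName $rgName `
    -Name $accountName `
    -Location $location `
    -SkuName Standard_LRS `
    -Kind StorageV2 `
    -RequireInfrastructureEncryption

# Guard against a silently ignored flag (for example, an unregistered feature):
# if double encryption is not reported, the account is not fit for its purpose
# and must be deleted and re-created rather than "fixed" in place.
if ($account.Kind -ne 'StorageV2') {
    throw "Account '$accountName' is of kind '$($account.Kind)'; expected StorageV2."
}
if ($account.Encryption.RequireInfrastructureEncryption -ne $true) {
    throw "Account '$accountName' was created without infrastructure encryption; delete it and re-create it."
}

Write-Host "Infrastructure encryption enabled for '$accountName': $($account.Encryption.RequireInfrastructureEncryption)"
```

The Azure CLI equivalent uses the `--require-infrastructure-encryption` option of `az storage account create` together with `--kind StorageV2`.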

Verify that infrastructure encryption is enabled

To verify that infrastructure encryption is enabled for a storage account with the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Under Settings, choose Encryption.

    Screenshot showing how to verify that infrastructure encryption is enabled for account
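To check the setting with PowerShell rather than the portal, and to do so across a whole subscription rather than one account at a time, here is an added example that is not part of the original article. It lists every storage account visible in the current subscription, reports whether infrastructure encryption is enabled along with the service-level key source, and warns about accounts that lack double encryption. It assumes the Az.Storage module is installed and you are signed in; accounts created before the feature existed report the property as null, which the script treats as "not enabled".

```powershell
# Added example (not from the original article): audit all storage accounts in
# the current subscription for infrastructure (double) encryption.
$results = Get-AzStorageAccount | ForEach-Object {
    # RequireInfrastructureEncryption is a nullable boolean; comparing with
    # -eq $true maps both $false and $null to "not enabled".
    $enabled = $_.Encryption.RequireInfrastructureEncryption -eq $true
    [pscustomobject]@{
        ResourceGroup            = $_.ResourceGroupName
        StorageAccount           = $_.StorageAccountName
        Kind                     = $_.Kind
        InfrastructureEncryption = $enabled
        # Service-level key source: 'Microsoft.Storage' means Microsoft-managed
        # keys, 'Microsoft.Keyvault' means customer-managed keys in Key Vault.
        ServiceKeySource         = $_.Encryption.KeySource
    }
}

$results | Format-Table -AutoSize

# Because the setting is immutable after creation, any account flagged here
# cannot be remediated in place; it must be re-created and its data migrated.
$missing = @($results | Where-Object { -not $_.InfrastructureEncryption })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) storage account(s) do not have infrastructure encryption enabled:"
    $missing | Format-Table ResourceGroup, StorageAccount, Kind -AutoSize
} else {
    Write-Host 'All storage accounts in this subscription have infrastructure encryption enabled.'
}
```

For a single account, the same property is available as `(Get-AzStorageAccount -ResourceGroupName <resource-group> -Name <storage-account>).Encryption.RequireInfrastructureEncryption`, or with the Azure CLI as `az storage account show --name <storage-account> --resource-group <resource-group> --query encryption.requireInfrastructureEncryption`.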

Next steps