Basics of Azure Encryption

This course looks at how encryption works in Microsoft and Azure.

Learning Objectives

  • What encryption is and the types of encryption
  • What hashing is and how it differs from encryption
  • How Microsoft and Azure encrypt data

Intended Audience

  • Users looking to learn about encryption, hashing, and how Azure encrypts data
  • Users preparing for the SC-900 certification

Prerequisites

  • A basic familiarity with Microsoft and Azure

Azure has a multitude of different encryption features that can be implemented depending on an organization's usage and needs, and it supports a number of different encryption models. For example, Azure supports client-side encryption, server-side encryption, Azure Disk Encryption, Azure Storage Service Encryption, client-side encryption of Azure Blobs, Transparent Data Encryption, and TLS encryption, among others. While there are many options for encryption, I want to focus specifically on how Azure encrypts data.

With that in mind, there are three specific features that I would like to focus on: Azure Storage Service Encryption, Azure Disk Encryption, and Transparent Data Encryption. Starting with Azure Storage Service Encryption: this protects your data at rest by automatically encrypting it before it is persisted to the cloud. Specifically, it protects data in Azure Managed Disks, Azure Blob Storage, Azure Files, and Azure Queue Storage, and decrypts it when it is retrieved.

This data is encrypted using 256-bit AES, and encryption is enabled for all storage accounts. The data can also be encrypted in both server-side and client-side setups. To clarify: in a client-side encryption model, encryption and decryption are performed outside of Azure, which leaves the organization in control of the encryption keys, while server-side encryption is effectively the opposite, where the service manages the encryption keys. But how does the service manage those encryption keys?

Well, this is where Azure Key Vault comes into play. Azure Key Vault is a cloud service used to store and manage application secrets. While functionality varies based on the subscription tier, Azure Key Vault gives organizations the ability to control permissions on, and access logs for, the secrets held within the vault. Specifically, Azure Key Vault can be used for secrets management, key management, certificate management, and storing secrets backed by hardware security modules. When speaking of encryption, however, we look to Azure Key Vault's key management features, which allow control of the encryption keys used to encrypt your organization's data. With Azure Key Vault fresh in our minds, we now move on to Azure Disk Encryption.
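The following Azure PowerShell script is an added example, not part of the course, showing the key-management link described above in practice: it switches a storage account from the default Microsoft-managed key to a customer-managed key held in Azure Key Vault. Server-side encryption still happens inside the storage service, but the key encryption key now lives in a vault the organization controls. The resource group, storage account and vault names are placeholders, and it assumes the vault uses access policies rather than Azure RBAC for authorization.

```powershell
# Added example (not from the course): configure a customer-managed key (CMK)
# for Azure Storage Service Encryption with Azure Key Vault.
# Placeholder names; replace with your own. Run after Connect-AzAccount.
$rg     = 'rg-encryption-demo'
$saName = 'stencryptiondemo'
$kvName = 'kv-encryption-demo'

# 1. A vault used for CMK must have purge protection, so the key cannot be
#    permanently deleted while the storage account still depends on it.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $kvName
if (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -ResourceGroupName $rg -VaultName $kvName -EnablePurgeProtection
}

# 2. Give the storage account a system-assigned managed identity, so the
#    service can unwrap the key without any stored credential.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity

# 3. Least privilege: the identity only needs get / wrapKey / unwrapKey on keys,
#    not list, delete, or any secret or certificate permissions.
Set-AzKeyVaultAccessPolicy -VaultName $kvName `
    -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys get,wrapkey,unwrapkey

# 4. Create the key encryption key. 'Software' is a software-protected key;
#    'HSM' on a Premium-tier vault gives an HSM-backed key instead.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name 'storage-cmk' -Destination 'Software'

# 5. Point the storage account at the vault key. The service still performs
#    the encryption (server-side), but you can now rotate or revoke the key.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -KeyvaultEncryption `
    -KeyName $key.Name `
    -KeyVersion $key.Version `
    -KeyVaultUri $kv.VaultUri

# Verify: KeySource now reads Microsoft.Keyvault instead of Microsoft.Storage.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption.KeySource
```

Revoking the identity's unwrapKey permission, or disabling the key, is what makes the data unreadable to the service; that is the practical difference between platform-managed and customer-managed keys, since the ciphertext on disk is the same 256-bit AES either way.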

Azure Disk Encryption protects Windows and Linux virtual machines with full-volume encryption. The encryption process depends on the type of VM: Linux VMs use dm-crypt to encrypt their disks, while Windows VMs use BitLocker. Regardless of the VM type, the encryption keys can be stored and managed in Azure Key Vault. Finally, we come to Transparent Data Encryption. Transparent Data Encryption, otherwise known as TDE, is used to encrypt SQL Server, Azure SQL Database, and Azure Synapse Analytics data files.

TDE encrypts and decrypts data and log files in real time using a database encryption key. When a database file is encrypted, the encryption is performed at the page level: pages are encrypted before they are written to disk and decrypted when they are read back. TDE also enables cell-level and column-level symmetric encryption, or even a feature known as Always Encrypted, which effectively provides a barrier between users who own and can view data and users who manage data but should not be able to view it. For more information on how Azure encrypts data, I have linked related documentation in the transcript for you to review.
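As an added example that is not part of the course, the Azure PowerShell function below audits the three features discussed above across the current subscription: who holds the key for Storage Service Encryption, whether Azure Disk Encryption reports the OS and data volumes as encrypted, and whether TDE is enabled on each Azure SQL database. It assumes you have already run Connect-AzAccount and hold read access to the resources; the property and cmdlet names are those of the Az modules.

```powershell
# Added example (not from the course): audit SSE key source, ADE status and
# TDE state across the current subscription. Read-only; run after Connect-AzAccount.
function Get-EncryptionAudit {
    $findings = @()

    # Storage Service Encryption is always on; the question is who holds the key.
    # Ok = $true only for customer-managed keys (Microsoft.Keyvault). Accounts
    # using Microsoft.Storage are still encrypted, but Microsoft manages the key.
    foreach ($sa in Get-AzStorageAccount) {
        $enc = $sa.Encryption
        $findings += [pscustomobject]@{
            Resource = $sa.StorageAccountName
            Feature  = 'StorageServiceEncryption'
            Status   = "KeySource=$($enc.KeySource)"
            Ok       = $enc.KeySource -eq 'Microsoft.Keyvault'
        }
    }

    # Azure Disk Encryption (BitLocker / dm-crypt): OS volume must be Encrypted;
    # data volumes are fine if Encrypted or simply NotMounted.
    foreach ($vm in Get-AzVM) {
        $st = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        $findings += [pscustomobject]@{
            Resource = $vm.Name
            Feature  = 'AzureDiskEncryption'
            Status   = "OS=$($st.OsVolumeEncrypted) Data=$($st.DataVolumesEncrypted)"
            Ok       = ($st.OsVolumeEncrypted -eq 'Encrypted') -and
                       ($st.DataVolumesEncrypted -in 'Encrypted','NotMounted')
        }
    }

    # Transparent Data Encryption: on by default for new Azure SQL databases,
    # but older or restored databases can have it disabled.
    foreach ($srv in Get-AzSqlServer) {
        $dbs = Get-AzSqlDatabase -ResourceGroupName $srv.ResourceGroupName -ServerName $srv.ServerName |
               Where-Object DatabaseName -ne 'master'   # TDE is not configurable on master
        foreach ($db in $dbs) {
            $tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $srv.ResourceGroupName `
                       -ServerName $srv.ServerName -DatabaseName $db.DatabaseName
            $findings += [pscustomobject]@{
                Resource = "$($srv.ServerName)/$($db.DatabaseName)"
                Feature  = 'TransparentDataEncryption'
                Status   = "State=$($tde.State)"
                Ok       = $tde.State -eq 'Enabled'
            }
        }
    }
    return $findings
}

$audit = Get-EncryptionAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { -not $_.Ok }   # anything listed here deserves a closer look
```

Two caveats when reading the output: a VM whose managed disks rely only on server-side encryption (and not ADE) will report NotEncrypted here even though the disk data is encrypted at rest by the storage service, and a database that shows TDE disabled can be turned on with Set-AzSqlDatabaseTransparentDataEncryption -State Enabled.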


About the Author

Lee has spent most of his professional career learning as much as he could about PC hardware and software while working as a PC technician with Microsoft. Once COVID hit, he moved into a customer training role with the goal of getting as many people as possible prepared for remote work using Microsoft 365. Being both Microsoft 365 certified and a self-proclaimed Microsoft Teams expert, Lee continues to expand his knowledge by working through the wide range of Microsoft certifications.