Missing Server Side Encryption in Azure Storage
Azure Storage is Microsoft’s cloud storage solution for modern data storage scenarios. It offers a variety of storage services like Azure Blob storage, Azure Data Lake Storage, Azure Files, Azure Queue, and Azure Table storage. One of the core security features of Azure Storage is its capability to encrypt and decrypt data transparently using 256-bit AES encryption.
Storage Service Encryption (SSE)
By default, Azure Storage encrypts data at rest using Storage Service Encryption (SSE). Encryption and decryption are transparent, and no action is required from the user.
Key Management
By default, Azure uses Microsoft Managed Keys for encryption. This means Microsoft handles the lifecycle, protection, and durability of these keys.
Azure Storage supports Customer-Managed Keys (CMK) for organizations requiring more control over their encryption keys. This gives the customers full control over the key management lifecycle, auditing, rotating, importing, and generating new keys as needed.
Customers can also provide their own encryption keys, known as Customer-Provided Keys (CPK). Unlike Customer-Managed Keys (CMK), which reside in Azure Key Vault, a CPK is sent with each request to the storage service.
Double Encryption with Infrastructure Encryption
Azure introduced a "Double Encryption" capability that combines Azure Storage Service Encryption (SSE) with Infrastructure Encryption for added protection. Data is encrypted twice: first at the application layer and then again at the infrastructure layer.
```hcl
resource "azurerm_storage_account" "example" {
  name                              = "example"
  resource_group_name               = azurerm_resource_group.example.name
  location                          = azurerm_resource_group.example.location
  account_tier                      = "Standard"
  account_replication_type          = "LRS"
  infrastructure_encryption_enabled = true
}
```
Setting infrastructure_encryption_enabled = true enables infrastructure encryption for the storage account, adding the second layer of encryption on top of Azure's default Storage Service Encryption. Infrastructure encryption can only be enabled when the storage account is created, not turned on later for an existing account, so changing this value in Terraform replaces the account.
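To catch the "missing" case the title refers to before it reaches Azure, a lightweight policy-as-code check can scan Terraform configuration for azurerm_storage_account resources that do not enable infrastructure encryption. The following is an added example, not code from the original page or from the azurerm provider; it uses a small regex-based reader for flat resource blocks (a real HCL parser would be needed for nested blocks) and a constructed sample configuration containing a weak account that omits the attribute, one that sets it to false, and the hardened form shown above. It treats both absence and an explicit false as findings, because the provider default for this attribute is false.

```python
import re

# Constructed sample Terraform configuration (not from the page): one storage
# account omits infrastructure encryption, one disables it explicitly, and one
# enables it as in the page's example. A non-storage resource is included to
# show that the check ignores it.
SAMPLE_TF = '''
resource "azurerm_storage_account" "weak_missing" {
  name                     = "weakmissing"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_account" "weak_false" {
  name                              = "weakfalse"
  resource_group_name               = azurerm_resource_group.example.name
  location                          = azurerm_resource_group.example.location
  account_tier                      = "Standard"
  account_replication_type          = "LRS"
  infrastructure_encryption_enabled = false
}

resource "azurerm_storage_account" "hardened" {
  name                              = "hardened"
  resource_group_name               = azurerm_resource_group.example.name
  location                          = azurerm_resource_group.example.location
  account_tier                      = "Standard"
  account_replication_type          = "LRS"
  infrastructure_encryption_enabled = true
}

resource "azurerm_resource_group" "example" {
  name     = "example"
  location = "westeurope"
}
'''

# Matches a top-level resource block (type, name, body) up to the first line
# that consists only of "}". Storage account bodies in this check are flat
# key = value assignments; nested blocks would need a real HCL parser.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# One attribute assignment per line; a trailing "# comment" is dropped.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>[^\n#]+)', re.MULTILINE)


def parse_resources(tf_text):
    """Return a list of (type, name, {attribute: raw_value}) for each resource block."""
    resources = []
    for m in BLOCK_RE.finditer(tf_text):
        attrs = {}
        for a in ATTR_RE.finditer(m.group("body")):
            attrs[a.group("key")] = a.group("value").strip()
        resources.append((m.group("type"), m.group("name"), attrs))
    return resources


def find_missing_infrastructure_encryption(tf_text):
    """Return {resource_name: reason} for every azurerm_storage_account that does
    not enable infrastructure encryption. An absent attribute is reported as well
    as an explicit false, because the provider default is false."""
    findings = {}
    for rtype, name, attrs in parse_resources(tf_text):
        if rtype != "azurerm_storage_account":
            continue
        value = attrs.get("infrastructure_encryption_enabled")
        if value is None:
            findings[name] = "infrastructure_encryption_enabled not set (defaults to false)"
        elif value != "true":
            findings[name] = f"infrastructure_encryption_enabled = {value}"
    return findings


if __name__ == "__main__":
    for name, reason in find_missing_infrastructure_encryption(SAMPLE_TF).items():
        print(f"azurerm_storage_account.{name}: {reason}")
```

Run against the sample, the check reports weak_missing and weak_false and stays silent on hardened. The same function can be pointed at a real .tf file's contents in a pre-commit hook or CI step so that an account without infrastructure encryption is rejected before apply, which matters because the setting cannot be added to an existing account afterwards.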