How to Encrypt Data in Azure: Simple Steps and Examples
To encrypt data in Azure, rely on Azure Storage Service Encryption (SSE), which encrypts data at rest automatically and cannot be turned off, and use Azure Key Vault to hold customer-managed keys when you need control over the key lifecycle. Protect data in transit by enforcing HTTPS (with TLS 1.2 as the minimum version), and use client-side encryption libraries when data must be encrypted before it ever reaches the service.
Syntax
Azure provides encryption mainly through two services: Storage Service Encryption (SSE) and Azure Key Vault. SSE encrypts every write with 256-bit AES before it is persisted and decrypts transparently on read, so it protects against loss of the physical media but not against a caller who holds valid credentials. Key Vault stores and controls access to the keys when you choose customer-managed keys (CMK) instead of the Microsoft-managed default.
Example of a storage account definition in the Terraform azurerm provider. Encryption at rest is always on, so there is no argument to enable it; the encryption-related settings you do control are HTTPS enforcement, the minimum TLS version, and optionally infrastructure (double) encryption and customer-managed keys:
terraform
resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Data in transit: reject plain HTTP. (azurerm 4.x renamed this
  # argument to https_traffic_only_enabled.)
  enable_https_traffic_only = true

  blob_properties {
    delete_retention_policy {
      days = 7
    }
  }
}
The encryption { services { blob { enabled = true } } key_source = "Microsoft.Storage" } block that often appears in examples like this one belongs to the ARM resource model (properties.encryption), not to azurerm_storage_account; Terraform rejects it as an unsupported block. In ARM, keySource is Microsoft.Storage for Microsoft-managed keys or Microsoft.Keyvault for customer-managed keys. The azurerm equivalent of the latter is the customer_managed_key block (key_vault_key_id plus a managed identity that has wrap/unwrap rights on the key), and the Key Vault must have soft delete and purge protection enabled.
Example
This example creates an Azure Storage account with the Azure CLI, creates a container, and uploads a file. The --encryption-services flag is accepted but redundant, because blob and file encryption are always on; the upload uses --auth-mode login, so it authenticates with your Entra ID identity over HTTPS and requires a data-plane role such as Storage Blob Data Contributor on the container.
bash
az group create --name ExampleResourceGroup --location eastus

az storage account create \
  --name examplestorageacct \
  --resource-group ExampleResourceGroup \
  --location eastus \
  --sku Standard_LRS \
  --encryption-services blob

# The container must exist before the upload.
az storage container create \
  --account-name examplestorageacct \
  --name mycontainer \
  --auth-mode login

# Upload a file; the CLI talks to the service over HTTPS.
az storage blob upload \
  --account-name examplestorageacct \
  --container-name mycontainer \
  --name example.txt \
  --file ./example.txt \
  --auth-mode login
Output
Each command prints a JSON description of the resource it created rather than a one-line message. The storage account document includes an "encryption" section whose "keySource" is "Microsoft.Storage" and whose "services" entry reports "blob" and "file" with "enabled": true, which is how you confirm encryption at rest. The container and blob commands return the new object's properties (etag and last-modified timestamp).
Common Pitfalls
Common mistakes when encrypting data in Azure include:
- Treating encryption at rest as the whole story. SSE is always on and cannot be disabled, but it is transparent: anyone holding an account key, a SAS token, or a data-plane RBAC role reads plaintext. Access control, not SSE, is what keeps data away from an attacker.
- Using Microsoft-managed keys when customer-managed keys are required for compliance, or when you need to revoke access to the data by disabling or deleting a key.
- Failing to secure access to Azure Key Vault (over-broad access policies, no purge protection), risking key exposure or irrecoverable key loss.
- Ignoring encryption of data in transit by not enforcing HTTPS, or leaving the minimum TLS version at the TLS 1.0 default.
Always verify the effective settings (az storage account show, az keyvault show) rather than trusting what the template intended.
terraform
## Wrong: HTTPS not enforced, so clients can read and write over plain HTTP.
## (Data at rest is still encrypted here; SSE cannot be turned off.)
resource "azurerm_storage_account" "wrong" {
  name                      = "wrongstorageacct"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = false
}

## Right: HTTPS enforced with a modern TLS floor.
resource "azurerm_storage_account" "right" {
  name                      = "rightstorageacct"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"
}
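To act on the "always verify" advice, here is an added example (not code from the page or from Microsoft) that audits the JSON returned by az storage account show -o json and az keyvault show -o json against the settings discussed in this section. The two JSON documents below are constructed samples, not output captured from Azure, and the HIGH/MEDIUM/LOW labels are the example's own convention.

```python
"""Audit storage-account and Key Vault JSON for encryption and key-access settings.

Added example using only the standard library. Field names follow the
`az ... show -o json` output; the sample documents are constructed, not real."""
import json

# Constructed sample: roughly what a plain `az storage account create` leaves you with.
STORAGE_ACCOUNT_JSON = """{
  "name": "examplestorageacct",
  "encryption": {
    "keySource": "Microsoft.Storage",
    "requireInfrastructureEncryption": null,
    "services": {"blob": {"enabled": true}, "file": {"enabled": true}}
  },
  "supportsHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": null
}"""

# Constructed sample: a vault on the legacy access-policy model with over-broad key rights.
KEY_VAULT_JSON = """{
  "name": "examplekv",
  "properties": {
    "enableRbacAuthorization": false,
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": ["all"], "secrets": ["get"]}}
    ]
  }
}"""


def audit_storage_account(acct: dict, require_cmk: bool = False) -> list:
    """Return 'SEVERITY: message' findings for one storage account document."""
    findings = []
    enc = acct.get("encryption") or {}
    services = enc.get("services") or {}
    for svc in ("blob", "file"):
        if not (services.get(svc) or {}).get("enabled", False):
            findings.append(f"HIGH: {svc} service encryption not reported as enabled")
    key_source = enc.get("keySource")
    if require_cmk and key_source != "Microsoft.Keyvault":
        findings.append(f"HIGH: keySource is {key_source!r}; customer-managed key required")
    if not acct.get("supportsHttpsTrafficOnly", False):
        findings.append("HIGH: HTTPS not enforced (supportsHttpsTrafficOnly is false)")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"MEDIUM: minimumTlsVersion is {acct.get('minimumTlsVersion')!r}, expected TLS1_2")
    if acct.get("allowBlobPublicAccess", False):
        findings.append("HIGH: anonymous (public) blob access is allowed")
    # null means "never set"; the platform default is to allow shared-key auth.
    if acct.get("allowSharedKeyAccess") is not False:
        findings.append("MEDIUM: shared key authorization allowed; account keys bypass Entra ID and RBAC")
    if not enc.get("requireInfrastructureEncryption"):
        findings.append("LOW: infrastructure (double) encryption not enabled")
    return findings


def audit_key_vault(kv: dict) -> list:
    """Return findings for one Key Vault document (protection and key permissions)."""
    props = kv.get("properties") or {}
    findings = []
    if not props.get("enableSoftDelete", False):
        findings.append("HIGH: soft delete disabled")
    if not props.get("enablePurgeProtection", False):
        findings.append("HIGH: purge protection disabled; required for storage CMK and stops permanent key deletion")
    if props.get("enableRbacAuthorization", False):
        return findings  # RBAC model: review role assignments instead of access policies
    findings.append("LOW: legacy access-policy model in use; Azure RBAC is the recommended permission model")
    for policy in props.get("accessPolicies") or []:
        key_perms = {p.lower() for p in (policy.get("permissions") or {}).get("keys") or []}
        if key_perms & {"all", "purge", "delete"}:
            findings.append(f"MEDIUM: principal {policy.get('objectId')} has destructive key permissions {sorted(key_perms)}")
    return findings


def audit_from_json(storage_json: str, vault_json: str, require_cmk: bool = False) -> dict:
    """Parse both documents and return findings keyed by resource type."""
    return {
        "storage": audit_storage_account(json.loads(storage_json), require_cmk),
        "keyvault": audit_key_vault(json.loads(vault_json)),
    }


if __name__ == "__main__":
    for scope, items in audit_from_json(STORAGE_ACCOUNT_JSON, KEY_VAULT_JSON, require_cmk=True).items():
        print(scope)
        for item in items:
            print("  -", item)
```

In practice you would pipe the real output of the two az commands into json.loads and pass require_cmk=True for subscriptions where compliance mandates customer-managed keys. Note that the blob/file "enabled" check never fires on a real account; it is there so the audit fails loudly if the document shape changes.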
Quick Reference
- Storage Service Encryption (SSE): always-on 256-bit AES encryption of data at rest; it cannot be disabled, only switched between Microsoft-managed and customer-managed keys.
- Azure Key Vault: Securely manage encryption keys and secrets.
- HTTPS: Encrypt data in transit.
- Customer-Managed Keys (CMK): Use your own keys stored in Key Vault for compliance.
- Key Vault permissions: prefer Azure RBAC over the legacy access-policy model, and grant each principal only the key operations it needs (for storage CMK that is get, wrapKey and unwrapKey).
Key Takeaways
Storage Service Encryption protects data at rest automatically and cannot be turned off; verify it, and decide who holds the key, rather than trying to enable it.
Use Azure Key Vault to securely manage and control encryption keys.
Encrypt data in transit by enforcing HTTPS connections.
Choose customer-managed keys in Key Vault for greater control and compliance.
Regularly review Key Vault role assignments and access policies to prevent unauthorized key usage, and keep soft delete and purge protection enabled so keys cannot be destroyed.