Azure File encryption RRS feed

  • Question

  • general question related to the use of Azure File Share and encryption.

    Now as I understand it you can use azure file share to create a share that can be mapped to a windows server in azure or onprem that links to the storage account. 

    We are looking at mapping the file share to an onprem server in our main office.
    In reading Azure File Share I see that the file share is based on SMB 3.0. However what I can't clearly get an answer to is encryption SMB 3.0 seems to support encryption meaning files sent in or out of that share are done using encryption. What I don't understand is that encryption for data in transit is that something that needs to be turned on or is that simply native to the SMB 3.0 protocol?

    2.) Separately but related can please confirm that when you create a storage account certain templates like 'General  Purpose-V2' enabled encryption at rest for items in that storage account.
    Thursday, September 13, 2018 8:45 PM

All replies

  • The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB.

    Azure Files supports encryption via SMB 3.0 and with HTTPS when using the File REST API. When mounting outside of the Azure region the Azure file share is located in, such as on-premises or in another Azure region, SMB 3.0 with encryption is always required. SMB 2.1 does not support encryption, so by default connections are only allowed within the same region in Azure, but SMB 3.0 with encryption can be enforced by requiring secure transfer for the storage account.

    The "Secure transfer required" option enhances the security of your storage account by only allowing requests to the account from secure connections. For example, when you're calling REST APIs to access your storage account, you must connect by using HTTPS. "Secure transfer required" rejects requests that use HTTP.When you use the Azure Files service, any connection without encryption fails when "Secure transfer required" is enabled. This includes scenarios that use SMB 2.1, SMB 3.0 without encryption, and some versions of the Linux SMB client.

    To have a secure communication channel, you should always use HTTPS when calling the REST APIs or accessing objects in storage. Also, Shared Access Signatures, which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used when using Shared Access Signatures, ensuring that anybody sending out links with SAS tokens will use the proper protocol.

    For more information, suggest you to Azure Storage security guide.

    Azure Storage Service Encryption for data at rest helps you protect your data to meet your organizational security and compliance commitments. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob, Queue, or Table storage, or Azure Files, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to users. All data written to the Azure storage platform is encrypted through 256-bit AES encryption, one of the strongest block ciphers available.

    Storage Service Encryption is enabled for all new and existing storage accounts and cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Storage Service Encryption.


    If this answer was helpful, click “Mark as Answer” or “Up-Vote”. To provide additional feedback on your forum experience, click here

    • Proposed as answer by VeeraGiri Babu Friday, September 14, 2018 5:05 AM
    Friday, September 14, 2018 5:04 AM
  • Checking in to see if the above response helped to answer your query. Let us know if there are still any additional issues we can help with.
    Tuesday, September 18, 2018 5:27 AM