BLOB encryption without application changes?

    Question

  • After a discussion on Twitter (via DM), they asked me to create this forum post. The discussion was:

    Looking into BLOB storage encryption, also called Storage Service Encryption (SSE), it's unclear to me if there are application changes needed to support this. And it looks like I'm not the only one (see: Tweet).

    If you read this article about SSE, it states that:

    "When the customer needs to access data (GET Blob, etc.), data is automatically decrypted before returning to the user."

    and

    "All encryption keys are stored, encrypted, and managed by Microsoft."

    So my question is:

    Is this encryption comparable to Transparent Data Encryption (TDE) for Azure SQL DB? TDE also encrypts the data at rest (in this case the data and log files), without the need for application changes. The encryption keys and certificates are managed by Microsoft, and there's no user action needed. The data access remains the same (no configuration changes or connection string changes needed), with or without TDE enabled.

    Does this work the same for SSE? So when I enable SSE on a storage account, can I access my BLOBS in the same (unchanged) way?


    Monday, August 07, 2017 12:26 PM

Answers

  • Q. Does this work the same for SSE? So, when I enable SSE on a storage account, can I access my BLOBS in the same (unchanged) way?

    Ans: You can access your blobs without any changes. The encryption, decryption, and key management are totally transparent to users. The state of data does not change with the user toggling between enabling/disabling encryption for the storage account.

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Monday, August 07, 2017 2:01 PM
    Moderator

All replies

  • Thanks for your quick answer Vikranth!
    Tuesday, August 08, 2017 6:26 AM
  • When SSE is enabled, data is encrypted when it is written, and decrypted when it is read. You don't have to do anything for this to work.

    However, note that when you enable SSE, all data written AFTER that will be encrypted. If you already have data in the storage account, it doesn't go back and encrypt the existing data. You would have to copy that data to a different container, or a different name, so it is forced to write it again, and since SSE is encrypted, it would encrypt the data at that point.

    Robin

    Sr. Content Developer, Azure Storage


    Sr. Content Developer at Microsoft

    Thursday, August 10, 2017 5:48 PM
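Robin's note above means blobs that existed before SSE was switched on stay unencrypted until they are written again. As an added example (not code from this thread or from Microsoft), the script below lists a container, uses the per-blob server_encrypted flag to find those blobs, and rewrites them in place; it assumes the azure-storage-blob v12 SDK, block blobs, and a connection string in the AZURE_STORAGE_CONNECTION_STRING environment variable.

```python
"""Find blobs written before SSE was enabled and rewrite them in place.

Added example, not from this thread or from Microsoft. Assumes the
azure-storage-blob v12 SDK, block blobs, and AZURE_STORAGE_CONNECTION_STRING
in the environment. The service reports per-blob encryption state in the
x-ms-server-encrypted header, surfaced as BlobProperties.server_encrypted.
"""
import os
from typing import Iterable, List, Tuple


def blobs_needing_rewrite(blobs: Iterable[Tuple[str, object]]) -> List[str]:
    """Names of blobs the service does not report as encrypted.

    `blobs` yields (name, server_encrypted) pairs. server_encrypted is True,
    False, or None (API versions that predate the header report nothing);
    only an explicit True counts as already encrypted.
    """
    return [name for name, encrypted in blobs if encrypted is not True]


def rewrite_blob(blob_client) -> None:
    """Read a blob and write it back under the same name, keeping its
    metadata and content settings, so the service encrypts it on write.
    The whole blob is held in memory; suitable for small objects only."""
    props = blob_client.get_blob_properties()
    data = blob_client.download_blob().readall()
    blob_client.upload_blob(data, overwrite=True, metadata=props.metadata,
                            content_settings=props.content_settings)


def reencrypt_container(container_name: str, dry_run: bool = True) -> List[str]:
    """List a container, return the blobs still unencrypted and, unless
    dry_run is set, rewrite each of them."""
    # Imported here so the pure helper above can be exercised offline.
    from azure.storage.blob import BlobServiceClient

    service = BlobServiceClient.from_connection_string(
        os.environ["AZURE_STORAGE_CONNECTION_STRING"])
    container = service.get_container_client(container_name)
    pending = blobs_needing_rewrite(
        (b.name, b.server_encrypted) for b in container.list_blobs())
    if not dry_run:
        for name in pending:
            rewrite_blob(container.get_blob_client(name))
    return pending
```

Call reencrypt_container("mycontainer") with the default dry_run=True first to see which blobs would be rewritten before running it with dry_run=False.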