Existing blobs not being encrypted server side as documentation states they should

  • Question

  • Per https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:


    Q: How do I encrypt the data in a Resource Manager storage account?

    A: Storage Service Encryption is enabled for all storage accounts, classic and Resource Manager. Any existing files in the storage account created before encryption was enabled will retroactively get encrypted by a background encryption process.


    My understanding is that blobs in our storage accounts that are currently unencrypted will be encrypted automatically server side. However, I have found this not to be the case. I have examples of blobs that haven't been updated since 2014 where they still report false for 'SERVER ENCRYPTED'. Most of these are in classic storage accounts; however, one of these accounts I migrated to a Resource Manager storage account, and the blobs within have still not been encrypted.

    Monday, July 9, 2018 3:53 PM
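One way to audit for the condition described in the question is to read the `ServerEncrypted` flag that the List Blobs REST response carries for each blob and report the ones that are still unencrypted, oldest first. This is an added example, not code from the poster; the listing below is a constructed, abridged sample response, and the helper treats a missing `ServerEncrypted` element as not encrypted.

```python
"""Audit a List Blobs response for blobs the service has not yet encrypted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed, abridged sample of a List Blobs REST response (not captured
# from a real account). A real one comes from
# GET https://<account>.blob.core.windows.net/<container>?restype=container&comp=list
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="archive">
  <Blobs>
    <Blob><Name>reports/2014-q3.pdf</Name><Properties>
      <Last-Modified>Tue, 07 Oct 2014 09:12:31 GMT</Last-Modified>
      <ServerEncrypted>false</ServerEncrypted></Properties></Blob>
    <Blob><Name>reports/2018-q2.pdf</Name><Properties>
      <Last-Modified>Mon, 02 Jul 2018 14:05:00 GMT</Last-Modified>
      <ServerEncrypted>true</ServerEncrypted></Properties></Blob>
    <Blob><Name>legacy/export.csv</Name><Properties>
      <Last-Modified>Fri, 21 Mar 2014 18:40:12 GMT</Last-Modified></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>
"""


def unencrypted_blobs(listing_xml: str, now=None) -> list[dict]:
    """Return blobs whose ServerEncrypted flag is not 'true', oldest first.
    A missing element counts as not encrypted (older API versions omit it)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(listing_xml)
    findings = []
    for blob in root.iter("Blob"):
        props = blob.find("Properties")
        flag = props.findtext("ServerEncrypted", default="").strip().lower()
        if flag == "true":
            continue
        # Last-Modified is an RFC 1123 date; parse it as an aware UTC datetime.
        modified = parsedate_to_datetime(props.findtext("Last-Modified"))
        findings.append({
            "name": blob.findtext("Name"),
            "last_modified": modified,
            "age_days": (now - modified).days,
            "server_encrypted": flag or "<absent>",
        })
    return sorted(findings, key=lambda f: f["last_modified"])


if __name__ == "__main__":
    for f in unencrypted_blobs(SAMPLE_LISTING):
        print(f"{f['name']}: ServerEncrypted={f['server_encrypted']}, unchanged {f['age_days']} days")
```

Paging (`NextMarker`) is left out; a real audit would loop over markers and feed each page to the same function.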

All replies

  • Data stored in the storage account prior to enabling the Storage Service Encryption will retroactively get encrypted. The data may not be immediately encrypted, but the system background encryption process will encrypt the data, and it may take months for the process to encrypt the data.

    For more information:

    1. Storage Service Encryption (SSE), which is performed by the storage service. Storage Service Encryption (SSE) is enabled by default for all disks. SSE encrypts data at rest using keys managed by Microsoft. We are planning to show the SSE encryption status soon in the portal.

    How can I find out if my disk is encrypted?

    You can find out the time when a disk was created from the Azure portal, the Azure CLI, and PowerShell. If the time is after June 9, 2017, then your disk is encrypted.

    2. Azure Disk Encryption, which you can enable on the OS and data disks for your VMs. The encryption property is associated with Azure Disk Encryption, which is another way of encrypting your disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. As you haven't enabled this encryption, your disks are shown as not encrypted.

    Contact ssediscussions@microsoft.com for any problems or feedback related to Storage Service Encryption.


    • Proposed as answer by vikranth s Monday, July 9, 2018 4:16 PM
    Monday, July 9, 2018 4:15 PM
  • Is there any timeline we can expect for this encryption other than "it may take months"? It has already been months and so far it hasn't happened.

    We have some files we would like to be encrypted at rest and I know we could probably do some work to rewrite files to trigger them to be encrypted but I don't want to go through all that effort if they will get encrypted automatically.

    Monday, July 9, 2018 7:38 PM
  • Our engineers are actively working on improving this feature. We appreciate your time and patience in this matter.

    • Edited by vikranth s Tuesday, July 10, 2018 1:55 PM
    Tuesday, July 10, 2018 1:54 PM