Understanding the various encryption models and their pros and cons is essential for understanding how the various resource providers in Azure implement encryption at Rest. These definitions are shared across all resource providers in Azure to ensure a common language and taxonomy.
There are three scenarios for server-side encryption:
Server-side encryption using Service-Managed keys
o Azure Resource Providers perform the encryption and decryption operations
o Microsoft manages the keys
o Full cloud functionality
Server-side encryption using customer-managed keys in Azure Key Vault
o Azure Resource Providers perform the encryption and decryption operations
o Customer controls keys via Azure Key Vault
o Full cloud functionality
Server-side encryption using customer-managed keys on customer-controlled hardware
o Azure Resource Providers perform the encryption and decryption operations
o Customer controls keys on customer-controlled hardware
o Full cloud functionality
Server-side Encryption models refer to encryption that is performed by the Azure service. In that model, the Resource Provider performs the encrypt and decrypt operations. For example, Azure Storage may receive data in plain text operations and will perform the encryption and decryption internally. The Resource Provider might use encryption keys that are managed by Microsoft or by the customer depending on the provided configuration.
Each server-side encryption at rest model implies distinctive characteristics of key management. This includes where and how encryption keys are created and stored, as well as the access models and the key rotation procedures.
For client-side encryption, consider the following:
Azure services cannot see decrypted data
Customers manage and store keys on-premises (or in other secure stores). Keys are not available to Azure services
Reduced cloud functionality
The supported encryption models in Azure split into two main groups: "Client Encryption" and "Server-side Encryption" as mentioned previously. Independent of the encryption at rest model used, Azure services always recommend the use of a secure transport such as TLS or HTTPS. Therefore, transport protocol should address encryption in transport and not be a major factor in determining which encryption at rest model to use.
Client encryption model
Client Encryption model refers to encryption performed outside of the Resource Provider or Azure by the service or calling application. The encryption can be performed by the service application in Azure or by an application running in the customer data center. In either case, when leveraging this encryption model, the Azure Resource Provider receives an encrypted blob of data without the ability to decrypt the data in any way or have access to the encryption keys. In this model, the key management is done by the calling service/application and is opaque to the Azure service.
Server-side encryption using service-managed keys
For many customers, the essential requirement is to ensure that the data is encrypted whenever it is at rest. Server-side encryption using service-managed Keys enables this model by allowing customers to mark the specific resource (Storage Account, SQL DB, etc.) for encryption and leaving all key management aspects, such as key issuance, rotation, and backup, to Microsoft. Most Azure services that support encryption at rest typically support this model of offloading the management of the encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management.
Server-side encryption using service-managed keys therefore quickly addresses the need to have encryption at rest with low overhead to the customer. When available a customer typically opens the Azure portal for the target subscription and resource provider and checks a box indicating, they would like the data to be encrypted. In some Resource Managers server-side encryption with service-managed keys is on by default.
Server-side encryption with Microsoft-managed keys does imply the service has full access to store and manage the keys. While some customers may want to manage the keys because they feel they gain greater security, the cost and risk associated with a custom key storage solution should be considered when evaluating this model
Key access
When Server-side encryption with service-managed keys is used, the key creation, storage, and service access are all managed by the service. Typically, the foundational Azure resource providers will store the Data Encryption Keys in a store that is close to the data and quickly available and accessible while the Key Encryption Keys are stored in a secure internal store.
Advantages
Simple setup
Microsoft manages key rotation, backup, and redundancy
The customer does not have the cost associated with the implementation of the risk of a custom key management scheme.
Disadvantages
No customer control over the encryption keys (key specification, lifecycle, revocation, etc.)
No ability to segregate key management from the overall management model for the service
Server-side encryption using customer-managed keys in Azure Key Vault
For scenarios where the requirement is to encrypt the data at rest and control the encryption keys, customers can use server-side encryption using customer-managed Keys in Key Vault
Loss of key encryption keys means loss of data. For this reason, keys should not be deleted. Keys should be backed up whenever created or rotated. Soft-Delete and purge protection must be enabled on any vault storing key encryption keys to protect against accidental or malicious cryptographic erasure. Instead of deleting a key, it is recommended to set enabled to false on the key encryption key. Use access controls to revoke access to individual users or services in Azure Key Vault or Managed HSM.
Key Access
The server-side encryption model with customer-managed keys in Azure Key Vault involves the service accessing the keys to encrypt and decrypt as needed. Encryption at rest keys are made accessible to a service through an access control policy. This policy grants the service identity access to receive the key
For operations using encryption keys, a service identity can be granted access to any of the following operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, and restore.
To obtain a key for use in encrypting or decrypting data at rest, the service identity that the Resource Manager service instance will run as must have UnwrapKey (to get the key for decryption) and WrapKey (to insert a key into the key vault when creating a new key).
Advantages
Full control over the keys used – encryption keys are managed in the customer's Key Vault under the customer's control.
Ability to encrypt multiple services to one master
Can segregate key management from the overall management model for the service
Can define service and key location across regions
Disadvantages
The customer has full responsibility for key access management
The customer has full responsibility for key lifecycle management
Additional Setup & configuration overhead
Server-side encryption using customer-managed keys in Customer-controlled hardware
Some Azure services enable the Host Your Own Key (HYOK) key management model. This management mode is useful in scenarios where there is a need to encrypt the data at rest and manage the keys in a proprietary repository outside of Microsoft's control. The service must retrieve the key from an external site in this model. Performance and availability guarantees are impacted, and configuration is more complex
Key Access
When server-side encryption using service-managed keys in customer-controlled hardware is used, the keys are maintained on a system configured by the customer. Azure services that support this model provide a means of establishing a secure connection to a customer-supplied key store.
Advantages
Full control over the root key used – a customer-provided store manages encryption keys
Ability to encrypt multiple services to one master
Can segregate key management from the overall management model for the service
Can define service and key location across regions
Disadvantages
Full responsibility for key storage, security, performance, and availability
Full responsibility for key access management
Full responsibility for key lifecycle management
Significant setup, configuration, and ongoing maintenance costs
Increased dependency on network availability between the customer datacenter and Azure datacenters.
Comments