Encryption in Azure

Azure encrypts data at rest across all its storage services by default, and enforces TLS for data in transit between clients and Azure endpoints. Understanding what is automatic versus what requires configuration helps you know exactly what your security baseline is — and where you need to take additional steps for higher compliance requirements.

Encryption at rest

When data is written to disk in an Azure storage service, Azure encrypts it before it is persisted. This applies to Azure Blob Storage, Azure Files, Azure Queue Storage, Azure Table Storage, Azure SQL Database, Azure Cosmos DB, Azure Disk Storage, and every other managed storage service. The encryption happens transparently at the storage layer — your application reads and writes data as if it were unencrypted, and the service handles the encryption and decryption.

The algorithm used for data at rest is AES-256, which is the same standard used by most modern full-disk encryption tools and is approved for classified government data in many jurisdictions. The encryption is applied to the underlying storage blocks, which means even if someone physically removed the storage media from an Azure data centre, the data would be unreadable without the encryption keys.

This default encryption uses platform-managed keys: Microsoft generates, stores, rotates, and manages the keys in its own key infrastructure. You benefit from encryption without any configuration or ongoing maintenance.

Encryption in transit

Data in transit means data moving between your application and an Azure service endpoint, between Azure services in the same region, or between Azure regions. Azure uses Transport Layer Security (TLS) to protect this traffic.

For managed services — App Service, Azure SQL, Cosmos DB, Storage accounts, Azure Cache for Redis — the service endpoint enforces TLS. Connections over plain HTTP are either redirected to HTTPS or rejected, depending on the service and your configuration. You can configure a minimum TLS version (1.2 is the current recommended minimum) on most services to prevent clients from negotiating down to older, weaker versions.

For virtual machines running your own software (a self-hosted web server, a database on a VM, an API gateway you manage), you are responsible for configuring TLS. Azure provides the infrastructure but does not automatically place a TLS certificate in front of your application. In practice, most teams place an Azure Application Gateway or Azure Front Door in front of VM-based workloads and handle TLS termination there, using certificates managed through Azure Key Vault.

Internal traffic between Azure services in the same data centre is handled over Microsoft’s private network infrastructure and is not exposed to the public internet, even if you do not explicitly configure service endpoints or private endpoints. For sensitive data, however, using private endpoints keeps traffic off the public internet entirely and limits which networks can reach your services.

Key management options

Azure gives you three levels of control over encryption keys, each with different trade-offs between convenience and control.

Platform-managed keys (PMK)

Microsoft manages the keys. They are stored in Microsoft’s key management infrastructure, rotated automatically, and you have no visibility into or control over them. This is the default for every Azure storage service and requires no action from you. It satisfies most security requirements and is appropriate for the vast majority of workloads.

Customer-managed keys (CMK)

You provide your own encryption keys, stored in Azure Key Vault. Azure services use these keys to encrypt your data, but the keys themselves live under your control. You can rotate them on your schedule, restrict access to the Key Vault, and audit every use of the keys. The trade-off is operational responsibility: if your Key Vault becomes inaccessible (deleted, misconfigured access policies, expired credentials), the encrypted data becomes inaccessible too. See Customer Managed Keys for the full detail on this option.

Customer-provided keys (CPK)

For Azure Blob Storage specifically, you can supply an encryption key on each individual API request. Azure uses the key to encrypt or decrypt that request’s data and then discards it — the key is never stored in Azure. This gives maximum control but means your application must manage and supply the key for every read and write. It is rarely used outside of highly specialised compliance scenarios.

What is automatic vs what requires configuration

The following table shows the encryption defaults for the most common Azure services and what additional steps you would take for stricter compliance requirements.

ServiceAutomatic (default)What you configure for higher compliance
Azure Blob / File StorageAES-256 at rest with platform-managed keys. HTTPS enforced by default setting (configurable).Enable customer-managed keys via Key Vault. Enable “require secure transfer” if not already on. Use private endpoints to remove public access. Enable double encryption (infrastructure encryption layer).
Azure SQL DatabaseTransparent Data Encryption (TDE) enabled by default using service-managed keys. TLS enforced on all connections.Switch TDE protector to a customer-managed key in Key Vault. Enable Always Encrypted for column-level encryption (data encrypted before it leaves the client). Enable Ledger for tamper-evident audit tables.
Azure Cosmos DBAES-256 at rest with service-managed keys. TLS on all connections.Enable customer-managed keys at account creation (cannot be added to an existing account). Use private endpoints. Enable analytical store encryption if using the analytical store.
Azure Virtual Machine DisksOS and data disks encrypted at rest using platform-managed keys (Server-Side Encryption, SSE).Enable Azure Disk Encryption (ADE) to add BitLocker (Windows) or dm-crypt (Linux) encryption at the VM OS level, in addition to SSE. Use customer-managed keys for SSE. Enable double encryption (SSE + infrastructure layer).
Azure Key VaultAll secrets, keys, and certificates encrypted at rest. TLS enforced. Standard tier uses software-protected keys.Use Premium tier for HSM-backed keys (FIPS 140-2 Level 2). Use Managed HSM for FIPS 140-2 Level 3 with single-tenant hardware. Enable purge protection to prevent permanent deletion during retention period.

Double encryption

Double encryption, also called infrastructure encryption, adds a second layer of AES-256 encryption at the infrastructure level beneath the service-level encryption. The data is encrypted twice with two independent encryption implementations and two sets of keys. This is available for Azure Storage accounts and Azure Managed Disks.

Double encryption exists to satisfy specific compliance requirements that mandate multiple independent encryption layers, or to provide protection in the theoretically unlikely scenario that one encryption implementation is compromised. For most organisations, single-layer AES-256 encryption is more than sufficient. Enable double encryption when a specific compliance framework or your security team’s policy requires it — not as a general default.

You enable it at account or disk creation time:

# Create a storage account with infrastructure encryption (double encryption)
az storage account create \
  --name mystorageaccount \
  --resource-group my-rg \
  --location eastus \
  --sku Standard_LRS \
  --require-infrastructure-encryption true

Azure Disk Encryption for virtual machines

Virtual machine disks in Azure are encrypted at rest by default at the storage layer (Server-Side Encryption). Azure Disk Encryption (ADE) adds a second, different layer: it uses BitLocker on Windows VMs and dm-crypt on Linux VMs to encrypt the disk at the operating system level. This means the disk is encrypted before data even reaches the storage layer.

ADE is typically required for compliance frameworks that specify the disk must be encrypted at the volume level (as opposed to storage-layer encryption), or when you are moving disk images between environments and want to ensure the disk is protected regardless of what storage it lands on. ADE uses keys stored in Key Vault.

# Enable Azure Disk Encryption on a Windows VM
az vm encryption enable \
  --resource-group my-rg \
  --name my-windows-vm \
  --disk-encryption-keyvault my-vault \
  --volume-type All

Enabling ADE on a running VM requires a reboot. Plan for maintenance windows. Also ensure your Key Vault is in the same region as the VM and that the VM’s managed identity (or service principal) has Key Vault access before enabling encryption.

Encryption and compliance

For most compliance frameworks, default Azure encryption satisfies the encryption-at-rest and encryption-in-transit requirements. PCI DSS requires AES-128 or stronger at rest (Azure’s AES-256 qualifies) and TLS 1.2 or stronger in transit (configurable on all Azure services). HIPAA requires encryption of Protected Health Information at rest and in transit (Azure’s defaults qualify). ISO 27001 requires appropriate encryption without mandating a specific algorithm.

Where frameworks differ is on key management. Some frameworks require you to maintain control of your own encryption keys — this is when customer-managed keys become a compliance requirement rather than an optional enhancement. Before implementing CMKs purely for compliance reasons, confirm that your specific framework actually requires customer control of keys, because PMK often satisfies the technical requirement with far less operational complexity.

Common misconceptions

  1. Assuming encryption alone prevents data breaches. Encryption at rest protects against physical media theft. It does not protect against an authenticated user or application with valid credentials reading data they should not. Access control via Azure RBAC and the principle of least privilege does that job.
  2. Conflating encryption in transit with network isolation. TLS encrypts the content of traffic but does not prevent a publicly-accessible service from being reached. Use private endpoints and network restrictions in addition to TLS for services that should not be reachable from the public internet.
  3. Enabling customer-managed keys without testing Key Vault access. If the managed identity that Azure uses to read your CMK loses access to Key Vault — because a role assignment was removed, because the vault was soft-deleted, because a network restriction changed — the service will stop being able to decrypt data. Test the access chain thoroughly before enabling CMKs in production.

Frequently asked questions

Is data in Azure encrypted by default, or do I need to configure it?

All data stored in Azure services is encrypted at rest by default using platform-managed keys. You do not need to do anything to get baseline encryption. What requires additional configuration is using your own keys (customer-managed keys), enabling encryption at the VM disk level with Azure Disk Encryption, or enabling double encryption for higher compliance requirements.

What is the difference between platform-managed keys and customer-managed keys?

With platform-managed keys, Microsoft generates, stores, and rotates the encryption keys on your behalf — you get encryption with no operational overhead. With customer-managed keys, you bring your own keys stored in Azure Key Vault. You control key rotation, expiry, and access, but you are also responsible for ensuring those keys remain accessible. If you lose access to your Key Vault, you lose access to your encrypted data.

Does encrypting data in transit happen automatically, or do I need to configure TLS?

For communication between Azure services and from client to Azure service endpoints, TLS is enforced by default. However, for virtual machines you configure yourself (for example, a web server on an Azure VM), you are responsible for installing and configuring TLS certificates. Azure App Service, Azure Functions, and managed services handle TLS for you at the service layer.

Last verified: 19 March 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.