Storage Service Encryption (SSE) is the encryption provided by the Azure platform to encrypt data at rest. Data is automatically encrypted by the Storage Service Encryption service before it is persisted to Azure Blob, Azure Queues, Tables, Azure Files, or managed disks. This helps developers build secure applications in the cloud without the need to develop encryption algorithms and solutions to encrypt the data.
Another key point here is that with SSE, the encryption at rest, decryption, and key management processes are totally transparent to the end users. Azure uses 256-bit AES encryption to encrypt the data before persisting it to Azure Storage. This is one of the strongest block ciphers available.
Some organizations prefer to bring their own encryption keys and handle the encryption due to compliance requirements. SSE supports customer-managed keys as well. Having support for customer-managed keys offers flexibility and control over the keys. Since you are managing the keys, you have the option to create, disable, audit, rotate, and define access controls. The key will be stored in Azure Key Vault and will be utilized by the Azure Storage service whenever the key is required.
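One way to check which key source each storage account actually uses, as an added example that is not part of the original text: it classifies accounts from JSON shaped like `az storage account list` output and lists those that do not meet a customer-managed-key policy. The account names, vault URI, key name, and key version are constructed sample values, `classify` and `audit` are hypothetical helper names, and the example assumes that an empty key version means the account follows the latest version of the key.

```python
import json

# Constructed sample shaped like `az storage account list` output (not real accounts).
SAMPLE = json.loads("""
[
  {"name": "stplatformkeys",
   "encryption": {"keySource": "Microsoft.Storage",
                  "services": {"blob": {"enabled": true}, "file": {"enabled": true}}}},
  {"name": "stcmkpinned",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net",
                                         "keyName": "sse-key", "keyVersion": "0123456789abcdef"},
                  "services": {"blob": {"enabled": true}, "file": {"enabled": true}}}},
  {"name": "stcmkauto",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net",
                                         "keyName": "sse-key", "keyVersion": null},
                  "services": {"blob": {"enabled": true}, "file": {"enabled": true}}}}
]
""")


def classify(account):
    """Return (name, key_management, note) for one storage account record."""
    enc = account.get("encryption") or {}
    source = (enc.get("keySource") or "").lower()
    if source != "microsoft.keyvault":
        # Default SSE: Azure holds and manages the encryption keys.
        return account["name"], "platform-managed", "keys are managed by Azure"
    kv = enc.get("keyVaultProperties") or {}
    where = f"{kv.get('keyVaultUri')}/keys/{kv.get('keyName')}"
    if kv.get("keyVersion"):
        # A pinned version stays in use until someone updates the account.
        return account["name"], "customer-managed", f"{where} pinned to a version; rotate manually"
    return account["name"], "customer-managed", f"{where} follows latest key version"


def audit(accounts, require_cmk=True):
    """Classify every account and list those violating a CMK-only policy."""
    rows = [classify(a) for a in accounts]
    violations = [name for name, mgmt, _ in rows if require_cmk and mgmt != "customer-managed"]
    return rows, violations


if __name__ == "__main__":
    rows, violations = audit(SAMPLE)
    for name, mgmt, note in rows:
        print(f"{name:16} {mgmt:18} {note}")
    print("not using customer-managed keys:", violations)
```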
Figure 6.12 shows how you can add your own keys to handle encryption.

FIGURE 6.12 Setting up customer-managed keys
As shown in Figure 6.12, you need to select an existing key vault or create a new key vault and a key to save the configuration. With that, we will move on to the next topic of discussion, Azure Files and File Sync.
Azure Files and File Sync
When we were discussing the storage service, we went through a quick introduction to Azure Files. You know that Azure Blob can be used to store unstructured data like your videos, binaries, text files, etc. However, you can also save these kinds of files in Azure Files. Since both of them can store these file types, let’s quickly compare the two options before we take a deep dive into Azure Files.
Azure Files vs. Azure Blobs
As both services support unstructured file storage, sometimes it’s difficult to decide when to use Azure Blobs and when to use Azure Files. Let’s take a minute to review the following points to understand the difference between Azure Files and Azure Blobs.
Azure Files This is ideal for applications that use system APIs to share data between servers. It is also a good fit when you want to store debugging and crash dumps that need to be accessed from multiple virtual machines.
Azure Blobs This is ideal for video streaming scenarios. It’s a good choice for rendering images in static websites. It also fits when you want to access the data from anywhere.
From the aforementioned points, you can understand that though they support the storage of similar data types, the scenarios they are used in are different. Other key differences include the following:
- Azure Blobs uses a flat namespace that includes containers and objects. Azure Files uses directory objects as you have seen with our traditional file shares.
- Azure Blobs is accessed via containers, and Azure Files is accessed through file shares.
- Azure Blobs is accessed via an HTTP/HTTPS connection, and Azure Files is accessed via the SMB protocol when mounted to a virtual machine. NFS for Azure Files is also available and is in preview.
- Azure Blobs doesn’t need to be mounted and can be accessed directly from any client that supports HTTP calls. Azure Files needs to be mounted to virtual machines before working with the data. On a side note, you can still manage the files in Azure Files via tools like the Azure portal and Azure Storage Explorer without the need to mount it.
Well, it’s time to see how you can manage the file shares in Azure.