问题
I have premium storage account for which I enabled Encryption just after creating this and I found this link https://docs.microsoft.com/en-us/azure/storage/storage-service-encryption to check whether blob are encrypted or not.
Now if I encrypt OS disk and data disk using Azure key vault which is also used to protect data at rest but encrypted storage account also does same thing. Could any one explain what difference among these two. I know about keys, secrets etc. so I don't want this diff.
回答1:
They are different levels of service. You can use encryption for the data in transit or for the data written to Azure Storage using SSE. You can keep your sensitive storage access keys in Azure Key Vault.
Azure Key Vault is an Azure service to help you encrypt and keep keys and secrets, including storage account keys, data encryption keys, .PXF files, etc. It’s a great way to maintain keys and grant permissions to these keys in minutes.
From an Azure Storage Security perspective, you can put your storage account keys into Azure Key Vault and service them from here to your clients and applications. That will help your applications retrieve access keys directly from Vault. When you regenerate your primary or secondary storage key in Vault, applications will retrieve updated keys without redeploying them. Please refer to What is Azure Key Vault?.
Storage Service Encryption (SSE) allows you to request that the storage service automatically encrypt the data when writing it to Azure Storage. When you read the data from Azure Storage, it will be decrypted by the storage service before being returned. This enables you to secure your data without having to modify code or add code to any applications. Now, keys are managed by Microsoft, you could not use your keys and manage keys.SSE only supports ARM mode storage account. You can check Azure storage security guide here. Many encryption technology is optional, make appropriate choice based on your organizations compliance needs.
来源:https://stackoverflow.com/questions/43440714/azure-key-vault-vs-storage-encryption