Storage accounts should have infrastructure encryption
HIGH
Ensures storage accounts have infrastructure encryption (double encryption) enabled for enhanced data protection.
What does this mean?
Infrastructure encryption adds a second layer of encryption at the Azure infrastructure level, using a different encryption algorithm. This provides double encryption for storage data at rest.
Benefits of implementation
- Defense-in-depth with two independent encryption layers
- Protects against potential weaknesses in a single encryption algorithm
- Meets requirements for highly sensitive data
Drawbacks and considerations
- Can only be enabled at storage account creation time
- Cannot be added to existing storage accounts
- Minor performance overhead from double encryption
Implementation
Implementation guidance coming soon.
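As an added example (not code from this page or from Azure), the following audit checks storage account JSON for the `requireInfrastructureEncryption` flag and reports every account without it. It assumes input in the shape returned by `az storage account list`, with the raw ARM `properties.encryption` shape also accepted. The account and resource group names are constructed samples.

```python
import json

# Constructed sample in the shape of `az storage account list` output;
# account and resource group names are made up for illustration.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stfinanceprod", "resourceGroup": "rg-finance",
   "encryption": {"requireInfrastructureEncryption": true}},
  {"name": "stlogsdev", "resourceGroup": "rg-dev",
   "encryption": {"requireInfrastructureEncryption": null}},
  {"name": "stlegacy", "resourceGroup": "rg-legacy",
   "encryption": {"requireInfrastructureEncryption": false}},
  {"name": "starmexport", "resourceGroup": "rg-arm",
   "properties": {"encryption": {"requireInfrastructureEncryption": true}}}
]
""")

def infrastructure_encryption_enabled(account):
    """True only when the flag is explicitly true.

    Reads the flattened CLI shape first, then the raw ARM shape.
    A missing or null flag counts as disabled.
    """
    enc = account.get("encryption")
    if enc is None:
        enc = (account.get("properties") or {}).get("encryption")
    return isinstance(enc, dict) and enc.get("requireInfrastructureEncryption") is True

def audit(accounts):
    """Return one finding per account without infrastructure encryption."""
    findings = []
    for acct in accounts:
        if not infrastructure_encryption_enabled(acct):
            findings.append({
                "account": acct.get("name"),
                "resource_group": acct.get("resourceGroup"),
                # The setting cannot be added to an existing account,
                # so the only fix is a new account plus data migration.
                "remediation": "recreate with infrastructure encryption and migrate data",
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f['resource_group']}/{f['account']}: {f['remediation']}")
```

Because the flag is fixed at creation time, a finding here means planning a replacement account rather than toggling a setting.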
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Storage Security
- Azure Resource
- Frameworks: 1 frameworks
- Last updated: 2026-02-12