Encryption at Rest

Learn what encryption at rest is, how Cosmos DB uses it, and how to use custom encryption keys.

Introduction

Encryption is the process of encoding information, usually with a key, so that it is unreadable to anyone who does not possess the decryption key. Encryption at rest secures data while it sits in a storage device: if attackers gain access to the server storage, they cannot extract meaningful information from it.

Default behaviour

In Cosmos DB, there are two storage device types:

  • SSDs: These are used as the main storage.

  • HDDs: These are used for backups.

On both types, encryption is enabled by default at no extra cost. The primary encryption keys are called service-managed keys (SMKs) and are managed internally by Microsoft following the highest standards.

Note: We can’t disable encryption at rest.

Let’s briefly see what happens when we store a document:

  • We connect through a secure connection.

  • The document is parsed and indexed.

  • Both the document and the index are encrypted with the SMKs and then stored.

Customer-managed keys

We can add a second layer of encryption on top of the default by supplying our own customer-managed keys (CMKs). While we have no control over SMKs, we have full control over CMKs, which we must create, maintain, and store ourselves. The only supported store for CMKs is Azure Key Vault.

Remember: We have to specify the CMK when we create an account.

Creating a key

First, we must create a new Key Vault instance and enable purge protection, so that soft-deleted keys cannot be purged.
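The procedure the lesson starts here, carried through to a Cosmos DB account that uses the CMK, as an added Azure CLI example (not the lesson's own code): resource names in angle brackets and the Cosmos DB service principal's object id are placeholders, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the lesson. Names in angle brackets and the Cosmos DB
# service principal object id are placeholders to fill in.
# DRY_RUN=1 prints each az command instead of running it.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Vault with purge protection: soft delete alone still lets a soft-deleted
#    CMK be purged, which would make the account's data permanently unreadable.
create_vault() { # <vault> <resource-group> <location>
  run az keyvault create --name "$1" --resource-group "$2" --location "$3" \
    --enable-purge-protection true
}

# 2. The RSA key Cosmos DB will wrap its data-encryption keys with.
create_cmk() { # <vault> <key-name>
  run az keyvault key create --vault-name "$1" --name "$2" --kty RSA
}

# 3. Least privilege for the Cosmos DB principal: read, wrap and unwrap only,
#    never delete or purge. The object id is that of the Azure Cosmos DB
#    service principal in your tenant.
grant_cosmos_access() { # <vault> <principal-object-id>
  run az keyvault set-policy --name "$1" --object-id "$2" \
    --key-permissions get wrapKey unwrapKey
}

# 4. The account. The CMK can only be set at creation time; the key URI is
#    given without a version so that rotating the key in the vault is picked up.
create_account() { # <account> <resource-group> <vault> <key-name>
  run az cosmosdb create --name "$1" --resource-group "$2" \
    --key-uri "https://$3.vault.azure.net/keys/$4"
}

# 5. Post-check: confirm purge protection is really on before trusting the vault.
check_purge_protection() { # <vault>
  [ "$(az keyvault show --name "$1" --query properties.enablePurgeProtection -o tsv)" = "true" ]
}

provision() {
  create_vault "<vault>" "<resource-group>" "<location>"
  create_cmk "<vault>" cosmos-cmk
  grant_cosmos_access "<vault>" "<cosmos-principal-object-id>"
  create_account "<cosmos-account>" "<resource-group>" "<vault>" cosmos-cmk
}

if [ "${PROVISION:-0}" = "1" ]; then provision; fi
```

Run with `PROVISION=1` after filling in the placeholders, then call `check_purge_protection <vault>` to verify the setting took effect.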
