When storing data in a database, a key question for many organizations, especially when that data is held by a public cloud provider such as Azure, is: How safe is my data?
Using encryption is a great way to protect data. Encryption protects your data in the event of other protection measures—such as networks, firewalls, or authentication controls—being circumvented. If a hacker were able to bypass other controls, they would not be able to read any encrypted data without the key used to encrypt it.
There are multiple areas where encryption can be used, including the following:
- Encryption in transit
- Encryption at rest
- Encryption in use
First, we will consider in-transit protection.
Encryption in transit
Encrypting data in transit means ensuring that when moving data from point A to point B, any interception of that traffic would not yield anything useful.
Azure SQL Database and Azure SQL Managed Instance both enforce the use of encrypted traffic when connecting to them from a client application. With an on-premises database, you would have to specifically configure this on the server and then configure your applications to use Encrypt=True in the connection string.
With Azure SQL, all this is done for you, and the Encrypt setting in the connection string is ignored—it is encrypted regardless of what this is set to.
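As an added example (not code from the original article), the following Python linter applies the rule above to connection strings: it parses the standard SqlClient key/value syntax (quoted values may contain ';'), flags on-premises strings that lack Encrypt=True, and skips that check for Azure SQL hosts, where the setting is ignored. It also flags TrustServerCertificate=True, a keyword the article does not mention, because it turns off server certificate validation; the keyword names are the standard ADO.NET ones and the sample strings are constructed.

```python
import re

# Values SqlClient treats as "require an encrypted channel"; "mandatory"
# and "strict" are accepted by newer Microsoft.Data.SqlClient releases.
_ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}
_TRUTHY = {"true", "yes"}

# One 'Key=Value' pair; the value may be quoted or braced so it can hold ';'.
_PAIR = re.compile(
    r"\s*([^=;]+?)\s*=\s*(\"[^\"]*\"|'[^']*'|\{[^}]*\}|[^;]*)\s*(?:;|$)"
)

def parse_connection_string(conn):
    """Return the pairs as a dict with lower-cased (case-insensitive) keys."""
    settings = {}
    for key, value in _PAIR.findall(conn):
        if value and value[0] in "\"'{":
            value = value[1:-1]  # strip the delimiters, keep any inner ';'
        settings[key.lower()] = value.strip()
    return settings

def audit_connection_string(conn):
    """Return findings; an empty list means the channel is encrypted and authenticated."""
    s = parse_connection_string(conn)
    host = (s.get("data source") or s.get("server") or "").lower()
    findings = []
    # Azure SQL enforces encryption server-side, so Encrypt is irrelevant there;
    # on-premises it must be set explicitly (older SqlClient defaults it to false).
    if ".database.windows.net" not in host:
        if s.get("encrypt", "false").lower() not in _ENCRYPT_ON:
            findings.append("Encrypt is not enabled: on-premises traffic may be sent in clear")
    if s.get("trustservercertificate", "false").lower() in _TRUTHY:
        findings.append("TrustServerCertificate is enabled: the server certificate is not "
                        "validated, so the encrypted channel is not authenticated")
    return findings

if __name__ == "__main__":
    # Constructed sample strings for demonstration only.
    samples = [
        "Server=sqlprod01;Database=Orders;User ID=app;Password='p;w';Encrypt=True;",
        "Server=sqlprod01;Database=Orders;Integrated Security=True",
        "Server=tcp:contoso.database.windows.net,1433;Database=Orders;Encrypt=False",
        "Server=sqlprod01;Encrypt=yes;TrustServerCertificate=True",
    ]
    for conn in samples:
        print(conn, "->", audit_connection_string(conn) or ["OK"])
```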
Similarly, connections to Cosmos DB are also encrypted. However, communications to Cosmos DB are performed using the HyperText Transfer Protocol Secure (HTTPS) protocol, and—again—your Cosmos DB always has a certificate installed and configured.
Once your communications are secured, we must consider how to protect the data while stored on disk.
Encryption at rest
All storage in Azure is encrypted at rest. This means that any data you write to a storage account is automatically encrypted using an Azure managed key.
Azure SQL Database and Azure SQL Managed Instance use Transparent Data Encryption (TDE). This means that the data on the disk is encrypted without you having to configure anything, and it is invisible to your applications—in other words, your developers do not need to do anything to ensure data is encrypted or decrypted.
TDE protects your data in the unlikely event that a physical disk is stolen from an Azure data center. The keys used to manage the encryption are automatically rotated periodically for additional protection. For organizations that require more direct control over the encryption keys, there is also the option to use customer-managed keys (CMK). With CMK, you can store the keys used to perform the encryption in an Azure Key Vault; this ensures that nobody else, including Microsoft, has sight of, or can access, those keys.
Finally, we can employ application-level encryption.