Commit 485e867

Merge pull request #299323 from b-ahibbard/cli-encryption
Cli encryption
2 parents ab5c26b + 0660eb3 commit 485e867

1 file changed

+4
-3
lines changed

articles/azure-netapp-files/double-encryption-at-rest.md

Lines changed: 4 additions & 3 deletions
@@ -5,21 +5,21 @@ services: azure-netapp-files
55
author: b-hchen
66
ms.service: azure-netapp-files
77
ms.topic: concept-article
8-
ms.date: 09/05/2024
8+
ms.date: 05/05/2025
99
ms.author: anfdocs
1010
ms.custom: references_regions
1111
---
1212
# Azure NetApp Files double encryption at rest
1313

14-
By default, Azure NetApp Files capacity pools use single encryption at rest. When you [create a capacity pool](azure-netapp-files-set-up-capacity-pool.md#encryption_type), you have the option to use double encryption at rest for the volumes in the capacity pool. You can do so by selecting `double` as the **encryption type** for the capacity pool that you are creating.
14+
By default, Azure NetApp Files capacity pools use single encryption at rest. When you [create a capacity pool](azure-netapp-files-set-up-capacity-pool.md#encryption_type), you have the option to use double encryption at rest for the volumes in the capacity pool. You can do so by selecting `double` as the **encryption type** for the capacity pool that you're creating.
1515

1616
Critical data is often found in places such as financial institutions, military users, business customer data, government records, health care medical records, and so on. While single encryption at rest may be considered sufficient for some data, you should use double encryption at rest for data where a breach of confidentiality would be catastrophic. Leaks of information such as customer sensitive data, names, addresses, and government identification can result in extremely high liability, and it can be mitigated by having data confidentiality protected by double encryption at rest.
1717

1818
When data is transported over networks, additional encryption such as Transport Layer Security (TLS) can help to protect the transit of data. But once the data has arrived, protection of that data at rest helps to address the vulnerability. Using Azure NetApp Files double encryption at rest complements the security that’s inherent with the physically secure cloud storage in Azure data centers.
1919

2020
Azure NetApp Files double encryption at rest provides two levels of encryption protection: both a hardware-based encryption layer (encrypted SSD drives) and a software-encryption layer. The hardware-based encryption layer resides at the physical storage level, using FIPS 140-2 certified drives. The software-based encryption layer is at the volume level completing the second level of encryption protection.
2121

22-
If you are using this feature for the first time, you need to create a double-encryption capacity pool. For details, see [Create a capacity pool for Azure NetApp Files](azure-netapp-files-set-up-capacity-pool.md).
22+
If you're using this feature for the first time, you need to create a double-encryption capacity pool. For details, see [Create a capacity pool for Azure NetApp Files](azure-netapp-files-set-up-capacity-pool.md).
2323

2424
When you create a volume in a double-encryption capacity pool, the default key management (the **Encryption key source** field) is `Microsoft Managed Key`, and the other choice is `Customer Managed Key`. Using customer-managed keys requires additional preparation of an Azure Key Vault and other details. For more information about using volume encryption with customer managed keys, see [Configure customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md).
2525
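Review bot: The intro paragraph at new line 14 and the first-time-use paragraph at new line 22 still describe enabling double encryption only as selecting `double` as the **encryption type** and linking to the capacity pool article, while this same commit adds CLI guidance further down in the considerations list. Consider mentioning the `--encryption-type` option here, or pointing to it, so both ways of enabling double encryption are described in one place. The other edits in this hunk (the two contractions and the `ms.date` change to 05/05/2025) look fine.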

@@ -77,6 +77,7 @@ Azure NetApp Files double encryption at rest is supported for the following regi
7777
* You can't convert volumes in a single-encryption capacity pool to use double encryption at rest. However, you can copy data in a single-encryption volume to a volume created in a capacity pool that is configured with double encryption.
7878
* For capacity pools created with double encryption at rest, volume names in the capacity pool are visible only to volume owners for maximum security.
7979
* Using double encryption at rest might have performance impacts based on the workload type and frequency. The performance impact can be a minimal 1-2%, depending on the workload profile.
80+
* When [creating](/cli/azure/netappfiles/pool#az-netappfiles-pool-create) or [updating](/cli/azure/netappfiles/pool#az-netappfiles-pool-update) a capacity pool with the CLI, set the `--encryption-type` to `double` to enable double encryption.
8081

8182
## Next steps
8283
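Review bot: The added bullet at new line 80 says that updating a capacity pool with `--encryption-type` set to `double` enables double encryption, which reads as contradicting the first bullet of this list at line 77 ("You can't convert volumes in a single-encryption capacity pool to use double encryption at rest"). State explicitly what an update does to an existing single-encryption pool and its volumes, or limit the bullet to pool creation if the type can't be changed afterwards. Two smaller points: drop the article so it reads "set `--encryption-type` to `double`", and because this is a how-to step rather than a limitation, it may fit better beside the paragraph about creating a double-encryption capacity pool.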
