Which mode of operation is being used with AES-256?
@menewol Thanks for your feedback! We will investigate and update as appropriate.
@menewol Can you clarify your question a bit more?
Data is encrypted on Azure's end, and the encryption & decryption process is done by Azure when you retrieve or store data. It can be used with all current storage account types.
Dear Travis,
Of course I can clarify!!!
As we all know, AES is a symmetric block cipher that supports different key lengths (128/192/256 bit). We also know the block size will never change, regardless of the key length (AES always uses 128-bit blocks).
Nonetheless, to encrypt the blocks in AES, we won't use ECB mode (as you will know, we won't use this because of different security concerns).
So, studying your documentation, I cannot figure out which "mode of operation" (that's the actual cryptographic term!!!!!) is being used with AES-256.
It would be very interesting to put a little more external research on this (just to clarify that YOU DO NOT USE ECB MODE WITH AES!!!! [I AM REALLY HOPING YOU DON'T!!!!!])
(I don't know much about cryptography! Yet, modes of operation are somewhat understandable :) )
Best regards,
Wolfgang
Hoping this was clear enough :P
Sorry for any improper spellings, as my native language is not English.
Best regards,
Wolfgang
@menewol Azure handles 100% of encryption at rest, it is not something that you do yourself, nor can you configure how it is encrypted.
Are you adding another custom layer of encryption in addition to our default Encryption At Rest?
Dear Travis,
I just want to know which mode of operation is being used in Azure SSE.
I am not adding any additional layer of encryption!
Which mode of operation are you using @Microsoft for Azure SSE?
This piece of information is part of public interest!
Best Regards,
Wolfgang
PS: If you want to know more about "modes of operation" you might want to look up:
https://en.m.wikipedia.org/wiki/Block_cipher_mode_of_operation
@menewol It is possible that we do not publicly state that information, but I will find what answer I can.
I will post any updates as soon as I am able.
Dear Travis,
I would be very pleased to get further information regarding the use of operational modes in combination with AES-256!
I cannot understand why @Microsoft is "publicly disclosing" the algorithm being used - but isn't willing to, additionally, disclose the mode of operation.
There are plenty of attacks on different modes of operation regarding AES in general.
I just want to make sure you don't use a mode of operation which allows easy decryption without the correlating key! (Or some effort lower than the provided security by AES-256 & used mode of operation)
Please don't tell me @Microsoft does 'security by obscurity'!!!
Further on, thank you very much for your effort!
Please don't let me & the public crowd reading this down by not disclosing any further important cryptographic information!
Best Regards,
Wolfgang
@menewol I am still following up to get an exact answer to your question, and I hope to have some information for you soon.
Dear Travis,
Thank you very much for your effort!
The public & I will be glad to get this information!
Awaiting your response!
Best Regards,
menewol
Dear Travis,
I'm still waiting for a response. Hoping you didn't forget about this issue!
The public should know about this!
Best regards,
Menewol
@menewol I have not forgotten about this, and I am doing what I can. Getting an official response to things like this can be time consuming.
Dear Travis,
Thank you for your quick response, as well as your effort!
I'm really looking forward to some reliable cryptographic information :D
I guess we'll wait another 15 days to get some basic information regarding the crypto being used @MS Azure SSE :P
Best regards,
menewol
@TravisCragg-MSFT, @Adam-Smith-MSFT , @lakasa
Are you guys all fine? Haven't heard from you in a long time! I hope you are doing good!!! :O
Can I still expect any answers regarding my question?
@menewol Just for clarification, have you referred to the suggestions mentioned in these links?
https://pdfs.semanticscholar.org/8822/66e916ec18ea7022bfa149954a29593f7490.pdf
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Hi, @menewol. This is answered in the Azure Disk Encryption (ADE) FAQ - What encryption method does Azure Disk Encryption use?: "On Windows, ADE uses the BitLocker AES256 encryption method (AES256WithDiffuser on versions prior to Windows Server 2012). On Linux, ADE uses the decrypt default of aes-xts-plain64 with a 256-bit volume master key." Thanks! #please-close
@menewol: Actually, this is more relevant to your specific question about storage: Client-Side Encryption ... for Microsoft Azure Storage - Encryption Mechanism. "The storage client library uses AES in order to encrypt user data. Specifically, Cipher Block Chaining (CBC) mode with AES."