Hello, it appears that the Durable Functions table storage (i.e., History) contains JSON-serialized inputs/outputs passed to/from durable orchestrations and activities. If durable functions handle "sensitive" values, are there any provisions for encrypting the stored data, so that only the Azure function app can read the data? Or is this something that needs to be controlled through storage permissions alone, such that nobody except for the function app's identity has permission to access the storage?
Hi @featuresnap,
Take a look at the Azure Storage encryption for data at rest docs. Hopefully it clarifies your questions about Azure Storage encryption options.
Thanks!
Thanks @CarlosSardo for this information. Would this protect Azure Function history contents from being viewed in plaintext in the Azure Portal or via Storage Explorer?
You'd still be able to view the contents in plain text, as long as you have normal access to the storage account.
As far as I'm aware, there's no built-in option in the underlying serializer (used by Durable Functions) to encrypt parameter data before being persisted in storage.
Thanks @CarlosSardo, makes sense. Our MS rep also confirmed that it would be best to focus on strong controls around access to storage accounts used by durable functions, and possibly supplement with custom message-level encryption if additional risk mitigation is needed.
I'm leaving this issue open since it is a common question.
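One way to do the custom message-level encryption mentioned in this thread, as an added example that is not code from the Durable Functions project or from any participant: the payload is sealed with AES-256-GCM before it is handed to an orchestration or activity, so the History table only ever holds the envelope. It uses Node's built-in `crypto` module; the names `sealPayload`, `openPayload` and `demo`, the context string format and the in-process key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const VERSION = 1; // envelope format version (hypothetical)

// Encrypt any JSON-serializable value with AES-256-GCM.
// `context` (e.g. instance ID + activity name) is bound as AAD, so an
// envelope copied into another instance's history fails to decrypt.
function sealPayload(key, value, context) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(value), 'utf8'),
    cipher.final(),
  ]);
  // Plain JSON object: the framework's serializer stores it unchanged.
  return {
    v: VERSION,
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt and authenticate; throws on a tampered envelope, a wrong key
// or a wrong context.
function openPayload(key, envelope, context) {
  if (!envelope || envelope.v !== VERSION) throw new Error('unsupported envelope');
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(envelope.iv, 'base64'),
    { authTagLength: 16 }); // reject truncated tags
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(envelope.ct, 'base64')),
    decipher.final(), // throws if authentication fails
  ]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed demo. Assumption: a real app loads the key from a secret
// store readable only by the function app's identity.
function demo() {
  const key = crypto.randomBytes(32);
  const context = 'instance-0001/ChargeCard'; // constructed sample value
  const stored = JSON.stringify(sealPayload(key, { pan: '4111111111111111' }, context));
  return { stored, restored: openPayload(key, JSON.parse(stored), context) };
}
```

Anyone with read access to the storage account still sees the envelope rows, but not the values inside them; the protection is only as strong as the controls on the key.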