Tags: azure, powershell, encryption, azure-devops, azure-storage-account

How to get Azure storage account Infrastructure encryption status in powershell


I am trying to check the Infrastructure encryption status via PowerShell. Here is the screenshot: [image: Encryption]

I referenced this doc (https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal) and tried the script below, but didn't get any result.

    $account = Get-AzStorageAccount -ResourceGroupName <resource-group> `
        -StorageAccountName <storage-account>
    $account.Encryption.RequireInfrastructureEncryption

Is there a way to see if the Infrastructure encryption is enabled or disabled?

Thank you


Solution

  • From those docs, there are two kinds of encryption levels for Azure storage accounts: at the service level and at the infrastructure level. By default, Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption; customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level.

    To doubly encrypt your data, you must first create a storage account that is configured for infrastructure encryption.

    In this case, if you have not enabled the infrastructure encryption, you could see the "requireInfrastructureEncryption": null with Azure CLI.

    az storage account show --name <storage-account> --resource-group <resource-group>
    


    To verify that infrastructure encryption is enabled, you could register to use infrastructure encryption,

    Register-AzProviderFeature -ProviderNamespace Microsoft.Storage `
        -FeatureName AllowRequireInfraStructureEncryption
    

    Create an account with infrastructure encryption enabled,

    New-AzStorageAccount -ResourceGroupName <resource_group> `
        -AccountName <storage-account> `
        -Location <location> `
        -SkuName "Standard_RAGRS" `
        -Kind StorageV2 `
        -RequireInfrastructureEncryption
    

    Then you can verify that infrastructure encryption is enabled with the PowerShell script.

    $account = Get-AzStorageAccount -ResourceGroupName <resource-group> `
        -StorageAccountName <storage-account>
    $account.Encryption.RequireInfrastructureEncryption
    

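The check above works for one account, but in practice you want to audit every storage account in a subscription and make the `$null` case explicit, since an account that was never created with infrastructure encryption reports `$null` rather than `$false`. The following is an added example, not code from the question or the answer; it assumes the Az.Storage module is installed and `Connect-AzAccount` has already been run, and the function name `Get-InfraEncryptionReport` is my own.

```powershell
# Added example: audit infrastructure (double) encryption across storage accounts.
# Assumes Az.Storage is installed and you are signed in with Connect-AzAccount.
function Get-InfraEncryptionReport {
    [CmdletBinding()]
    param(
        # Optional: restrict the audit to one resource group; otherwise the whole subscription.
        [string]$ResourceGroupName
    )

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        # With no parameters, Get-AzStorageAccount returns every account in the current subscription.
        Get-AzStorageAccount
    }

    foreach ($acct in $accounts) {
        # RequireInfrastructureEncryption is $true only on accounts created with
        # -RequireInfrastructureEncryption. On other accounts it is $null, so a bare
        # "if ($flag)" would hide the difference between "disabled" and "never set".
        $flag = $acct.Encryption.RequireInfrastructureEncryption
        $status = if ($flag -eq $true) { 'Enabled' }
                  elseif ($null -eq $flag) { 'Disabled (not set)' }
                  else { 'Disabled' }

        [pscustomobject]@{
            ResourceGroup   = $acct.ResourceGroupName
            StorageAccount  = $acct.StorageAccountName
            InfraEncryption = $status
            DoubleEncrypted = ($flag -eq $true)
        }
    }
}

# Usage: list the accounts that are NOT doubly encrypted. Infrastructure encryption
# can only be chosen when the account is created, so each of these needs a new
# account created with -RequireInfrastructureEncryption and a data migration.
Get-InfraEncryptionReport |
    Where-Object { -not $_.DoubleEncrypted } |
    Format-Table -AutoSize
```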