Security | Medium | Rare | AZF-0035

Storage infrastructure encryption silently drops your second at-rest layer

Infrastructure (double) encryption adds a second at-rest layer under the standard one. It can only be set at account creation, so once it's off, it stays off.

Footgun ID: AZF-0035 (Azure Footgun No. 35)
Azure service: Azure Storage
Resource type: Microsoft.Storage/storageAccounts
Updated: July 1, 2026

What it is

Azure Storage encrypts data at rest by default. Infrastructure encryption adds a second, independent encryption layer beneath that default one, so data is encrypted twice with separate keys. When requireInfrastructureEncryption is false, the account has only the single default layer and the defense-in-depth benefit is gone.

Impact (security)
Removes the second, independent at-rest encryption layer — defense-in-depth is gone
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Infrastructure encryption is off by default and can only be enabled when the storage account is created. There is no toggle to turn it on later, so an account provisioned without it never gets the second layer unless someone recreates the account.

Because the default single layer already reports the account as "encrypted," dashboards and quick reviews show a green check and nobody notices the second layer was never there. The control can also end up false through drift, when an account is re-templated from a definition that omits the property, and Azure treats that as a perfectly valid configuration.

What it costs / blast radius

There is no direct dollar cost — infrastructure encryption is free. The blast radius is a reduced defense-in-depth posture: a single flaw in the default encryption layer (an implementation bug, a key-management mistake) is no longer backstopped by an independent second layer. (Azure behavior; authored assessment.) For workloads under regulatory or contractual double-encryption requirements, the account is simply non-compliant, and because the setting is creation-time only, fixing it means migrating data to a new account.

See it

Footgun: account created without the second encryption layer
param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // requireInfrastructureEncryption omitted -> defaults to false
    // single default at-rest layer only
  }
}
Fix: require infrastructure encryption at creation (it cannot be added later)
param location string = resourceGroup().location

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata001'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    encryption: {
      requireInfrastructureEncryption: true   // second, independent at-rest layer
      services: {
        blob: { enabled: true }
        file: { enabled: true }
      }
    }
  }
}
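The Bicep above shows how the setting is written; the audit side is the part a reviewer actually needs, because the property is invisible on a dashboard that only says "encrypted" and, as noted under Why it happens, it can also be absent from an account that was re-templated without it. The following script is an added example (not code from the footgun database or from StratoLens) that evaluates storage-account resource JSON of the shape `az storage account list -o json` returns (assumed) and reports every account whose `properties.encryption.requireInfrastructureEncryption` is absent or false. The sample records and subscription ids are constructed for the example, and the Resource Graph query at the end assumes the same property path is exposed there.

```python
"""Audit storage-account resource JSON for the missing second at-rest layer.

Input shape: ARM resource JSON as returned by `az storage account list`
(assumed). The records below are constructed for this example.
"""
import json
from typing import List, Optional

# Constructed sample records shaped like Microsoft.Storage/storageAccounts
# resource JSON; only the fields the audit reads are present. The
# subscription ids are placeholders, not real tenants.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "corpdata001",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/corpdata001",
   "properties": {"encryption": {"keySource": "Microsoft.Storage",
                                 "services": {"blob": {"enabled": true}}}}},
  {"name": "corpdata002",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/corpdata002",
   "properties": {"encryption": {"requireInfrastructureEncryption": false}}},
  {"name": "corpdata003",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/corpdata003",
   "properties": {"encryption": {"requireInfrastructureEncryption": true}}},
  {"name": "legacy000",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-old/providers/Microsoft.Storage/storageAccounts/legacy000",
   "properties": {}}
]
"""

# Tenant-wide equivalent for Azure Resource Graph (assumed schema; the
# property path matches the ARM JSON above). Run with:
#   az graph query -q "$QUERY"
RESOURCE_GRAPH_QUERY = """
resources
| where type =~ 'microsoft.storage/storageaccounts'
| extend infra = tobool(properties.encryption.requireInfrastructureEncryption)
| where isnull(infra) or infra == false
| project name, subscriptionId, resourceGroup, infra
""".strip()


def load_sample_accounts() -> List[dict]:
    """Parse the constructed sample records."""
    return json.loads(SAMPLE_ACCOUNTS_JSON)


def subscription_id(resource_id: str) -> str:
    """Extract the subscription GUID from an ARM resource id, or '' if absent."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1]
    return ""


def infra_encryption_state(account: dict) -> Optional[bool]:
    """True/False for an explicit setting; None when the property is absent.

    Absence matters: ARM defaults the value to false, and a template that
    omits it produces exactly this shape, so None is treated as a finding.
    """
    encryption = (account.get("properties") or {}).get("encryption") or {}
    value = encryption.get("requireInfrastructureEncryption")
    if value is None:
        return None
    return bool(value)


def audit_accounts(accounts: List[dict]) -> List[dict]:
    """Return one finding per account lacking the second at-rest layer."""
    findings = []
    for account in accounts:
        state = infra_encryption_state(account)
        if state is True:
            continue
        findings.append({
            "name": account.get("name", ""),
            "subscription": subscription_id(account.get("id", "")),
            "reason": ("property absent (defaults to false)"
                       if state is None else "explicitly false"),
            # The setting is creation-time only, so there is no in-place fix.
            "remediation": ("migrate data to a new account created with "
                            "requireInfrastructureEncryption: true"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(load_sample_accounts()):
        print(f"{finding['subscription']}  {finding['name']:<12} "
              f"{finding['reason']}  ->  {finding['remediation']}")
```

Against a real tenant, pipe `az storage account list -o json` into `json.load` and hand the list to `audit_accounts`; the absent-property branch is the one that catches accounts re-templated from a definition that never mentioned the setting, which an "is it false?" check would miss if it only compared against an explicit value.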

How StratoLens helps

StratoLens flags storage accounts running without infrastructure encryption and tracks the setting across every subscription in your tenant, so an account that was provisioned single-layered doesn't quietly pass a compliance review. Because the control is creation-time only, catching it early is the whole game, and the check runs continuously without anyone remembering to look.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.