This repository has been archived by the owner on Aug 1, 2024. It is now read-only.

Questions regarding Infrastructure encryption #1079

Open
asgoe opened this issue Dec 28, 2022 · 0 comments
Comments

asgoe commented Dec 28, 2022

Which service (blob, file, queue, table) does this issue concern?

Blob

Which version of the SDK was used?

12.13.1

Which platform are you using? (ex: .NET Core 2.1)

.NET Core 3.0

What problem was encountered?

I am from the Intune team under Management and Security. During our security review, a few questions came up regarding the encryption provided by Azure Storage. The link below mentions:
"Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption.

To enable infrastructure encryption for a storage account, you must configure a storage account to use infrastructure encryption at the time that you create the account. Infrastructure encryption cannot be enabled or disabled after the account has been created. The storage account must be of type general-purpose v2 or premium block blob."

[Question] In the above, can you provide more information on the below questions?

  • Are these two instances of the same algorithm (at service layer and infrastructure layer) OR are they two different algorithms?
  • If there is some kind of security breach, are the two keys kept in the separate locations?
  • If the account keys are compromised, would infrastructure encryption be able to provide any protection?
  • In what kind of scenarios does the additional encryption help and protect the customer data? It is not clear from the article where this will be helpful.

https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal

How can we reproduce the problem in the simplest way?

No problem to reproduce

Have you found a mitigation/solution?

N/A
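As an added example (not part of this issue, the SDK, or the linked documentation): a small audit over the JSON that `az storage account list -o json` emits, flagging accounts that lack the infrastructure-encryption setting the quoted documentation says can only be set at creation time. The field names (`kind`, `encryption.requireInfrastructureEncryption`, `encryption.keySource`) and the set of kinds that support the feature are assumptions drawn from the Azure CLI output format and the quoted text; the sample data is constructed.

```python
import json

# Kinds the quoted documentation says support infrastructure encryption:
# general-purpose v2 and premium block blob (assumption from that text).
INFRA_ENCRYPTION_KINDS = {"StorageV2", "BlockBlobStorage"}


def audit_infra_encryption(accounts):
    """Classify storage accounts by infrastructure-encryption status.

    `accounts` is a list of dicts shaped like `az storage account list`
    output (assumed fields: name, kind, encryption.requireInfrastructureEncryption).
    Returns a dict of account-name lists:
      ok          - infrastructure (double) encryption is on
      recreate    - kind supports it but it is off; since the setting cannot
                    be toggled after creation, the account must be recreated
      unsupported - kind cannot use infrastructure encryption at all
    """
    report = {"ok": [], "recreate": [], "unsupported": []}
    for acct in accounts:
        enc = acct.get("encryption") or {}
        # Older accounts may omit the field entirely; treat missing as off.
        infra_on = bool(enc.get("requireInfrastructureEncryption"))
        if infra_on:
            report["ok"].append(acct["name"])
        elif acct.get("kind") in INFRA_ENCRYPTION_KINDS:
            report["recreate"].append(acct["name"])
        else:
            report["unsupported"].append(acct["name"])
    return report


# Constructed sample resembling CLI output; not real tenant data.
SAMPLE_JSON = """[
  {"name": "intunelogs01", "kind": "StorageV2",
   "encryption": {"keySource": "Microsoft.Storage",
                  "requireInfrastructureEncryption": true}},
  {"name": "legacyblobs", "kind": "StorageV2",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "requireInfrastructureEncryption": false}},
  {"name": "oldgpv1", "kind": "Storage",
   "encryption": {"keySource": "Microsoft.Storage"}}
]"""


def audit_sample():
    return audit_infra_encryption(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    for bucket, names in audit_sample().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Accounts listed under `recreate` are the actionable finding: the setting cannot be enabled in place, so remediation is a new account with the flag set plus a data migration.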
