{"id":33077,"date":"2017-08-21T04:45:25","date_gmt":"2017-08-21T08:45:25","guid":{"rendered":"http:\/\/www.opensource.im\/uncategorized\/data-encryption-in-onedrive-for-business-and-sharepoint-online.php"},"modified":"2017-08-21T04:45:25","modified_gmt":"2017-08-21T08:45:25","slug":"data-encryption-in-onedrive-for-business-and-sharepoint-online","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/encryption\/data-encryption-in-onedrive-for-business-and-sharepoint-online.php","title":{"rendered":"Data Encryption in OneDrive for Business and SharePoint Online"},"content":{"rendered":"<p><p>    This documentation is archived and is not being maintained.  <\/p>\n<p>            We are in the process of combining the            SharePoint Server 2013 and SharePoint Server 2016            content into a single content set. We appreciate your            patience while we reorganize things. See the Applies To            tag at the top of each article to find out which            version of SharePoint an article applies to.          <\/p>\n<p>            Applies to: OneDrive for Business,            SharePoint Online          <\/p>\n<p>            Topic Last Modified:            2017-07-31          <\/p>\n<p>            Summary: Learn how encryption of data            security works in OneDrive for Business and SharePoint            Online.          <\/p>\n<p>            Understand the basic elements of encryption for data            security in OneDrive for Business and SharePoint            Online.          <\/p>\n<p>                Office 365 is a highly secure environment that                offers extensive protection in multiple layers:                physical data center security, network security,                access security, application security, and data                security. This article specifically focuses on the                in-transit and at-rest encryption side of data                security for OneDrive for Business and SharePoint                Online.              <\/p>\n<p>                For a description of Office 365 security as a                whole, see Security                in Office 365 White Paper.              <\/p>\n<p>                Watch how data encryption works in the following                video.              <\/p>\n<p>                In OneDrive for Business and SharePoint Online,                there are two scenarios in which data enters and                exits the datacenters.              <\/p>\n<p>                    Client communication with the                    server Communication to OneDrive for                    Business across the Internet uses SSL\/TLS                    connections. All SSL connections are                    established using 2048-bit keys.                  <\/p>\n<p>                    Data movement between                    datacenters The primary reason to move                    data between datacenters is for geo-replication                    to enable disaster recovery. For instance, SQL                    Server transaction logs and blob storage deltas                    travel along this pipe. While this data is                    already transmitted by using a private network,                    it is further protected with best-in-class                    encryption.                  <\/p>\n<p>                Encryption at rest includes two components:                BitLocker disk-level encryption and per-file                encryption of customer content.              <\/p>\n<p>                BitLocker is deployed for OneDrive for Business and                SharePoint Online across the service. Per-file                encryption is also deployed in OneDrive for                Business and SharePoint Online in Office 365                multi-tenant and new dedicated environments that                are built on multi-tenant technology.              <\/p>\n<p>                While BitLocker encrypts all data on a disk,                per-file encryption goes even further by including                a unique encryption key for each file. Further,                every update to every file is encrypted using its                own encryption key. Before theyre stored, the keys                to the encrypted content are stored in a physically                separate location from the content. Every step of                this encryption uses Advanced Encryption Standard                (AES) with 256-bit keys and is Federal Information                Processing Standard (FIPS) 140-2 compliant. The                encrypted content is distributed across a number of                containers throughout the datacenter, and each                container has unique credentials. These credentials                are stored in a separate physical location from                either the content or the content keys.              <\/p>\n<p>                For additional information about FIPS 140-2                compliance, see FIPS                140-2 Compliance, and for AES with 256 bit see,                Keep                Your Data Secure with the New Advanced Encryption                Standard.              <\/p>\n<p>                File-level encryption at rest takes advantage of                blob storage to provide for virtually unlimited                storage growth and to enable unprecedented                protection. All customer content in OneDrive for                Business and SharePoint Online will be migrated to                blob storage. Heres how that data is secured:              <\/p>\n<p>                    All content is encrypted, potentially with                    multiple keys, and distributed across the                    datacenter. Each file to be stored is broken                    into one or more chunks, depending its size.                    Then, each chunk is encrypted using its own                    unique key. Updates are handled similarly: the                    set of changes, or deltas, submitted by a user                    is broken into chunks, and each is encrypted                    with its own key.                  <\/p>\n<p>                    All of these chunksfiles, pieces of files, and                    update deltasare stored as blobs in our blob                    store. They also are randomly distributed                    across multiple blob containers.                  <\/p>\n<p>                    The map used to re-assemble the file from its                    components is stored in the Content Database.                  <\/p>\n<p>                    Each blob container has its own unique                    credentials per access type (read, write,                    enumerate, and delete). Each set of credentials                    is held in the secure Key Store and is                    regularly refreshed.                  <\/p>\n<p>                In other words, there are three different types of                stores involved in per-file encryption at rest,                each with a distinct function:              <\/p>\n<p>                    Content is stored as encrypted blobs in the                    blob store. The key to each chunk of content is                    encrypted and stored separately in the content                    database. The content itself holds no clue as                    to how it can be decrypted.                  <\/p>\n<p>                    The Content Database is a SQL Server database.                    It holds the map required to locate and                    reassemble all of the content blobs held in the                    blob store as well as the keys needed to                    decrypt those blobs.                  <\/p>\n<p>                Each of these three storage componentsthe blob                store, the Content Database, and the Key Storeis                physically separate. The information held in any                one of the components is unusable on its own. This                provides an unprecedented level of security.                Without access to all three it is impossible to                retrieve the keys to the chunks, decrypt the keys                to make them usable, associate the keys with their                corresponding chunks, decrypt any chunk, or                reconstruct a document from its constituent chunks.              <\/p>\n<p><!-- Auto Generated --><\/p>\n<p>Follow this link:<br \/>\n<a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dn905447.aspx\" title=\"Data Encryption in OneDrive for Business and SharePoint Online\">Data Encryption in OneDrive for Business and SharePoint Online<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> This documentation is archived and is not being maintained. We are in the process of combining the SharePoint Server 2013 and SharePoint Server 2016 content into a single content set. We appreciate your patience while we reorganize things<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45],"tags":[],"class_list":["post-33077","post","type-post","status-publish","format-standard","hentry","category-encryption"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/33077"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=33077"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/33077\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=33077"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=33077"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=33077"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}