All Azure Storage services (Table storage, Queue storage, Blob storage, and Azure Files) support server-side encryption at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. Storage accounts are encrypted regardless of their performance tier (Standard or Premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. Some services additionally have support for customer-managed keys and client-side encryption.

• Server-side: By default, service-managed keys are used by all Azure Storage services to support server-side encryption. Azure Blob storage and Azure Files also support RSA 2048-bit customer-managed keys in Azure Key Vault.
• Client-side: Client-side encryption is supported by Azure Blobs, Tables, and Queues. When using client-side encryption, key management is done by the customer. They also encrypt the data and upload the data as an encrypted blob.