In OneDrive for Business and SharePoint Online, there are two scenarios in which data enters and exits the datacenters.

Client communication with the server
Communication to OneDrive for Business across the Internet uses SSL/TLS connections. All SSL connections are established using 2048-bit keys.

Data movement between datacenters
The primary reason to move data between datacenters is for geo-replication to enable disaster recovery. For instance, SQL Server transaction logs and blob storage deltas travel along this pipe. While this data is already transmitted by using a private network, it is further protected with best-in-class encryption.

Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of customer content.

BitLocker is deployed for OneDrive for Business and SharePoint Online across the service. Per-file encryption is also in OneDrive for Business and SharePoint Online in Microsoft 365 multi-tenant and new dedicated environments that are built on multi-tenant technology. While BitLocker encrypts all data on a disk, per-file encryption goes even further by including a unique encryption key for each file. Further, every update to every file is encrypted using its own encryption key. The keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across a number of containers throughout the datacenter, and each container has unique credentials.
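As an added illustration (not Microsoft's code, which the page does not show), the Go sketch below models the per-file, per-update key design described above: every version of a file is sealed under its own freshly generated AES-256 key, and the keys live in a store separate from the ciphertext, so the content store alone is unreadable. The file/version id scheme, the two map-backed stores and the choice of GCM mode are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Two maps stand in for the two physically separate locations: keyStore holds
// one fresh AES-256 key per (file, version), contentStore holds only ciphertext.
var keyStore, contentStore = map[string][]byte{}, map[string][]byte{}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PutVersion encrypts one update of a file under its own freshly generated key.
func PutVersion(file string, version int, plaintext []byte) error {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	id := fmt.Sprintf("%s#v%d", file, version) // assumed id scheme
	// The id is authenticated as associated data, tying each blob to its file and version.
	contentStore[id] = gcm.Seal(nonce, nonce, plaintext, []byte(id))
	keyStore[id] = key
	return nil
}

// GetVersion needs both stores: ciphertext whose key is absent stays unreadable.
func GetVersion(file string, version int) ([]byte, error) {
	id := fmt.Sprintf("%s#v%d", file, version)
	key, blob := keyStore[id], contentStore[id]
	gcm, err := newGCM(key) // a missing (nil) key fails here with an invalid key size
	if err != nil || len(blob) < 12 {
		return nil, fmt.Errorf("cannot open %s: key or content missing", id)
	}
	return gcm.Open(nil, blob[:12], blob[12:], []byte(id))
}
```

Deleting a version's key from keyStore leaves its ciphertext in contentStore but makes GetVersion fail, which is the property the separate key location is meant to give.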