Azure Storage Service Encryption (SSE) for Data at Rest is now available as part of the deployment of the ARM storage resource provider in Azure US Government regions
The official documentation for SSE states:
Azure Storage Service Encryption (SSE) for Data at Rest helps you protect and safeguard your data to meet your organizational security and compliance commitments. With this feature, Azure Storage automatically encrypts your data prior to persisting to storage and decrypts prior to retrieval. The encryption, decryption, and key management are totally transparent to users.
Once a storage account is enabled for SSE all new blob data written to the storage account will be encrypted with 256-bit AES encryption managed by Microsoft. Any existing blob data in the storage account will not be encrypted until some change occurs to the data which causes it to be written back to storage.
To get started with SSE in Azure US Government, you first need to create an ARM storage account and place it in a new or existing resource group. This can be accomplished with the New-AzureRMStorageAccount PowerShell command.
Enabling SSE on an ARM storage account is done with the Set-AzureRMStorageAccount PowerShell command, passing Blob as the value of the EnableEncryptionService parameter. For example, if you have a storage account named myencryptstorage in a resource group named storagerg, you would run the following PowerShell command to enable SSE:
Set-AzureRMStorageAccount -Name myencryptstorage -ResourceGroupName storagerg -EnableEncryptionService Blob
To verify that SSE is enabled on the storage account shown above, run the command shown below. A return value of true indicates that encryption is enabled on the storage account.
(Get-AzureRmStorageAccount -ResourceGroupName storagerg -Name myencryptstorage).Encryption.Services.Blob.Enabled
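The three steps above (create the ARM storage account, enable SSE, verify) pulled together into one script, with an audit pass at the end that lists any ARM storage account in the subscription whose Blob service is not yet covered by SSE. This is an added example written for this page, not code from the original post or from Microsoft's documentation. The resource group and account names come from the post; the "USGov Virginia" region, the Standard_LRS SKU, and the AzureRM.Storage 2.x parameter names (-SkuName, -Kind) are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): end-to-end SSE enablement and
# audit in Azure US Government using the AzureRM PowerShell module.
# Assumptions (not in the original post): the "USGov Virginia" region, the
# Standard_LRS SKU and the AzureRM.Storage 2.x parameter names (-SkuName,
# -Kind) are illustrative choices; adjust them for your subscription.

# Sign in against the US Government cloud rather than the public cloud endpoints.
Login-AzureRmAccount -EnvironmentName AzureUSGovernment

$rgName      = 'storagerg'          # resource group name from the post
$accountName = 'myencryptstorage'   # storage account name from the post
$location    = 'USGov Virginia'     # assumed US Government region

# Step 1: create (or reuse) the resource group and an ARM storage account in it.
if (-not (Get-AzureRmResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $rgName -Location $location | Out-Null
}
if (-not (Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name $accountName -ErrorAction SilentlyContinue)) {
    New-AzureRmStorageAccount -ResourceGroupName $rgName -Name $accountName `
        -Location $location -SkuName Standard_LRS -Kind Storage | Out-Null
}

# Step 2: enable SSE for the Blob service. Only data written after this point
# is encrypted; blobs that already exist stay unencrypted until they are
# rewritten, as the post notes.
Set-AzureRmStorageAccount -ResourceGroupName $rgName -Name $accountName `
    -EnableEncryptionService Blob | Out-Null

# Step 3: verify. A $null value (account never had an encryption setting
# applied) is treated the same as $false.
$enabled = (Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name $accountName).Encryption.Services.Blob.Enabled
if ($enabled -ne $true) {
    throw "SSE is not enabled on $accountName"
}
Write-Output "SSE enabled on ${accountName}: $enabled"

# Step 4 (audit): list every ARM storage account in the subscription whose Blob
# service is not covered by SSE, so configuration drift is caught rather than
# assumed away. Get-AzureRmStorageAccount with no parameters returns all ARM
# storage accounts in the current subscription.
Get-AzureRmStorageAccount |
    Where-Object { $_.Encryption.Services.Blob.Enabled -ne $true } |
    Select-Object ResourceGroupName, StorageAccountName, Location
```

Run the script from a session with the AzureRM module loaded; the audit at the end prints nothing when every ARM storage account in the subscription has Blob encryption enabled, which makes it suitable for a scheduled compliance check. Classic (non-ARM) storage accounts are not returned by Get-AzureRmStorageAccount and so are not covered by this audit.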
For a complete description of SSE and answers to frequently asked questions, please review the official Azure documentation.