Managing data encryption
For Azure Synapse workspaces, all data is stored with at least one layer of encryption, so data is never persisted on disk in its original, clear form. Encryption at rest cannot be turned off. This applies to all of the analytical engines in Azure Synapse as well as to data persisted, even temporarily, by integration pipelines.
In addition to this first layer of encryption, Azure Synapse workspaces offer an optional, additional layer of encryption, called double encryption. This feature helps protect data by keeping it encrypted even if one of the encryption layers is compromised. Double encryption uses a customer-managed key stored in Azure Key Vault, which gives you full responsibility for key management. The first layer of encryption, by contrast, uses platform-managed keys, which you don’t have access to. Both layers use 256-bit Advanced Encryption Standard encryption, known simply as AES-256.