How to secure sensitive data in Durable Functions? #1772
-
Hello, it appears that the Durable Functions table storage (i.e. History) contains JSON-serialized inputs/outputs passed to/from durable orchestrations and activities. If durable functions handle "sensitive" values, are there any provisions for encrypting the stored data, so that only the Azure function app can read the data? Or is this something that needs to be controlled through storage permissions alone, such that nobody except for the function app's identity has permission to access the storage?
Replies: 6 comments
-
Hi @featuresnap, take a look at the Azure Storage encryption for data at rest docs. Hopefully it clarifies your questions about Azure Storage encryption options. Thanks!
-
Thanks @CarlosSardo for this information. Would this protect Azure Function history contents from being viewed in plaintext in the Azure Portal or via Storage Explorer?
-
You'd still be able to view the contents in plain text, as long as you have normal access to the storage account. As far as I'm aware, there's no built-in option in the underlying serializer (used by Durable Functions) to encrypt parameter data before being persisted in storage.
-
Thanks @CarlosSardo, makes sense. Our MS rep also confirmed that it would be best to focus on strong controls around access to storage accounts used by durable functions, and possibly supplement with custom message-level encryption if additional risk mitigation is needed.
-
I'm leaving this issue open since it is a common question.
-
We now have official documentation about data persistence and serialization. This GitHub repo is also a great resource for encrypting data for C# devs.