- All content is encrypted, potentially with multiple keys, and distributed across the datacenter. Each file to be stored is broken into one or more chunks, depending on its size. Then, each chunk is encrypted using its own unique key. Updates are handled similarly: the set of changes, or deltas, submitted by a user is broken into chunks, and each is encrypted with its own key.
- All of these chunks—files, pieces of files, and update deltas—are stored as blobs in our blob store. They also are randomly distributed across multiple blob containers.
- The set of encryption keys for these chunks of content is itself encrypted using an independently generated master key.
- The encrypted keys are stored in the SharePoint Content Database.
- The master key to decrypt the keys to the chunks is itself stored in a separate secure store called the Key Store.
- The “map” used to re-assemble the file from its components is stored in the Content Database along with the encrypted keys but separate from the master key needed to decrypt them.
- Each blob container has its own unique credentials per access type (read, write, enumerate, and delete). Each set of credentials is held in the secure Key Store and is regularly refreshed.
If not, I would think it is safe to use...
More info: http://aka.ms/dataencryption
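
The layout described in the list above, as an added sketch that is not part of the original post and not Microsoft's code: per-chunk keys, keys wrapped under a master key, and three separate stores. All names (`store`, `load`, `key_store`, `content_db`, `containers`) are hypothetical, the sample document is constructed, and the SHAKE-256 XOR stream is a stand-in for a real cipher such as AES.

```python
import hashlib
import secrets

CHUNK = 16  # tiny chunk size (assumption) so the constructed sample splits into several chunks

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for illustration only: XOR with a SHAKE-256 keystream.
    # A real service would use an authenticated cipher such as AES-GCM.
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

def store(data: bytes, master_key: bytes, containers: dict, content_db: dict) -> None:
    """Chunk the data, encrypt each chunk under its own key, scatter the blobs."""
    file_map = []
    for off in range(0, len(data), CHUNK):
        chunk_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        blob_id = secrets.token_hex(8)
        container = secrets.choice(list(containers))  # random blob container
        containers[container][blob_id] = xor_stream(chunk_key, nonce, data[off:off + CHUNK])
        wrapped_key = xor_stream(master_key, nonce, chunk_key)  # chunk key encrypted under master key
        file_map.append((container, blob_id, nonce, wrapped_key))
    # The map and the encrypted keys live together; the master key does not.
    content_db["map"] = file_map

def load(master_key: bytes, containers: dict, content_db: dict) -> bytes:
    """Re-assemble the file: unwrap each chunk key, then decrypt its blob."""
    out = b""
    for container, blob_id, nonce, wrapped_key in content_db["map"]:
        chunk_key = xor_stream(master_key, nonce, wrapped_key)
        out += xor_stream(chunk_key, nonce, containers[container][blob_id])
    return out

def demo():
    key_store = {"master": secrets.token_bytes(32)}   # separate secure store
    containers = {"c1": {}, "c2": {}, "c3": {}}       # blob store
    content_db = {}                                   # map + encrypted keys
    doc = b"constructed sample document for the walkthrough"
    store(doc, key_store["master"], containers, content_db)
    with_master = load(key_store["master"], containers, content_db)
    # Blob store plus Content Database, but a guessed master key: no plaintext.
    without_master = load(secrets.token_bytes(32), containers, content_db)
    return doc, with_master, without_master, content_db, containers

if __name__ == "__main__":
    doc, ok, bad, _, _ = demo()
    print(ok == doc, bad == doc)
```
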
