Allow encryption of blob storage at a container instead of account level
Please consider allowing encryption to be applied at a per-container level instead of at the account level. Given a request to store one client's data at a different place, with a different encryption key than another client's data, my only option to comply is to split client data across multiple storage accounts today.
This is problematic since there's a cap on how many accounts I can have per account (presently at 250), which means that management will grow increasingly more difficult when I have to start spanning subscriptions to access my blob resources.
Rather, if I were able to encrypt containers separately from one another, my calculus for designing the solution would instead shift to looking at IOPS and RBAC limitations to determine where data is stored across accounts, meaning that I'd hit the storage limit far more slowly and have more options for accommodating co-location requests.
Thank you for your feedback. The Azure Storage team is in the process of enabling encryption by default by using Microsoft Managed Keys for all data that is written to Azure Storage (Blob, File, Table and Queue storage), and for all storage accounts (Azure Resource Manager and Classic storage accounts), both new and existing. For any further questions, or to discuss your specific scenario, send us an email at firstname.lastname@example.org.