This article explains how Microsoft Copilot data is protected while it is stored on Microsoft servers and while it moves between your device and the cloud. Encryption is the control that keeps your prompts, responses and referenced files from being read by anyone who intercepts the network path or gets hold of the storage media. It covers the difference between encryption at rest and encryption in transit, the technologies Microsoft uses for each, how they apply to Copilot interactions, and what a tenant administrator can actually verify in Microsoft 365. It also spells out what these two layers do not do: they are not end-to-end encryption, and the Copilot service itself has to process your data in plaintext to answer you.
Key Takeaways: Copilot Data Encryption in Microsoft 365
- Azure Storage Service Encryption with 256-bit AES: Protects all Copilot data at rest on Microsoft servers.
- TLS 1.2 and 1.3 protocols: Encrypt all data traveling between your device and Microsoft 365 services during Copilot use.
- Microsoft 365 Customer Key and the Purview audit log: Let tenant administrators supply their own Azure Key Vault root keys for data at rest and track who changed encryption policies and when. There is no tenant setting that turns encryption on or off or lowers the TLS floor below 1.2.
What Encryption at Rest and In Transit Mean for Copilot
Encryption at rest protects data stored on hard drives, solid-state drives or cloud storage systems against anyone who obtains the storage media or a raw copy of it. When you send a prompt to Copilot, the prompt, the generated response and related metadata are stored in your tenant's Microsoft 365 storage (Copilot chat history, for example, is retained in the user's Exchange Online mailbox so that retention and eDiscovery apply to it). Azure Storage Service Encryption encrypts this data with 256-bit Advanced Encryption Standard before it is written to disk. No user action is required, and the keys are Microsoft-managed unless your organization enables Microsoft 365 Customer Key, which lets you supply root keys held in your own Azure Key Vault.
Encryption in transit protects data while it moves across networks. When your Copilot request leaves your device, it travels over the internet to Microsoft 365 data centers. Transport Layer Security (TLS) encrypts the stream so that anyone intercepting the traffic sees only ciphertext, and the server certificate lets your client confirm it is talking to Microsoft rather than to an impersonator. Microsoft 365 requires TLS 1.2 or later for all connections, Copilot included; TLS 1.0, TLS 1.1 and SSL 3.0 are rejected at the service.
The two layers are complementary but not continuous. TLS protects the request from your device to Microsoft's front door, where the TLS session terminates; inside the service the request is processed in plaintext in memory, and whatever is stored is encrypted at rest before it reaches disk. The response travels back inside the same TLS session. Neither layer is end-to-end encryption: Copilot has to read your prompt and your documents to produce an answer, so the guarantees are against network interception and against access to the storage media, not against the service operator.
How Copilot Uses Encryption Keys
Microsoft uses separate key hierarchies for the two layers. For data at rest, Azure Storage Service Encryption uses envelope encryption: a root key (the key encryption key) wraps a data encryption key, and the data encryption key encrypts the stored blocks containing your Copilot data. Only the wrapped form of the data encryption key is persisted, so rotating or revoking the root key changes who can read all data under it without touching the stored ciphertext. The root key is Microsoft-managed by default or, with Customer Key, held in your Azure Key Vault. For data in transit, each TLS connection agrees its own session keys through an ephemeral Diffie-Hellman exchange that is authenticated by the server's certificate; the session keys exist only for that connection and are discarded when it ends.
Where Copilot Data Is Stored
Copilot data is stored in the same geographic region as your Microsoft 365 tenant. For example, if your tenant is hosted in the United States, Copilot data stays in Azure data centers within the United States. This geographic binding is part of Microsoft’s data residency commitments. Encryption at rest applies in every region, and the same 256-bit AES standard is used globally.
Steps to Verify Encryption Settings for Copilot in Your Tenant
You do not need to configure encryption for standard Copilot usage. Microsoft enables both at-rest and in-transit encryption by default and neither can be switched off. What tenant administrators can do is verify which key source is in use, optionally bring their own root keys with Customer Key, and audit changes. Follow these steps to check the settings.
- Confirm what is and is not configurable
Encryption at rest and in transit are always on; there is no tenant switch to enable or disable them and no setting that lowers the TLS floor below 1.2. What an administrator verifies is the key source for data at rest (Microsoft-managed or Customer Key), which policies are assigned to which workloads, and who changed them.
- Open the Microsoft Purview portal
Sign in to the Microsoft 365 admin center at admin.microsoft.com and select Compliance in the left navigation, or go to purview.microsoft.com directly. Data protection settings and the audit log live here. Customer Key itself is an add-on that requires an eligible license, and its day-to-day management is done with Exchange Online PowerShell rather than from a portal page.
- Review the key source
With the defaults, the tenant has no data encryption policies at all: keys are Microsoft-managed. If your organization uses Customer Key, the root keys are created in Azure Key Vault (Microsoft requires two keys in two vaults in separate subscriptions), registered with Microsoft 365, and referenced by data encryption policies that are assigned to mailboxes, to SharePoint and OneDrive, or tenant-wide for multi-workload data. Listing those policies and the key identifiers they reference is the check.
- Check TLS on the client side
Because the service refuses anything below TLS 1.2, the only failure mode in your control is a client, proxy or integration that cannot negotiate TLS 1.2. Confirm that workstations, TLS-inspecting proxies and any scripts or services calling Microsoft 365 negotiate TLS 1.2 or 1.3, and look at which cipher suite they negotiate.
- Audit changes to encryption policies
In the Purview portal go to Audit and confirm that auditing is enabled for the tenant. Changes to Customer Key policies are Exchange admin operations, so searching the unified audit log for the cmdlets that create or assign data encryption policies (for example New-DataEncryptionPolicy, Set-DataEncryptionPolicy, and Set-Mailbox with the DataEncryptionPolicy parameter) shows who changed what and when.
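The checks above carried out from PowerShell, as an added example written for this page rather than taken from Microsoft documentation. It assumes PowerShell 7 with the ExchangeOnlineManagement module installed and a signed-in account that holds the Exchange administrator role (plus audit search permissions); the admin UPN is a placeholder, the TLS probe needs network access to the service, and the Customer Key cmdlets return nothing in a tenant that has never set Customer Key up.

```powershell
# Added example for this page: verify the Copilot-relevant encryption posture of a tenant.
# Assumes PowerShell 7 + ExchangeOnlineManagement module; $AdminUpn is a placeholder.

$AdminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Key source for data at rest. With only Microsoft-managed keys there are no data
#    encryption policies at all; any policy listed here is Customer Key, and AzureKeyIDs
#    names the Azure Key Vault keys it wraps with.
$policies = Get-DataEncryptionPolicy
if (-not $policies) {
    'Key source: Microsoft-managed (no Customer Key data encryption policy exists).'
} else {
    $policies | Select-Object Name, Enabled, AzureKeyIDs, Description | Format-List
}

# 2. Assignment: which mailboxes (where Copilot chat history is retained) carry a policy.
Get-Mailbox -ResultSize Unlimited |
    Select-Object -Property UserPrincipalName,
        @{ Name = 'KeySource'; Expression = { if ($_.DataEncryptionPolicy) { $_.DataEncryptionPolicy } else { 'Microsoft-managed' } } } |
    Group-Object -Property KeySource |
    Select-Object Name, Count

# 3. Tenant-level (multi-workload) Customer Key policies, if the feature is enabled.
try {
    Get-M365DataAtRestEncryptionPolicy | Select-Object Name, Enabled, AzureKeyIDs
} catch {
    'No multi-workload data-at-rest policy (or the feature is not enabled): ' + $_.Exception.Message
}

# 4. Audit: confirm the unified audit log is on, then pull the operations that create
#    or assign encryption policies. Exchange admin cmdlet names appear as Operations.
'Unified audit log enabled: ' + (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
$since = (Get-Date).AddDays(-90)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -RecordType ExchangeAdmin -ResultSize 5000 `
    -Operations 'New-DataEncryptionPolicy', 'Set-DataEncryptionPolicy', 'Set-Mailbox', 'New-M365DataAtRestEncryptionPolicy' |
    Where-Object { $_.Operations -ne 'Set-Mailbox' -or $_.AuditData -match 'DataEncryptionPolicy' } |
    Select-Object CreationDate, UserIds, Operations

# 5. In transit: there is no tenant setting for TLS, so verify what THIS client negotiates.
function Test-TlsNegotiation {
    param(
        [string]$HostName = 'outlook.office365.com',
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocols = [System.Security.Authentication.SslProtocols]::None  # None = OS default
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $true)   # $true = check revocation
        [pscustomobject]@{ Host = $HostName; Protocol = $ssl.SslProtocol; CipherSuite = $ssl.NegotiatedCipherSuite }
    } finally {
        $tcp.Dispose()
    }
}
Test-TlsNegotiation   # expect Tls12 or Tls13 and an ECDHE cipher suite (forward secrecy)
try {
    Test-TlsNegotiation -Protocols ([System.Security.Authentication.SslProtocols]::Tls)   # force TLS 1.0
} catch {
    'TLS 1.0 handshake refused (by the service, or already disabled on this client): ' + $_.Exception.Message
}

Disconnect-ExchangeOnline -Confirm:$false
```

Step 2 uses Get-Mailbox rather than Get-EXOMailbox because the full mailbox object carries the DataEncryptionPolicy property without extra parameters; on a large tenant expect it to take a while. The TLS probe reports the negotiated protocol and cipher suite as seen from the machine running it, which is the point: if a proxy or an old runtime sits in between, that is where a downgrade would show up.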
Common Misconceptions About Copilot Encryption
Encryption at rest means data is encrypted only when idle
Some users assume that once Copilot has decrypted data to process a prompt, that data stays decrypted on disk until the next write. In reality the storage layer decrypts blocks only as they are read, the Copilot service holds the plaintext in memory for the duration of the request, and anything written back to storage is encrypted again before it reaches disk. The accurate version of this statement is the more useful one: encryption at rest protects the storage media, not data in use. While a request is being processed the service, not you, holds the plaintext, which is why access controls, auditing and Microsoft's data-handling commitments matter alongside the cipher.
Encryption in transit uses the same key for all connections
Each TLS session agrees its own session key through an ephemeral Diffie-Hellman exchange (ECDHE in the cipher suites Microsoft 365 offers; in TLS 1.3 ephemeral key exchange is the only option). The server's long-term private key only authenticates the handshake; it never encrypts the traffic. So even an attacker who later obtains that private key cannot decrypt recorded sessions, because each session key was derived from ephemeral values that both sides discarded. This property is called forward secrecy. In TLS 1.2 it depends on the negotiated cipher suite, so checking which suite your client negotiates is a quick way to confirm it.
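The mechanism behind that paragraph as an added, stand-alone demonstration written for this page: it uses .NET's ECDiffieHellman and ECDsa classes from PowerShell 7 and is not the TLS implementation Microsoft 365 runs. The "client" and "server" are placeholders for the two TLS peers, and the signed public share stands in for the server's certificate-backed handshake signature.

```powershell
# Added example (not from the article, not Microsoft 365 code): why per-session ephemeral
# key agreement gives forward secrecy. PowerShell 7 / .NET. Peer names are placeholders.

$curve = [System.Security.Cryptography.ECCurve]::CreateFromFriendlyName('nistP256')
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256

# Long-term server identity key: the key a certificate vouches for. It only SIGNS the
# handshake and never encrypts traffic, so stealing it later reveals no session key.
$serverIdentity = [System.Security.Cryptography.ECDsa]::Create($curve)

function Invoke-Handshake {
    # Both peers create fresh ECDH key pairs, exchange public halves (the server's signed
    # by its identity key), derive the same shared secret, then destroy the ephemeral
    # private keys. Nothing that survives the handshake can re-derive the session key.
    $client = [System.Security.Cryptography.ECDiffieHellman]::Create($curve)
    $server = [System.Security.Cryptography.ECDiffieHellman]::Create($curve)
    try {
        $serverShare = $server.PublicKey.ExportSubjectPublicKeyInfo()
        $signature   = $serverIdentity.SignData($serverShare, $sha256)

        # Authentication: the client checks the share really came from the server
        # (in TLS it would use the public key from the certificate).
        if (-not $serverIdentity.VerifyData($serverShare, $signature, $sha256)) {
            throw 'handshake signature invalid'
        }
        # Confidentiality: both sides derive the session key from the ephemeral pairs only.
        $clientKey = $client.DeriveKeyMaterial($server.PublicKey)
        $serverKey = $server.DeriveKeyMaterial($client.PublicKey)
        if ([BitConverter]::ToString($clientKey) -ne [BitConverter]::ToString($serverKey)) {
            throw 'key agreement mismatch'
        }
        return ,$clientKey
    } finally {
        $client.Dispose()   # ephemeral private keys cease to exist here
        $server.Dispose()
    }
}

$session1 = Invoke-Handshake
$session2 = Invoke-Handshake
'Session 1 key: ' + ([BitConverter]::ToString($session1) -replace '-')
'Session 2 key: ' + ([BitConverter]::ToString($session2) -replace '-')
'Same identity key, different session keys: ' +
    ([BitConverter]::ToString($session1) -ne [BitConverter]::ToString($session2))
# An attacker who recorded either session and later steals $serverIdentity holds only the
# public shares, a signature and ciphertext; the ephemeral private halves needed to
# recompute the session key no longer exist anywhere.
```

The separation shown here is the whole point of forward secrecy: the identity key answers "who am I talking to", the ephemeral pair answers "what key protects this conversation", and only the first one is long-lived.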
Customer-managed keys provide stronger encryption than Microsoft-managed keys
Both options use the same 256-bit AES algorithm and the same envelope structure; the difference is who controls the root key, not how strong the cipher is. With Customer Key you decide when to rotate the root key (which, in an envelope scheme, re-wraps the data encryption keys rather than re-encrypting every stored block), you can revoke it, and you can audit its use in your own Azure Key Vault logs, which is what regulatory frameworks usually ask for. Two caveats: Microsoft retains an availability key so the service can recover if your keys become unreachable, so Customer Key is a control and compliance mechanism rather than a way to lock Microsoft out of the data; and revoking or deleting your keys makes the data unreadable for your own users as well.
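The key hierarchy from the section How Copilot Uses Encryption Keys, and the point just made that key control and cipher strength are separate things, as one added example written for this page. It is not Azure Storage Service Encryption or Customer Key code; it uses .NET's AesGcm class from PowerShell 7, the stored record is a constructed sample, and the key names are placeholders. Whoever holds the root key, the data sits under the same AES-256; what changes is who can wrap, re-wrap or refuse to unwrap the data encryption key.

```powershell
# Added example (not Microsoft's code): envelope encryption with AES-256-GCM.
# root key (KEK) wraps the data encryption key (DEK); the DEK encrypts stored blocks.
# PowerShell 7 / .NET AesGcm. Sample record and key names are placeholders.

function New-RandomBytes([int]$Count) {
    $bytes = [byte[]]::new($Count)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ,$bytes
}

function Protect-Gcm([byte[]]$Key, [byte[]]$Plaintext, [string]$Aad) {
    # AES-256-GCM with a fresh 96-bit nonce and a 128-bit tag. $Aad is authenticated but
    # not encrypted; here it binds each blob to the key id it was produced under.
    $nonce = New-RandomBytes 12
    $ct    = [byte[]]::new($Plaintext.Length)
    $tag   = [byte[]]::new(16)
    $gcm   = [System.Security.Cryptography.AesGcm]::new($Key)
    try { $gcm.Encrypt($nonce, $Plaintext, $ct, $tag, [System.Text.Encoding]::UTF8.GetBytes($Aad)) }
    finally { $gcm.Dispose() }
    return [pscustomobject]@{ Nonce = $nonce; Ciphertext = $ct; Tag = $tag; Aad = $Aad }
}

function Unprotect-Gcm([byte[]]$Key, $Blob) {
    # Throws if the key, nonce, tag or AAD do not match: wrong key => no plaintext, not garbage.
    $pt  = [byte[]]::new($Blob.Ciphertext.Length)
    $gcm = [System.Security.Cryptography.AesGcm]::new($Key)
    try { $gcm.Decrypt($Blob.Nonce, $Blob.Ciphertext, $Blob.Tag, $pt, [System.Text.Encoding]::UTF8.GetBytes($Blob.Aad)) }
    finally { $gcm.Dispose() }
    return ,$pt
}

# --- Hierarchy: KEK -> DEK -> data ---
$dek  = New-RandomBytes 32   # data encryption key, 256 bits
$kek1 = New-RandomBytes 32   # root key, 256 bits: Microsoft-managed, or yours in Key Vault

$record      = [System.Text.Encoding]::UTF8.GetBytes('prompt: summarise the Q3 supplier contract')  # constructed sample
$storedBlock = Protect-Gcm -Key $dek  -Plaintext $record -Aad 'block-0001'
$wrappedDek  = Protect-Gcm -Key $kek1 -Plaintext $dek    -Aad 'kek-v1'   # only the wrapped DEK is persisted

# Read path: unwrap the DEK with the root key, decrypt the block, plaintext exists only in memory.
$dekInMemory = Unprotect-Gcm -Key $kek1 -Blob $wrappedDek
'Read with kek-v1: ' + [System.Text.Encoding]::UTF8.GetString((Unprotect-Gcm -Key $dekInMemory -Blob $storedBlock))

# Rotating the root key re-wraps the DEK. The stored block's ciphertext is untouched.
$kek2       = New-RandomBytes 32
$wrappedDek = Protect-Gcm -Key $kek2 -Plaintext $dek -Aad 'kek-v2'
$dekInMemory = Unprotect-Gcm -Key $kek2 -Blob $wrappedDek
'Read with kek-v2: ' + [System.Text.Encoding]::UTF8.GetString((Unprotect-Gcm -Key $dekInMemory -Blob $storedBlock))
'Stored block unchanged by rotation: ' + ([BitConverter]::ToString($storedBlock.Ciphertext).Length -gt 0)

# Revocation: a retired or revoked root key can no longer open the wrapped DEK, so every
# block under it is unreadable, even though the block ciphertext itself never changed.
try {
    Unprotect-Gcm -Key $kek1 -Blob $wrappedDek | Out-Null
} catch {
    'Retired root key refused: ' + $_.Exception.Message
}
# Swapping $kek1/$kek2 from Microsoft-held to customer-held keys changes nothing above
# except who runs the rotate and revoke steps: same cipher, same key length.
```

Two details carry over to the real service. The wrapped DEK is the only thing that has to be re-protected on rotation, which is why rotating a root key is cheap and why revoking it is total. And because GCM authenticates the ciphertext, the wrong key fails closed with an exception rather than decrypting to noise.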
Copilot Encryption at Rest vs Encryption in Transit: Key Differences
| Item | Encryption at Rest | Encryption in Transit |
|---|---|---|
| Data state | Data stored on disk or cloud storage | Data moving across a network |
| Encryption technology | Azure Storage Service Encryption using 256-bit AES | TLS 1.2 or 1.3 with forward secrecy |
| Key management | Microsoft-managed keys by default; customer-managed keys optional | Ephemeral session keys generated per connection |
| When encryption is applied | Encrypted before writing to disk; decrypted after reading from disk | Encrypted before leaving the sender; decrypted after arriving at the receiver |
| User configuration required | None for default settings | None for default settings |
| Scope | All Copilot prompts, responses, and metadata stored in Azure | All network traffic between the client and Microsoft 365 data centers |
You can now explain how encryption protects Copilot data in each of the two states, and where the boundary of each layer lies. Verify in your tenant which key source is in use for data at rest, whether any Customer Key policies are assigned, and that your clients negotiate TLS 1.2 or 1.3 against the service; there is no tenant setting for the TLS floor itself. For control over the root keys, consider Customer Key with Azure Key Vault, which lets you rotate keys on your own schedule and document key control for frameworks such as FedRAMP or HIPAA.