Encrypting existing blobs in classic Azure Storage account

We have a few classic storage accounts in Azure with a number of files in blob storage that are not encrypted as they were uploaded before encryption was on by default for all uploads.

Per https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption:

Storage Service Encryption is enabled by default for all storage accounts--classic and Resource Manager, any existing files in the storage account created before encryption was enabled will retroactively get encrypted by a background encryption process.

However, we are not seeing any of the old blobs be retroactively encrypted.

Does the retroactive encryption of existing blobs only take place on ARM storage accounts? If so, would migrating the storage accounts as described on https://docs.microsoft.com/en-us/azure/virtual-machines/windows/migration-classic-resource-manager-ps cause the old blobs to start encrypting in the background?


Solution 1:

Initially, when SSE was added, existing blobs did not get encrypted, and you needed to move them out of the storage account and back in (or just move to a new storage account) to have them encrypted when they were first written.

The background encryption process for existing files was introduced at GA of SSE, and I'm not clear on whether it applied to classic or not. However, if you migrate to an ARM storage account, then yes, they will get encrypted.
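
To check which blobs the service still reports as unencrypted, before and after a migration or re-upload, the added example below (not part of the original question or answer) parses a List Blobs REST response body and splits blobs by the `ServerEncrypted` property. The sample XML, account name and blob names are constructed, and `audit_encryption` is a hypothetical helper name; a blob with no `ServerEncrypted` element is reported as unconfirmed rather than assumed encrypted.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a List Blobs response body (all names and dates are made up).
SAMPLE_LIST_BLOBS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://exampleaccount.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob>
      <Name>2016/archive-01.zip</Name>
      <Properties>
        <Last-Modified>Tue, 05 Jan 2016 10:00:00 GMT</Last-Modified>
        <ServerEncrypted>false</ServerEncrypted>
      </Properties>
    </Blob>
    <Blob>
      <Name>2019/archive-07.zip</Name>
      <Properties>
        <Last-Modified>Mon, 04 Mar 2019 08:30:00 GMT</Last-Modified>
        <ServerEncrypted>true</ServerEncrypted>
      </Properties>
    </Blob>
    <Blob>
      <Name>legacy/readme.txt</Name>
      <Properties>
        <Last-Modified>Fri, 12 Jun 2015 14:45:00 GMT</Last-Modified>
      </Properties>
    </Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def audit_encryption(list_blobs_xml):
    """Return (encrypted, not_confirmed) lists of (blob name, last modified)."""
    root = ET.fromstring(list_blobs_xml)
    encrypted, not_confirmed = [], []
    for blob in root.iter("Blob"):
        name = blob.findtext("Name")
        modified = blob.findtext("Properties/Last-Modified")
        flag = blob.findtext("Properties/ServerEncrypted")
        # Only an explicit "true" counts; "false" or a missing element is flagged.
        if flag is not None and flag.strip().lower() == "true":
            encrypted.append((name, modified))
        else:
            not_confirmed.append((name, modified))
    return encrypted, not_confirmed


if __name__ == "__main__":
    ok, todo = audit_encryption(SAMPLE_LIST_BLOBS_XML)
    print(f"{len(ok)} encrypted, {len(todo)} need re-writing or follow-up:")
    for name, modified in todo:
        print(f"  {name}  (last modified {modified})")
```

A real listing can span several pages; repeat the request with the returned `NextMarker` value until it comes back empty before concluding that every blob is encrypted.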