ALIF Consulting
Azure Managed Disk Encryption
Updated: Oct 26, 2022
About Alif: Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients to ensure that the partners reduce their costs and focus on their business. We provide white-labelled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps and a lot more. Our headquarter is in Pune, India whereas we work with over 50 partners across the globe that trust us with their client delivery.
Encryption is the process of encoding a message or information in a way that only authorized parties can access it and those who are not authorized cannot.
In Azure, We can take the of this feature on Azure VM in multiple ways and this allow use to encrypt the sensitive information available on Azure VM.

Data Encryption in Azure –
In Azure, We have three types of encryption method to protect the sensitive information
Azure Disk Encryption
Server-Side Encryption
Encryption at host
Azure Disk Encryption –
Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows and DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.
Azure Disk Encryption is zone resilient, the same way as Virtual Machines

Supported VM Sizes –
Windows VMs and Linux VMs are available in a range of sizes. Azure Disk Encryption is supported on Generation 1 and Generation 2 VMs. Azure Disk Encryption is also available for VMs with premium storage.
Azure Disk Encryption is not available on Basic, A-series VMs, or on virtual machines with a less than 2 GB of memory.
Supported OS –
Windows client: Windows 8 and later.
Windows Server: Windows Server 2008 R2 and later.
Windows 10 Enterprise multi-session.
Ubuntu
CentOS
REDHAT
SUSE
Server Side Encryption –
Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data and to help you meet your organizational security and compliance commitments.
Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud.
Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant
Encryption key management –
In Azure, We can used two types of managed key to encrypt and decrypt the information.
Platform-managed keys - By default, managed disks use platform-managed encryption keys. All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted-at-rest with platform-managed keys.
Customer-managed keys - You can choose to manage encryption at the level of each managed disk, with your own keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

Encryption at host –
When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches are stored on that VM host. After enabling encryption at host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at host encrypts your data from end-to-end. Encryption at host does not use your VM's CPU and doesn't impact your VM's performance.
Restrictions -
Doesn't support ultra-disks.
Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs/virtual machine scale sets.
Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.
The encryption can be enabled on existing virtual machine scale set. However, only new VMs created after enabling the encryption are automatically encrypted.
Existing VMs must be deallocated and reallocated in order to be encrypted.
Supports ephemeral OS disks but only with platform-managed keys.

Here is a comparison of SSE, ADE, and encryption at host -
