
Azure Managed Disk Encryption

Updated: May 22

Encryption is the process of encoding a message or information in a way that only authorized parties can access it, and those who are not authorized cannot.


In Azure, this protection can be applied to a VM in several ways, each of which lets us encrypt the sensitive information stored on the VM's disks.


[Figure: Azure Managed Disk Encryption]

Data Encryption in Azure

In Azure, we have three types of encryption methods to protect sensitive information on managed disks:

  • Azure Disk Encryption

  • Server-Side Encryption

  • Encryption at host

Azure Disk Encryption

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs) and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Azure Disk Encryption is zone resilient, in the same way as virtual machines.


[Figure: Azure Key Vault and Disk Encryption]

Supported VM Sizes

Windows VMs and Linux VMs are available in a range of sizes. Azure Disk Encryption is supported on Generation 1 and Generation 2 VMs. Azure Disk Encryption is also available for VMs with premium storage.

Azure Disk Encryption is not available on Basic or A-series VMs, or on virtual machines with less than 2 GB of memory.

Supported OS:

  • Windows client: Windows 8 and later.

  • Windows Server: Windows Server 2008 R2 and later.

  • Windows 10 Enterprise multi-session.

  • Ubuntu

  • CentOS

  • Red Hat

  • SUSE

Server-Side Encryption

Most Azure-managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data and to help you meet your organizational security and compliance commitments.

Azure Storage encryption automatically encrypts your data stored on Azure-managed disks (OS and data disks) at rest by default when persisting it to the cloud.

Data in Azure-managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.


Encryption key management

In Azure, we can use two types of managed keys to encrypt and decrypt the information.


Platform-managed keys - By default, managed disks use platform-managed encryption keys. All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted at rest with platform-managed keys.

Customer-managed keys - You can choose to manage encryption at the level of each managed disk with your own keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.


[Figure: SSE with customer-managed key workflow]

Encryption at host

When you enable encryption at the host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches are stored on that VM host. After enabling encryption at the host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at the host encrypts your data from end to end. Encryption at the host does not use your VM's CPU and doesn't impact your VM's performance.


Restrictions

  • Doesn't support ultra disks.

  • It cannot be enabled if Azure Disk Encryption (guest-VM encryption using BitLocker/DM-Crypt) is enabled on your VMs/virtual machine scale sets.

  • Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.

  • The encryption can be enabled on the existing virtual machine scale set. However, only new VMs created after enabling the encryption are automatically encrypted.

  • Existing VMs must be deallocated and reallocated in order to be encrypted.

  • Supports ephemeral OS disks but only with platform-managed keys.
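A practitioner auditing a fleet usually wants to know which of the three methods is actually in effect on a given VM and whether any of the restrictions above are being violated. The following is an added example, not code from the original post or from Microsoft: it classifies a VM's at-rest encryption posture from the JSON that `az vm show` and `az disk show` return and flags the conflicts described in the key-management and Restrictions sections (ADE together with encryption at host, ADE on Basic/A-series sizes, encryption at host with an ultra disk, ephemeral OS disk with a customer-managed key). The sample records are constructed, and the extension field names (`typePropertiesType` / `virtualMachineExtensionType`) are assumed to match the CLI's output shape.

```python
"""Classify an Azure VM's at-rest encryption posture and flag restriction
conflicts. Added example; the records below are constructed sample data
in the shape of `az vm show` / `az disk show` output, not real Azure output."""
import re
from dataclasses import dataclass, field
from typing import List

# ADE ships as a VM extension from the Microsoft.Azure.Security publisher.
ADE_EXTENSION_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}
# `encryption.type` values on a managed disk that involve a customer-managed key.
CMK_TYPES = {"EncryptionAtRestWithCustomerKey",
             "EncryptionAtRestWithPlatformAndCustomerKeys"}


@dataclass
class Posture:
    method: str                 # human-readable summary of what is in effect
    encryption_at_host: bool
    ade_enabled: bool
    customer_managed_key: bool
    findings: List[str] = field(default_factory=list)


def _has_ade_extension(vm: dict) -> bool:
    """True if an Azure Disk Encryption extension is attached to the VM."""
    for ext in vm.get("resources") or []:
        # Field name assumed; older/newer CLI versions differ on this key.
        ext_type = ext.get("typePropertiesType") or ext.get("virtualMachineExtensionType")
        if ext.get("publisher") == "Microsoft.Azure.Security" and ext_type in ADE_EXTENSION_TYPES:
            return True
    return False


def classify(vm: dict, os_disk: dict) -> Posture:
    """vm: parsed `az vm show` output; os_disk: parsed `az disk show` output for its OS disk."""
    eah = bool((vm.get("securityProfile") or {}).get("encryptionAtHost"))
    ade = _has_ade_extension(vm)
    cmk = (os_disk.get("encryption") or {}).get("type") in CMK_TYPES
    size = (vm.get("hardwareProfile") or {}).get("vmSize", "") or ""
    os_disk_profile = (vm.get("storageProfile") or {}).get("osDisk") or {}
    ephemeral = (os_disk_profile.get("diffDiskSettings") or {}).get("option") == "Local"
    ultra = (os_disk.get("sku") or {}).get("name") == "UltraSSD_LRS"

    findings = []
    if eah and ade:
        findings.append("Encryption at host and Azure Disk Encryption are mutually exclusive; "
                        "one of them should be removed.")
    if ade and (size.startswith("Basic_") or re.match(r"^Standard_A\d", size)):
        findings.append(f"Azure Disk Encryption is not supported on Basic or A-series sizes ({size}).")
    if eah and ultra:
        findings.append("Encryption at host does not support ultra disks.")
    if eah and ephemeral and cmk:
        findings.append("Ephemeral OS disks with encryption at host require platform-managed keys.")

    # ADE and encryption at host both sit on top of the always-on SSE layer.
    if ade:
        method = "Azure Disk Encryption (guest BitLocker/dm-crypt) over SSE"
    elif eah:
        method = "Encryption at host over SSE"
    elif cmk:
        method = "SSE with customer-managed key"
    else:
        method = "SSE with platform-managed key (default)"
    return Posture(method, eah, ade, cmk, findings)


# Constructed sample: a VM that has both ADE and encryption at host set.
SAMPLE_VM = {
    "name": "web01",
    "hardwareProfile": {"vmSize": "Standard_D2s_v3"},
    "securityProfile": {"encryptionAtHost": True},
    "storageProfile": {"osDisk": {"name": "web01-os", "diffDiskSettings": None}},
    "resources": [{"publisher": "Microsoft.Azure.Security",
                   "typePropertiesType": "AzureDiskEncryption"}],
}
SAMPLE_OS_DISK = {
    "name": "web01-os",
    "sku": {"name": "Premium_LRS"},
    "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                   "diskEncryptionSetId": "/subscriptions/<sub-id>/.../diskEncryptionSets/<des-name>"},
}

if __name__ == "__main__":
    posture = classify(SAMPLE_VM, SAMPLE_OS_DISK)
    print(f"{SAMPLE_VM['name']}: {posture.method}")
    for finding in posture.findings:
        print("  finding:", finding)
```

In practice you would feed `classify` with `json.loads(subprocess.run(["az", "vm", "show", ...]).stdout)` and the matching `az disk show` record; the point of keeping the logic separate from the CLI calls is that the same check can run over exported JSON in a pipeline without credentials.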

[Figure: Azure Key Vault]

Here is a comparison of SSE, ADE, and Encryption at Host.

[Figure: Comparison of SSE and ADE]






