Azure disk encryption is an important topic inside Azure. With this post I want to set some bases for myself, in order to have established which types of encryption are available in Azure regarding managed disks.
The main point is that currently we have two services available:
- The first one is Storage Service Encryption (SSE), which is performed by the storage service
- The second one is Azure Disk Encryption (ADE), which can be enabled on the OS and data disks of VMs
As you can imagine, both options are available for encryption purposes, with Microsoft-managed encryption keys with SSE or our own encryption keys (aka BYOK). But let's have a closer look at these services:
Storage Service Encryption (SSE): is enabled by default for all Managed Disks, Snapshots, and Images in all the regions where managed disks are available. By default, all new data written is automatically encrypted at rest with keys managed by Microsoft.
Azure Disk Encryption (ADE): allows you to encrypt the OS and data disks used by an IaaS Virtual Machine.
But there is more. Probably you are thinking: what happens with Windows and Linux servers? Are we getting the same encryption level? Let me throw some lines to explain that…
For Windows, the drives are encrypted using industry-standard BitLocker encryption technology.
Meanwhile, for Linux, the disks are encrypted using the DM-Crypt technology. The encryption process is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys.
Ok, I'm starting to understand what you are talking about, but what's the difference between SSE & ADE?
The main difference is that Azure Disk Encryption provides integration between OS-based solutions like BitLocker and DM-Crypt and Azure Key Vault, while Storage Service Encryption provides encryption natively at the Azure storage platform layer, below the virtual machine.
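To make the two layers concrete, here is an added check (my example, not part of the original post or any Microsoft tooling) that reads managed-disk JSON in the shape `az disk show` returns and reports, per disk, who holds the SSE key (`encryption.type`) and whether ADE is enabled and which Key Vault it points at (`encryptionSettingsCollection`). The two sample disks, the vault name and the subscription id are constructed placeholders.

```python
import json

# Constructed sample in the shape `az disk show` returns (only the encryption
# fields are kept); the vault id and secret URL are placeholders, not real resources.
SAMPLE_DISKS = json.loads("""
[
  {"name": "web01_OsDisk",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": {"enabled": true, "encryptionSettings": [
     {"diskEncryptionKey": {
        "secretUrl": "https://kv-example.vault.azure.net/secrets/osdisk-key/<version>",
        "sourceVault": {"id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-example"}}}]}},
  {"name": "web01_DataDisk_0",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey"},
   "encryptionSettingsCollection": null}
]
""")


def classify_disk(disk):
    """Report both layers for one managed disk: SSE key ownership and ADE state."""
    # SSE is always on for managed disks; encryption.type says who holds the key.
    sse_type = (disk.get("encryption") or {}).get("type", "EncryptionAtRestWithPlatformKey")
    sse_key = "customer-managed (BYOK)" if "CustomerKey" in sse_type else "Microsoft-managed"
    # ADE (BitLocker / DM-Crypt) is reported separately, with the Key Vault holding the key.
    ade = disk.get("encryptionSettingsCollection") or {}
    vaults = sorted({
        s["diskEncryptionKey"]["sourceVault"]["id"].rsplit("/", 1)[-1]
        for s in ade.get("encryptionSettings", []) if s.get("diskEncryptionKey")
    })
    return {"disk": disk["name"], "sse_key": sse_key,
            "ade": bool(ade.get("enabled")), "key_vaults": vaults}


def audit(disks):
    """Classify every disk and name the ones protected by SSE alone (no ADE)."""
    results = [classify_disk(d) for d in disks]
    return results, [r["disk"] for r in results if not r["ade"]]


if __name__ == "__main__":
    results, sse_only = audit(SAMPLE_DISKS)
    for r in results:
        print(r)
    print("Disks without ADE (SSE only):", sse_only)
```

Feed it the output of `az disk list` for a resource group and the second return value is the list of disks that rely on the platform layer only.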
That's all folks, till next time!