Azure Storage Encryption and Azure Disk Encryption – Demystified?

Developer Support

In this post, Sr. App Dev Manager Mark Pazicni lays out the capabilities of Azure Storage Service Encryption (SSE) and Azure Disk Encryption (ADE) to help clarify their applications.


With Azure Storage Service Encryption (SSE), your data is just encrypted.

New and existing Azure Storage Accounts are now 256-bit AES encrypted, so stored data is encrypted while it is at rest.

  • Supported in both Standard and Premium.
  • Supported in both ARM and classic Storage Accounts.
  • All the keys for the encryption are managed by Microsoft, or you can provide your own encryption keys.
  • All data within the Storage Account (blob, queue, table and files) is encrypted.
  • SSE does not affect performance.
  • Existing data in a Storage Account is now encrypted by a background process.
  • Only new data will be encrypted (new writes to the Storage Account).
  • You incur no additional cost.
  • On SSE-enabled Storage Accounts, data is decrypted upon read.
  • Because encryption is now on by default, there is no provision to disable encryption.
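The two SSE points a practitioner usually has to act on are "who holds the key" and "is every service in the account covered". The Azure PowerShell script below is an added example, not code from the original post or from Microsoft's documentation: it audits the key source and per-service encryption flags for every Storage Account in the current subscription, then moves one account from Microsoft-managed keys to a customer-managed key in Key Vault. It assumes the Az PowerShell module (the successor to AzureRM) and an existing resource group and Key Vault; the names rg-demo, stdemo, kv-demo and sse-key are placeholders.

```powershell
# Added example (not from the original post): audit SSE key handling for every
# Storage Account, then switch one account to a customer-managed key.
# Assumes the Az module; rg-demo, stdemo, kv-demo and sse-key are placeholders.

# 1. Audit. SSE is always on; what differs per account is the key source
#    (Microsoft.Storage = Microsoft-managed, Microsoft.Keyvault = customer key).
Get-AzStorageAccount | ForEach-Object {
    [pscustomobject]@{
        Account   = $_.StorageAccountName
        KeySource = $_.Encryption.KeySource
        Blob      = $_.Encryption.Services.Blob.Enabled
        File      = $_.Encryption.Services.File.Enabled
    }
} | Format-Table -AutoSize

# 2. Give the account a managed identity so it can use a key held in Key Vault.
$sa = Set-AzStorageAccount -ResourceGroupName 'rg-demo' -Name 'stdemo' -AssignIdentity

# 3. Grant that identity only wrap/unwrap/get on keys; it never needs key export.
Set-AzKeyVaultAccessPolicy -VaultName 'kv-demo' `
    -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys wrapkey, unwrapkey, get

# 4. Create the key encryption key and point the account at it.
$key = Add-AzKeyVaultKey -VaultName 'kv-demo' -Name 'sse-key' -Destination Software
Set-AzStorageAccount -ResourceGroupName 'rg-demo' -Name 'stdemo' `
    -KeyvaultEncryption `
    -KeyName $key.Name `
    -KeyVersion $key.Version `
    -KeyVaultUri (Get-AzKeyVault -VaultName 'kv-demo').VaultUri

# 5. Confirm the key source changed; the data stays encrypted throughout.
(Get-AzStorageAccount -ResourceGroupName 'rg-demo' -Name 'stdemo').Encryption.KeySource
```

The switch does not re-encrypt your data; it changes which key wraps the data-encryption keys, so the audit in step 1 is the check to repeat afterwards (and to schedule). For customer-managed keys the vault has to have soft delete and purge protection enabled, otherwise a deleted key makes the account's data unreadable.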


Azure Disk Encryption (ADE) encrypts both your OS and Data disks for IaaS VMs.

  • OS volume encryption protects boot volumes while at rest.
  • Data volume encryption protects data volumes while at rest.
  • Encryption of OS and data drives for Windows IaaS VMs can be disabled.
  • Encryption of data drives for Linux IaaS VMs can be disabled (only if the OS drive is not encrypted).
  • Azure Key Vault within the subscription is used to store the encryption keys and secrets.
  • Azure Backup Service can be used to back up and restore encrypted VMs.
  • Azure gallery supported images can be encrypted.
  • Customer VHDs must be pre-encrypted before being deployed to Azure.
  • Before encrypting a managed disk, a snapshot is required; otherwise unexpected failures could render the VM inaccessible.
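The bullets above describe one procedure: snapshot the managed disk, keep the keys and secrets in a Key Vault in the same subscription, enable encryption, then verify. The Azure PowerShell script below is an added example, not code from the original post or from Microsoft's documentation, and walks that procedure for an existing managed-disk Windows VM with a Key Encryption Key (KEK). It assumes the Az PowerShell module and an existing VM and resource group; rg-demo, vm-demo, kv-ade and ade-kek are placeholders.

```powershell
# Added example (not from the original post): enable Azure Disk Encryption on an
# existing managed-disk Windows VM, taking the snapshot the post calls for first.
# Assumes the Az module; rg-demo, vm-demo, kv-ade and ade-kek are placeholders.
$rg  = 'rg-demo'
$vm  = 'vm-demo'
$kv  = 'kv-ade'
$loc = (Get-AzResourceGroup -Name $rg).Location

# 1. Snapshot the managed OS disk before touching it: a failed encryption run on
#    a managed disk can leave the VM inaccessible, and this is the way back.
$osDisk = (Get-AzVM -ResourceGroupName $rg -Name $vm).StorageProfile.OsDisk
$cfg    = New-AzSnapshotConfig -SourceUri $osDisk.ManagedDisk.Id -Location $loc -CreateOption Copy
New-AzSnapshot -ResourceGroupName $rg -SnapshotName "$vm-os-pre-ade" -Snapshot $cfg | Out-Null

# 2. Key Vault in the same subscription and region holds the disk secrets and
#    the KEK. -EnabledForDiskEncryption lets the platform read them at boot.
$vault = New-AzKeyVault -Name $kv -ResourceGroupName $rg -Location $loc -EnabledForDiskEncryption
$kek   = Add-AzKeyVaultKey -VaultName $kv -Name 'ade-kek' -Destination Software

# 3. Enable ADE on OS and data volumes, wrapping the disk secret with the KEK.
#    The extension restarts the VM as part of enabling encryption.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType All

# 4. Verify: OsVolumeEncrypted and DataVolumesEncrypted should both read Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```

Step 4 is also the check to run before a backup or restore, since the post notes that Azure Backup handles both no-KEK and KEK VMs but the restore needs the same vault and key to still exist; protect the vault with soft delete so a deleted KEK does not turn the snapshot from step 1 into your only copy.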

Azure Disk Encryption is supported on the following Linux server distributions and versions:

Linux distribution   Version              Volume type supported for encryption
Ubuntu               16.04-DAILY-LTS      OS and data disk
Ubuntu               14.04.5-DAILY-LTS    OS and data disk
RHEL                 7.4                  Data disk*
RHEL                 7.3                  Data disk*
RHEL                 7.2                  Data disk*
RHEL                 6.8                  Data disk*
RHEL                 6.7                  Data disk*
CentOS               7.3                  OS and data disk
CentOS               7.2n                 OS and data disk
CentOS               6.8                  OS and data disk
CentOS               7.1                  Data disk
CentOS               7.0                  Data disk
CentOS               6.7                  Data disk
CentOS               6.6                  Data disk
CentOS               6.5                  Data disk
openSUSE             13.2                 Data disk
SLES                 12 SP1               Data disk
SLES                 Priority:12-SP1      Data disk
SLES HPC             12                   Data disk
SLES                 Priority:11-SP4      Data disk
SLES                 11 SP4               Data disk

Encryption scenarios

The Azure Disk Encryption solution supports the following customer scenarios:

  • Enable encryption on new IaaS VMs created from pre-encrypted VHD and encryption keys
  • Enable encryption on new IaaS VMs created from the supported Azure Gallery images
  • Enable encryption on existing IaaS VMs running in Azure
  • Disable encryption on Windows IaaS VMs
  • Disable encryption on data drives for Linux IaaS VMs
  • Enable encryption of managed disk VMs
  • Update encryption settings of an existing encrypted premium and non-premium storage VM
  • Backup and restore of encrypted VMs

The solution supports the following scenarios for IaaS VMs when they are enabled in Microsoft Azure:

  • Integration with Azure Key Vault
  • Standard tier VMs (A, D, DS, G, GS, F and similar series IaaS VMs)
  • Enable encryption on Windows/Linux IaaS VMs and managed disk VMs from the supported Azure Gallery images
  • Disable encryption on OS and data drives for Windows IaaS VMs and managed disk VMs
  • Disable encryption on data drives for Linux IaaS VMs and managed disk VMs
  • Enable encryption on IaaS VMs running Windows Client OS
  • Enable encryption on volumes with mount paths
  • Enable encryption on Linux VMs configured with disk striping (RAID) using mdadm
  • Enable encryption on Linux VMs using LVM for data disks
  • Enable encryption on Linux LVM 7.3 for OS and data disks
  • Enable encryption on Windows VMs configured with Storage Spaces
  • Update encryption settings of an existing encrypted premium and non-premium storage VM
  • Backup and restore of encrypted VMs, for both no-KEK and KEK scenarios (KEK – Key Encryption Key)
  • All Azure Public and AzureGov regions are supported

The solution does not support the following scenarios, features, and technology:

  • Basic tier IaaS VMs
  • Disabling encryption on an OS drive for Linux IaaS VMs
  • Disabling encryption on a data drive if the OS drive is encrypted for Linux IaaS VMs
  • IaaS VMs that are created by using the classic VM creation method
  • Enable encryption on Windows and Linux IaaS VMs; custom images are NOT supported
  • Integration with your on-premises Key Management Service
  • Azure Files (shared file system)
  • Network File System (NFS)
  • Dynamic volumes
  • Windows VMs that are configured with software-based RAID systems

Additional Links

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption#overview


Premier Support for Developers provides strategic technology guidance, critical support coverage, and a range of essential services to help teams optimize development lifecycles and improve software quality. Contact your Application Development Manager (ADM) or email us to learn more about what we can do for you.
