Forum Discussion
Azure Disk Encryption(ADE) vs Storage Side Encryption(SSE)
It could be helpful to respond to your question:
Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
For more references you could visit: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption
BR
Juan Goncalves
There is an awesome video covering this topic
https://youtu.be/EOXgzTqceok?t=925
In short:
SSE is better and newer than ADE
(with some minor exceptions like cache & data in transit encryption)
The new best practice is called host-based encryption. Still in preview as of writing
( https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal )
- Secguy03, Aug 30, 2021, Copper Contributor: The missing link! Awesome info, many thanks!
- deepakmishra, Aug 27, 2021, Copper Contributor:
egodigitus Haha - this is insane. I found the video 2 days ago and this clarified the questions I had a year ago.
Still can't believe the video was posted 6 months ago and I missed it.
John is the man!!!
Encryption at Host should cover most of the qualms around Disk Encryption. However, it doesn't address someone with the right permissions copying a VHD. This remains addressed only by ADE.
This can be resolved through creating a custom role that doesn't allow most users to export the VHD.
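As an added illustration of the custom-role approach above (this is example code, not from the thread or from Microsoft), the following offline model shows how an Azure RBAC role definition's Actions and NotActions are evaluated against a requested operation, and checks that a constructed "no export" role still permits everyday VM operations while refusing the disk and snapshot SAS-export operations. The operation names `Microsoft.Compute/disks/beginGetAccess/action` and `Microsoft.Compute/snapshots/beginGetAccess/action`, the role names, and the subscription scope are assumptions not stated in the thread; confirm the operation names against the Microsoft.Compute provider operations list before using the definition.

```python
"""
Added example (not part of the forum thread): an offline model of Azure RBAC
evaluation (Actions minus NotActions, '*' wildcards, case-insensitive
operation names) used to verify that a custom role blocks VHD export.

Assumptions (verify against the Microsoft.Compute provider operations list):
  * disk/snapshot export via SAS URI is gated by
    "Microsoft.Compute/disks/beginGetAccess/action" and
    "Microsoft.Compute/snapshots/beginGetAccess/action".
Role names and the subscription scope below are constructed placeholders.
"""
import re

# Constructed stand-in for a broad built-in role such as Contributor.
BROAD_ROLE = {
    "Name": "Example Broad Role (constructed)",
    "IsCustom": False,
    "Actions": ["*"],
    "NotActions": [],
}

# Custom role in the shape accepted by `az role definition create` /
# New-AzRoleDefinition: full Compute access, minus handing out SAS URIs.
NO_EXPORT_ROLE = {
    "Name": "VM Operator - No Disk Export (constructed)",
    "IsCustom": True,
    "Description": "Manage VMs and disks without the ability to export VHDs.",
    "Actions": [
        "Microsoft.Compute/*",
        "Microsoft.Network/*/read",
    ],
    "NotActions": [
        # Assumed operation names for 'Get Disk/Snapshot SAS URI' (VHD export).
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
    ],
    "AssignableScopes": ["/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>"],
}

EXPORT_OPERATIONS = (
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
)


def _pattern_matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """Effective permission: matched by at least one Action and by no NotAction."""
    granted = any(_pattern_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_pattern_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not denied


def export_blocked(role: dict) -> bool:
    """True when the role permits neither disk nor snapshot SAS export."""
    return not any(is_allowed(role, op) for op in EXPORT_OPERATIONS)


if __name__ == "__main__":
    sample_ops = [
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/disks/read",
        "Microsoft.Network/virtualNetworks/read",
        *EXPORT_OPERATIONS,
    ]
    for role in (BROAD_ROLE, NO_EXPORT_ROLE):
        print(role["Name"])
        for op in sample_ops:
            verdict = "allow" if is_allowed(role, op) else "deny"
            print(f"  {verdict:5} {op}")
        print(f"  export blocked: {export_blocked(role)}")
```

One caveat worth keeping in mind when applying this: a NotActions entry only subtracts from what the same role grants; it is not a deny. A user who also holds a second assignment (Contributor on the subscription, say) still gets the export action from that other role, so the check has to be run against every role assigned at the relevant scope, not just the custom one.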