Aug 15 2020 03:39 AM - last edited on May 24 2021 02:10 PM by TechCommunityAP
Wanted to pick everyone's brain on Azure Disk Encryption (ADE) vs Storage Side Encryption (SSE).
ADE vs SSE is a burning topic at work for me right now as we are trying to define what our standards should be.
SSE + CMK was launched in April 2020 which is said to be an improvement on ADE but Azure Security Center still flags you if you don't have ADE.
Also, MS came out with two new types of Disk Encryption - Encryption at Host and Double Encryption. Encryption at Host is supposed to be better than ADE but is incompatible with ADE.
There are not a lot of resources out there on this. I have scoured through whatever I could find.
Would love to hear thoughts on ADE and SSE. Do you think SSE + CMK is better than ADE?
Feb 12 2021 07:46 AM
@deepakmishra Hi, curious if you received any responses to your query. I'm in exactly the same boat and looking for information on changes/updates.
Thanks!
Apr 03 2021 06:04 PM
It could be helpful to respond to your question:
Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
More references you could visit: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption
BR
Juan Goncalves
Aug 26 2021 06:48 AM
There is an awesome video covering this topic
https://youtu.be/EOXgzTqceok?t=925
In short:
SSE is better and newer than ADE
(with some minor exceptions like cache & data in transit encryption)
The new best practice is called host-based encryption. Still in preview as of writing
( https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal )
Aug 26 2021 09:11 PM - edited Aug 26 2021 09:14 PM
@egodigitus Haha - this is insane. I found the video 2 days ago and this clarified the questions I had a year ago.
Still can't believe the video was posted 6 months ago and I missed it.
John is the man!!!
Encryption at Host should cover most of the qualms around Disk Encryption. However, it doesn't address someone with the right permissions copying a VHD. This remains addressed only by ADE.
This can be resolved through creating a custom role that doesn't allow most users to export the VHD.
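As an added example (not code from this thread or from Microsoft), here is a small audit script that classifies VMs by the encryption layers discussed above and builds the custom role that removes the VHD export path. It assumes the field layout that `az vm show` returns (`securityProfile.encryptionAtHost`, `storageProfile.osDisk.managedDisk.diskEncryptionSet.id`, ADE extension under `resources[]`); the VM records and the role scope are constructed samples.

```python
"""Audit Azure VM encryption posture from az vm show-shaped records (added example)."""

# RBAC operations that hand out a SAS URL for a disk or snapshot, i.e. the
# export path the post above describes. A custom role denies them via NotActions.
EXPORT_ACTIONS = [
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
]


def no_export_role(scope: str) -> dict:
    """Contributor-like custom role that cannot export VHDs (scope is an assumed value)."""
    return {
        "Name": "VM Contributor (no disk export)",
        "IsCustom": True,
        "Actions": ["Microsoft.Compute/*"],
        "NotActions": list(EXPORT_ACTIONS),
        "AssignableScopes": [scope],
    }


def vm_posture(vm: dict) -> dict:
    """Report which encryption layers one VM record has, and whether an exported VHD is readable."""
    ade = any(  # assumed field name for the extension type in az output
        str(ext.get("typePropertiesType", "")).startswith("AzureDiskEncryption")
        for ext in vm.get("resources") or []
    )
    at_host = bool((vm.get("securityProfile") or {}).get("encryptionAtHost"))
    os_disk = (vm.get("storageProfile") or {}).get("osDisk") or {}
    des = (os_disk.get("managedDisk") or {}).get("diskEncryptionSet") or {}
    return {
        "name": vm["name"],
        "ade": ade,
        "encryptionAtHost": at_host,
        "sse_cmk": bool(des.get("id")),
        # SSE and host encryption protect storage on the platform side; a VHD
        # exported by a privileged user is plaintext unless ADE (in-guest) is on.
        "export_readable": not ade,
    }


# Constructed sample records, not real az output
SAMPLE_VMS = [
    {"name": "vm-ade", "resources": [{"typePropertiesType": "AzureDiskEncryption"}],
     "securityProfile": {}, "storageProfile": {"osDisk": {"managedDisk": {}}}},
    {"name": "vm-host", "resources": [], "securityProfile": {"encryptionAtHost": True},
     "storageProfile": {"osDisk": {"managedDisk": {"diskEncryptionSet": {"id": "/des/sample"}}}}},
]

if __name__ == "__main__":
    for rec in SAMPLE_VMS:
        print(vm_posture(rec))
```

Run the posture check over real `az vm list -d -o json` output to find VMs that rely on platform-side encryption only, and assign the role with `az role definition create` where the export gap matters.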