Azure Disk Encryption(ADE) vs Storage Side Encryption(SSE)


Wanted to pick everyone's brain on Azure Disk Encryption(ADE) vs Storage Side Encryption(SSE).

ADE vs SSE is a burning topic at work for me right now as we are trying to define what our standards should be.


SSE + CMK was launched in April 2020 which is said to be an improvement on ADE but Azure Security Center still flags you if you don't have ADE.


Also, MS came out with two new types of Disk Encryption - Encryption at Host and Double Encryption. Encryption at Host is supposed to be better than ADE but is incompatible with ADE.


There are not a lot of resources out there on this. I have scoured through whatever I could find.


Would love to hear thoughts on ADE and SSE. Do you think SSE + CMK is better than ADE?

5 Replies

@deepakmishra Hi, curious if you received any responses to your query. I'm in exactly the same boat and looking for information on changes/updates.


Thanks!

@deepakmishra 

It could be helpful to respond to your question:
Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
For more references you could visit: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption


BR

Juan Goncalves

There is an awesome video covering this topic
https://youtu.be/EOXgzTqceok?t=925

In short:

SSE is better and newer than ADE

(with some minor exceptions like cache & data in transit encryption)

The new best practice is called host-based encryption. Still in preview as of writing
( https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal )
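The thread compares four mechanisms that show up on different Azure resources: the SSE key type is on the disk (`encryption.type`), ADE is on the disk as well (`encryptionSettingsCollection.enabled`), and encryption at host is on the VM (`securityProfile.encryptionAtHost`). The script below is an added example, not code from the thread or from Microsoft; it classifies an inventory using those field names as the Azure CLI (`az disk list`, `az vm show`) emits them, over a small constructed sample standing in for real CLI output. The conflict note relies on the point made in the thread that ADE and encryption at host cannot be combined.

```python
"""Classify the at-rest encryption posture of Azure managed disks.

Added example: reads JSON in the shape of `az disk list` / `az vm list`
output and labels each disk by SSE key type, ADE, and whether the VM it
is attached to has encryption at host enabled.
"""
import json

# Values of `encryption.type` on a managed disk in the Azure Compute API.
SSE_TYPES = {
    "EncryptionAtRestWithPlatformKey": "SSE-PMK",
    "EncryptionAtRestWithCustomerKey": "SSE-CMK",
    "EncryptionAtRestWithPlatformAndCustomerKeys": "SSE-double",
}

# Constructed sample data (not real resources); resource ids are made up.
_VM = "/subscriptions/sub0/resourceGroups/rg0/providers/Microsoft.Compute/virtualMachines/"
SAMPLE_DISKS = json.loads("""
[
  {"name": "web01-os", "managedBy": "%sweb01",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey"},
   "encryptionSettingsCollection": null},
  {"name": "legacy01-os", "managedBy": "%slegacy01",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
   "encryptionSettingsCollection": {"enabled": true}},
  {"name": "orphan-data", "managedBy": null,
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys"},
   "encryptionSettingsCollection": null},
  {"name": "bad01-os", "managedBy": "%sbad01",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey"},
   "encryptionSettingsCollection": {"enabled": true}}
]
""" % (_VM, _VM, _VM))
SAMPLE_VMS = [
    {"id": _VM + "web01", "securityProfile": {"encryptionAtHost": True}},
    {"id": _VM + "legacy01", "securityProfile": None},
    {"id": _VM + "bad01", "securityProfile": {"encryptionAtHost": True}},
]


def classify_disk(disk, vms_by_id):
    """Summarise one disk; `vms_by_id` maps lower-cased VM ids to VM records."""
    sse = SSE_TYPES.get((disk.get("encryption") or {}).get("type"), "unknown")
    # ADE (BitLocker / dm-crypt inside the guest) is recorded on the disk
    # resource independently of the storage-side key type.
    ade = bool((disk.get("encryptionSettingsCollection") or {}).get("enabled"))
    vm = vms_by_id.get((disk.get("managedBy") or "").lower())
    host = None
    if vm is not None:
        host = bool((vm.get("securityProfile") or {}).get("encryptionAtHost"))
    notes = []
    if ade and host:
        notes.append("ADE and encryption at host are mutually exclusive; review")
    if sse == "SSE-PMK":
        notes.append("platform-managed key; consider a disk encryption set for CMK")
    if vm is not None and not ade and not host:
        notes.append("attached VM has neither ADE nor encryption at host")
    return {"name": disk["name"], "sse": sse, "ade": ade,
            "encryptionAtHost": host, "attached": vm is not None, "notes": notes}


def posture(disks, vms):
    """Return {disk name: summary} for a whole inventory."""
    vms_by_id = {vm["id"].lower(): vm for vm in vms}
    return {d["name"]: classify_disk(d, vms_by_id) for d in disks}


if __name__ == "__main__":
    for rec in posture(SAMPLE_DISKS, SAMPLE_VMS).values():
        print(json.dumps(rec))
```

To run it against a real subscription, replace the two samples with `json.load()` of `az disk list -o json` and `az vm list -o json`; unattached disks (`managedBy` null) have no host-encryption state because that setting belongs to the VM.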

@egodigitus Haha - this is insane. I found the video 2 days ago and this clarified the questions I had a year ago.

Still can't believe the video was posted 6 months ago and I missed it.

John is the man!!!


Encryption at Host should cover most of the qualms around Disk Encryption. However, it doesn't address someone with the right permissions copying a VHD. This remains addressed only by ADE.

This can be resolved through creating a custom role that doesn't allow most users to export the VHD.
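Exporting a managed disk or snapshot goes through a SAS-grant operation, so a custom role can keep the operations a VM operator needs while withholding that one. The script below is an added example, not from the thread or from Microsoft: it builds a role definition in the JSON shape `az role definition create --role-definition role.json` accepts, with the two export actions (`Microsoft.Compute/disks/beginGetAccess/action`, `Microsoft.Compute/snapshots/beginGetAccess/action`) listed under `NotActions`, and includes a checker that evaluates a role the way Azure RBAC resolves Actions/NotActions (permitted when some Actions pattern matches and no NotActions pattern matches). The subscription id and role name are placeholders.

```python
"""Custom Azure RBAC role that withholds disk/snapshot export.

Added example. `NotActions` subtracts from this role only: a principal who
also holds Contributor or Owner at the same or a higher scope still gets
the export actions from that other assignment.
"""
import fnmatch
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not real

# Operations that hand out a SAS URI for reading disk or snapshot contents.
EXPORT_ACTIONS = [
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
]

ROLE = {
    "Name": "VM Operator (no disk export)",  # placeholder name
    "IsCustom": True,
    "Description": "Manage VMs, disks and snapshots without exporting their contents.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Compute/snapshots/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": list(EXPORT_ACTIONS),
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/" + SUBSCRIPTION_ID],
}


def _matches(action, patterns):
    # Azure RBAC action matching is case-insensitive and `*` spans segments,
    # which is exactly what fnmatch's `*` does (it also matches '/').
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def permits(role, action):
    """True if a single role definition grants the control-plane action."""
    return (_matches(action, role.get("Actions", []))
            and not _matches(action, role.get("NotActions", [])))


def export_blocked(role):
    """True only if the role grants none of the export actions."""
    return not any(permits(role, a) for a in EXPORT_ACTIONS)


def write_role(path="role.json"):
    """Write the definition for `az role definition create --role-definition`."""
    with open(path, "w") as fh:
        json.dump(ROLE, fh, indent=2)
    return path


if __name__ == "__main__":
    print(json.dumps(ROLE, indent=2))
    print("export blocked:", export_blocked(ROLE))
```

The checker is also useful the other way round: feed it `az role definition list -o json` entries to find which roles in the tenant still grant `beginGetAccess` (a role whose `Actions` is `["*"]`, such as Contributor, does).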

The missing link! Awesome info, many thanks!