Encryption in Az - Confusion

%3CLINGO-SUB%20id%3D%22lingo-sub-1516602%22%20slang%3D%22en-US%22%3EEncryption%20in%20Az%20-%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1516602%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone.%20I%20did%20not%20know%20how%20to%20answer%20these%20questions%20so%20maybe%20some%20of%20you%20have%20experiences%20with%20encryption.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20The%20wording%20is%20quite%20difficult.%20Is%20Service-side%20enryption%20%3D%20Storage%20Service%20Encryption%3F%20Both%20use%20the%20SSE.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E2.%20In%20the%20constraints%20i%20saw%20%22%3CSPAN%3EManaged%20disks%20encrypted%20using%20customer-managed%20keys%20cannot%20also%20be%20encrypted%20with%20Azure%20Disk%20Encryption.%22.%20Why%20that%3F%20As%20i%20know%2C%20SSE%20with%20CMK%20and%20ADE%20are%20not%20same%20things%2C%20right%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E3.%20The%20abbreviation%20KEK%20is%20confusing.%20I%20thought%20that's%20what%20is%20used%20in%20SSE%20(the%20CMK)%20respectively%20during%20ADE%20(when%20I%20add%20a%20key%20to%20the%20key%20vault%20and%20use%20it%20for%20the%20disk%20encryption).%20Now%20i%20saw%20there%20is%20in%20premium%20key%20vault%20the%20option%20%22KEK%20for%20BYOK%22.%20Whats%20the%20difference%2C%20what%20is%20the%20KEK%20now%3F%20For%20what%20do%20i%20need%20that%20KEK%20for%20BYOK%20if%20i%20already%20have%20my%20KEK%20as%20i%20added%20key%20in%20key%20vault%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E4.%20It%20is%20recommended%20to%20use%20a%20key%20in%20key%20vault%20for%20ADE%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1516602%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EKey%20Vault%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1590500%22%20slang%3D%22en-US%22%3ERe%3A%20Encryption%20in%20Az%20-%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1590500%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F725866%22%20target%3D%22_blank%22%3E%40marekatai%3C%2FA%3E%26nbsp%3BGreat%20questions.%20I%20have%20similar%20questions%20on%20SSE%20and%20ADE.%20I%20will%20try%20my%20best%20to%20give%20my%20thoughts%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E1.%20The%20wording%20is%20quite%20difficult.%20Is%20Service-side%20enryption%20%3D%20Storage%20Service%20Encryption%3F%20Both%20use%20the%20SSE.%3CBR%20%2F%3E-%26gt%3B%20It%20is%20confusing.%20And%20for%20the%20SSE%20referred%20to%20here%2C%20both%20are%20correct.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EService-side%20encryption%20is%20anything%20that%20Azure%20does%20to%20encrypt%20the%20disk.%20Azure%20is%20taking%20care%20of%20the%20encryption%20technology%20as%20opposed%20to%20us%20taking%20care%20of%20it%20which%20would%20be%20client-side%20encryption.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20way%20in%20which%20Azure%20does%20Service-side%20encryption(SSE)is%20through%26nbsp%3BStorage%20Service%20Encryption(SSE).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E2.%20In%20the%20constraints%20i%20saw%20%22%3C%2FSPAN%3E%3CSPAN%3EManaged%20disks%20encrypted%20using%20customer-managed%20keys%20cannot%20also%20be%20encrypted%20with%20Azure%20Disk%20Encryption.%22.%20Why%20that%3F%20As%20i%20know%2C%20SSE%20with%20CMK%20and%20ADE%20are%20not%20same%20things%2C%20right%3F%3CBR%20%2F%3E-%26gt%3B%20Big%20debate%2C%20for%20me%20at%20least.%20Which%20is%20better%20-%20ADE%20or%20SSE.%20They%20are%20definitely%20different%20things.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ESSE%20happens%20at%20the%20storage%20account%20level.%20SSE%2BCMK%20just%20means%20that%20you%20can%20bring%20your%20own%20key%20to%20encryption%20the%20platform%20keys.%3CBR%20%2F%3EADE%20happens%20at%20OS%20disk%20level.%20You%20can%20have%20KEK%20for%20ADE%20as%20well.%3CBR%20%2F%3EThis%20link%20can%20help%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.sanganakauthority.com%2F2020%2F01%2Fazure-vm-disk-encryption-storage-side.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.sanganakauthority.com%2F2020%2F01%2Fazure-vm-disk-encryption-storage-side.html%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20The%20abbreviation%20KEK%20is%20confusing.%20I%20thought%20that's%20what%20is%20used%20in%20SSE%20(the%20CMK)%20respectively%20during%20ADE%20(when%20I%20add%20a%20key%20to%20the%20key%20vault%20and%20use%20it%20for%20the%20disk%20encryption).%20Now%20i%20saw%20there%20is%20in%20premium%20key%20vault%20the%20option%20%22KEK%20for%20BYOK%22.%20Whats%20the%20difference%2C%20what%20is%20the%20KEK%20now%3F%20For%20what%20do%20i%20need%20that%20KEK%20for%20BYOK%20if%20i%20already%20have%20my%20KEK%20as%20i%20added%20key%20in%20key%20vault%3F%3CBR%20%2F%3E-%26gt%3B%20This%20scenario%20helps%20with%20bringing%20your%20own%20keys%20for%20added%20security%20and%20compliance%20considerations.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fkeys%2Fhsm-protected-keys-byok%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fkeys%2Fhsm-protected-keys-byok%3C%2FA%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSPAN%3E4.%20It%20is%20recommended%20to%20use%20a%20key%20in%20key%20vault%20for%20ADE%3F%3C%2FSPAN%3E%3CBR%20%2F%3E-%26gt%3B%20I'll%20tell%20you%20what%20I've%20been%20hearing%20-%20'Depends%20on%20your%20use%20case'.%20It%20really%20does.%20If%20you're%20from%2C%20Security%2C%20you'll%20probably%20have%20to%20define%20when%20to%20use%20SSE%20or%20ADE.%20If%20you're%20a%20dev%20or%20architect%2C%20you%20should%20be%20aware%20that%20these%20things%20exist%2C%20how%20they%20work%20and%20help%20explain%20this.%3CBR%20%2F%3EIn%20terms%20of%20whether%20the%20key%20is%20secure%20in%20Key%20Vault%2C%20I%20think%20so.%20The%20scenarios%20where%20it%20wouldn't%20be%20safe%20are%20unimaginably%20thin.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EHope%20this%20helped.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi everyone. I did not know how to answer these questions so maybe some of you have experiences with encryption.

 

1. The wording is quite difficult. Is Service-side enryption = Storage Service Encryption? Both use the SSE. 

2. In the constraints i saw "Managed disks encrypted using customer-managed keys cannot also be encrypted with Azure Disk Encryption.". Why that? As i know, SSE with CMK and ADE are not same things, right?

3. The abbreviation KEK is confusing. I thought that's what is used in SSE (the CMK) respectively during ADE (when I add a key to the key vault and use it for the disk encryption). Now i saw there is in premium key vault the option "KEK for BYOK". Whats the difference, what is the KEK now? For what do i need that KEK for BYOK if i already have my KEK as i added key in key vault?

 

4. It is recommended to use a key in key vault for ADE?

 

Kind regards

1 Reply

@marekatai Great questions. I have similar questions on SSE and ADE. I will try my best to give my thoughts this.

 

1. The wording is quite difficult. Is Service-side enryption = Storage Service Encryption? Both use the SSE.
-> It is confusing. And for the SSE referred to here, both are correct.

Service-side encryption is anything that Azure does to encrypt the disk. Azure is taking care of the encryption technology as opposed to us taking care of it which would be client-side encryption. 

The way in which Azure does Service-side encryption(SSE)is through Storage Service Encryption(SSE).

 

2. In the constraints i saw "Managed disks encrypted using customer-managed keys cannot also be encrypted with Azure Disk Encryption.". Why that? As i know, SSE with CMK and ADE are not same things, right?
-> Big debate, for me at least. Which is better - ADE or SSE. They are definitely different things.

SSE happens at the storage account level. SSE+CMK just means that you can bring your own key to encryption the platform keys.
ADE happens at OS disk level. You can have KEK for ADE as well.
This link can help - https://www.sanganakauthority.com/2020/01/azure-vm-disk-encryption-storage-side.html

3. The abbreviation KEK is confusing. I thought that's what is used in SSE (the CMK) respectively during ADE (when I add a key to the key vault and use it for the disk encryption). Now i saw there is in premium key vault the option "KEK for BYOK". Whats the difference, what is the KEK now? For what do i need that KEK for BYOK if i already have my KEK as i added key in key vault?
-> This scenario helps with bringing your own keys for added security and compliance considerations.
https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok


4. It is recommended to use a key in key vault for ADE?
-> I'll tell you what I've been hearing - 'Depends on your use case'. It really does. If you're from, Security, you'll probably have to define when to use SSE or ADE. If you're a dev or architect, you should be aware that these things exist, how they work and help explain this.
In terms of whether the key is secure in Key Vault, I think so. The scenarios where it wouldn't be safe are unimaginably thin.


Hope this helped.