cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Encryption in Az - Confusion

marekatai
Copper Contributor

‎Jul 11 2020 02:35 PM - last edited on ‎May 24 2021 03:26 PM by

‎Jul 11 2020 02:35 PM - last edited on ‎May 24 2021 03:26 PM by

Encryption in Az - Confusion

Hi everyone. I did not know how to answer these questions so maybe some of you have experiences with encryption.

 

1. The wording is quite difficult. Is Service-side enryption = Storage Service Encryption? Both use the SSE. 

2. In the constraints i saw "Managed disks encrypted using customer-managed keys cannot also be encrypted with Azure Disk Encryption.". Why that? As i know, SSE with CMK and ADE are not same things, right?

3. The abbreviation KEK is confusing. I thought that's what is used in SSE (the CMK) respectively during ADE (when I add a key to the key vault and use it for the disk encryption). Now i saw there is in premium key vault the option "KEK for BYOK". Whats the difference, what is the KEK now? For what do i need that KEK for BYOK if i already have my KEK as i added key in key vault?

 

4. It is recommended to use a key in key vault for ADE?

 

Kind regards

1,651 Views
1 Like
1 Reply
Reply
1 Reply
deepakmishra

‎Aug 15 2020 03:54 AM

‎Aug 15 2020 03:54 AM

Re: Encryption in Az - Confusion

@marekatai Great questions. I have similar questions on SSE and ADE. I will try my best to give my thoughts this.

 

1. The wording is quite difficult. Is Service-side enryption = Storage Service Encryption? Both use the SSE.
-> It is confusing. And for the SSE referred to here, both are correct.

Service-side encryption is anything that Azure does to encrypt the disk. Azure is taking care of the encryption technology as opposed to us taking care of it which would be client-side encryption. 

The way in which Azure does Service-side encryption(SSE)is through Storage Service Encryption(SSE).

 

2. In the constraints i saw "Managed disks encrypted using customer-managed keys cannot also be encrypted with Azure Disk Encryption.". Why that? As i know, SSE with CMK and ADE are not same things, right?
-> Big debate, for me at least. Which is better - ADE or SSE. They are definitely different things.

SSE happens at the storage account level. SSE+CMK just means that you can bring your own key to encryption the platform keys.
ADE happens at OS disk level. You can have KEK for ADE as well.
This link can help - https://www.sanganakauthority.com/2020/01/azure-vm-disk-encryption-storage-side.html

3. The abbreviation KEK is confusing. I thought that's what is used in SSE (the CMK) respectively during ADE (when I add a key to the key vault and use it for the disk encryption). Now i saw there is in premium key vault the option "KEK for BYOK". Whats the difference, what is the KEK now? For what do i need that KEK for BYOK if i already have my KEK as i added key in key vault?
-> This scenario helps with bringing your own keys for added security and compliance considerations.
https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok


4. It is recommended to use a key in key vault for ADE?
-> I'll tell you what I've been hearing - 'Depends on your use case'. It really does. If you're from, Security, you'll probably have to define when to use SSE or ADE. If you're a dev or architect, you should be aware that these things exist, how they work and help explain this.
In terms of whether the key is secure in Key Vault, I think so. The scenarios where it wouldn't be safe are unimaginably thin.


Hope this helped.

 

0 Likes
Reply