Encryption in Az - Confusion


Hi everyone. I did not know how to answer these questions, so maybe some of you have experience with encryption.

1. The wording is quite difficult. Is Service-side encryption = Storage Service Encryption? Both use the SSE.

2. In the constraints I saw "Managed disks encrypted using customer-managed keys cannot also be encrypted with Azure Disk Encryption." Why is that? As far as I know, SSE with CMK and ADE are not the same things, right?

3. The abbreviation KEK is confusing. I thought that's what is used in SSE (the CMK) and, respectively, during ADE (when I add a key to the key vault and use it for the disk encryption). Now I saw that in the premium key vault there is the option "KEK for BYOK". What's the difference, what is the KEK now? What do I need that KEK for BYOK for if I already have my KEK, as I added a key in the key vault?

4. Is it recommended to use a key in key vault for ADE?

Kind regards

0 Replies