User Profile
deepakmishra
Copper Contributor
Joined Apr 16, 2020
Recent Discussions
Re: Azure Disk Encryption(ADE) vs Storage Side Encryption(SSE)
egodigitus Haha - this is insane. I found the video 2 days ago and this clarified the questions I had a year ago. Still can't believe the video was posted 6 months ago and I missed it. John is the man!!! Encryption at Host should cover most of the qualms around Disk Encryption. However, it doesn't address someone with the right permissions copying a VHD. This remains addressed only by ADE. This can be resolved through creating a custom role that doesn't allow most users to export the VHD.

14K Views | 1 Like | 0 Comments

Azure Disk Encryption(ADE) vs Storage Side Encryption(SSE)
Wanted to pick everyone's brain on Azure Disk Encryption(ADE) vs Storage Side Encryption(SSE). ADE vs SSE is a burning topic at work for me right now as we are trying to define what our standards should be. SSE + CMK was launched in April 2020 which is said to be an improvement on ADE but Azure Security Center still flags you if you don't have ADE. Also, MS came out with two new types of Disk Encryption - Encryption at Host and Double Encryption. Encryption at Host is supposed to be better than ADE but is incompatible with ADE. There are not a lot of resources out there on this. I have scoured through whatever I could find. Would love to hear thoughts on ADE and SSE. Do you think SSE + CMK is better than ADE?

18K Views | 1 Like | 5 Comments

Re: Encryption in Az - Confusion
marekatai Great questions. I have similar questions on SSE and ADE. I will try my best to give my thoughts on this.

1. The wording is quite difficult. Is Service-side encryption = Storage Service Encryption? Both use the SSE.
-> It is confusing. And for the SSE referred to here, both are correct. Service-side encryption is anything that Azure does to encrypt the disk. Azure is taking care of the encryption technology as opposed to us taking care of it, which would be client-side encryption. The way in which Azure does Service-side encryption (SSE) is through Storage Service Encryption (SSE).

2. In the constraints I saw "Managed disks encrypted using customer-managed keys cannot also be encrypted with Azure Disk Encryption.". Why that? As I know, SSE with CMK and ADE are not the same things, right?
-> Big debate, for me at least. Which is better, ADE or SSE? They are definitely different things. SSE happens at the storage account level. SSE+CMK just means that you can bring your own key to encrypt the platform keys. ADE happens at OS disk level. You can have a KEK for ADE as well. This link can help - https://www.sanganakauthority.com/2020/01/azure-vm-disk-encryption-storage-side.html

3. The abbreviation KEK is confusing. I thought that's what is used in SSE (the CMK) respectively during ADE (when I add a key to the key vault and use it for the disk encryption). Now I saw there is in premium key vault the option "KEK for BYOK". What's the difference, what is the KEK now? For what do I need that KEK for BYOK if I already have my KEK as I added a key in key vault?
-> This scenario helps with bringing your own keys for added security and compliance considerations. https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok

4. Is it recommended to use a key in key vault for ADE?
-> I'll tell you what I've been hearing - 'Depends on your use case'. It really does. If you're from Security, you'll probably have to define when to use SSE or ADE. If you're a dev or architect, you should be aware that these things exist, how they work, and help explain this. In terms of whether the key is secure in Key Vault, I think so. The scenarios where it wouldn't be safe are unimaginably thin. Hope this helped.

1.9K Views | 0 Likes | 0 Comments
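The custom-role mitigation mentioned in the first reply above (keeping most users from exporting a VHD), written out as an added example that is not from any poster in this thread: it clones the built-in Contributor role and withholds the managed-disk and snapshot export operations. The role name and the subscription ID are placeholders.

```powershell
# Added example (not from the thread). Clone the built-in Contributor role and
# remove the operations that issue an export SAS for managed disks and snapshots.
# Requires the Az PowerShell module and an authenticated session (Connect-AzAccount).
$subscriptionId = "<SUBSCRIPTION-ID>"                        # placeholder

$role = Get-AzRoleDefinition -Name "Contributor"
$role.Id = $null                                             # a new definition needs a fresh Id
$role.IsCustom = $true
$role.Name = "Contributor - No Disk Export"                  # assumed role name
$role.Description = "Contributor without the ability to export managed disks or snapshots"

# beginGetAccess is the operation that hands out the read SAS used to download a VHD.
$role.NotActions.Add("Microsoft.Compute/disks/beginGetAccess/action")
$role.NotActions.Add("Microsoft.Compute/snapshots/beginGetAccess/action")

$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

New-AzRoleDefinition -Role $role

# Confirm the stored definition carries the two exclusions.
(Get-AzRoleDefinition -Name $role.Name).NotActions
```

NotActions only subtracts from this one role; a principal that also holds Owner, Contributor or another assignment granting these operations can still export, so the role is only effective if those broader assignments are reviewed at the same time.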