Types of VM Disk Encryptions in Azure

 In Azure, you have three main options for encrypting your virtual machine (VM) disks:

  1. Server-Side Encryption (SSE): Encrypts your disks at the storage account level, at rest. Default, always enabled, can’t turn off.
  2. Azure Disk Encryption (ADE): Encrypts your disks at the VM OS level. Use BitLocker for Windows VMs and DM-Crypt for Linux VMs. Data encrypt during transit
  3. Encryption at Host (EAH): Encrypt your temporary disk and cache at the host. Doesn't use your VM's CPU and doesn't impact your VM's performance. Truly end-to-end encryption

Article content

  1. Server-Side Encryption (SSE):

  • Type: Transparent data encryption at rest.
  • Functionality: Encrypts your VM disks (OS and data) automatically when persisted on the Azure storage servers.
  • Key Management:Default: Uses platform-managed keys controlled by Microsoft. Optional: You can configure customer-managed keys stored in Azure Key Vault for greater control.
  • Benefits: Easiest to use with minimal configuration. Highly secure as encryption keys are not on the VMs.Supports both platform-managed and customer-managed keys.
  • Limitations: Doesn't encrypt temporary disks or disk caches. Not suitable for encrypting data in transit or while the VM is running.

Article content

  1. Azure Disk Encryption (ADE):

  • Type: Guest VM encryption.
  • Functionality: Leverages the built-in encryption features of the guest operating system (BitLocker for Windows, DM-Crypt for Linux) to encrypt disks within the VM itself.
  • Key Management: Requires customer-managed keys stored securely in Azure Key Vault.
  • Benefits: Provides more control over encryption with customer-managed keys. Potentially encrypts beyond disks depending on the guest OS encryption tool.
  • Limitations: More configuration and setup compared to SSE. May introduce slight performance overhead due to VM-side encryption/decryption. Not supported for VMs using Premium SSD v2 disks.

Article content

  1. Encryption at Host (EAH):

  • Type: Hypervisor-based encryption. (Note: EAH and ADE are mutually exclusive)
  • Functionality: The Azure Hypervisor intercepts disk writes from the VM and encrypts them before sending them to storage. Decryption happens similarly when data is read from storage.
  • Key Management: Uses platform-managed keys controlled by Microsoft.
  • Benefits: Provides strong encryption for data at rest and in transit.Offloads encryption/decryption tasks from the VM for potentially better performance compared to ADE.
  • Limitations: Not as widely supported as SSE or ADE. Limited to specific VM sizes and series. You cannot use ADE with EAH because both rely on encrypting the disks.

Article content

Choosing the Right Option:

  • For most scenarios, use SSE with platform-managed keys: It's simple, secure, and requires minimal configuration.
  • If you need maximum control over encryption keys or potentially want to encrypt additional VM components: Choose ADE with customer-managed keys.
  • For specific cases requiring encryption of temporary disks and considering the limitations: Explore EAH, but be aware of compatibility and cost factors.

Remember, the best choice depends on your specific security needs, desired level of control, and VM compatibility.

Comments

Post a Comment

Popular posts from this blog

Extend the Life of Windows Server 2012/2012 R2 with Azure Arc and SCCM Integration

  Challenge: Maintaining security for Windows Server 2012/2012 R2 after end-of-support by deploying Extended Security Updates (ESUs). Leveraging existing SCCM infrastructure for update deployment while simplifying ESU management. Solution: This approach combines the strengths of SCCM and Azure Arc to achieve a streamlined ESU deployment process for on-premises Windows servers. SCCM: Trusted Patch Management: SCCM remains your familiar tool for deploying updates, including ESUs, to your Windows servers. SCCM integrates well with WSUS for efficient update distribution. Azure Arc: Centralized ESU Management: Onboard eligible Windows servers (2012 & 2012 R2) to Azure Arc. Important: Update Azure Arc agent to version 1.34 or later for ESU support. Purchase and manage ESU licenses directly through Azure Arc (optional, simplifies licensing). Assign ESU licenses to your Azure Arc-enabled servers for simplified tracking. Workflow: Azure Arc manages ESU licensing and assignment. SCCM...
Read more

High Availability vs. Disaster Recovery in Cloud: Key Differences Explained

Image
What is the difference between HA & DR in Cloud?   Both High Availability (HA) and Disaster Recovery (DR) are important concepts in cloud computing that aim to keep your systems and data up and running. However, they address different scenarios and have distinct approaches. High Availability (HA) focuses on preventing downtime caused by isolated failures within the cloud system itself. This could include hardware malfunctions, software glitches, or network disruptions. HA achieves this by designing systems with redundancies, meaning there are backups in place to take over if a primary component fails. This can involve: Redundant servers: Having multiple servers running the same application, so if one fails, the others can pick up the load. Clustering: Grouping multiple servers so they act as a single unit. This allows for automatic failover to a healthy server if one goes down. Load balancing: Distributing traffic across multiple servers to prevent overloading any single se...
Read more

Understanding App Registration vs. Enterprise Application in Microsoft Entra ID

  In Microsoft Entra ID (formerly Azure Active Directory (AAD)) , both App registration and Enterprise application registration are essential components for configuring applications that interact with Azure services or other applications. They serve distinct purposes within the application setup process. App registration: Creates a globally unique application object, also known as an app registration. This object defines the core details of your application, such as its name and what it does. It also generates an application (client) ID used for identification. Think of it as the blueprint for your application. You perform app registration in the Azure portal under " App registrations ". Enterprise application registration (Service principal): Represents a specific instance of an application (created via app registration) within a particular  Microsoft Entra ID (formerly Azure Active Directory (AAD))  tenant (your organization's tenant). This creates a service p...
Read more