Deciding on Encryption at Rest for an Azure Virtual Machine

I have been getting more familiar with the encryption-at-rest capabilities in Azure for virtual machines (VMs). This post covers two options: Storage Service Encryption (SSE) and Disk Encryption.

Initially I opted for Storage Service Encryption due to its sheer simplicity. This is done by enabling encryption when you initially provision the storage account. After setting it up, I proceeded to other configuration items, one of which is setting up backups via the Azure Recovery Vault. Turns out that encrypted backups in the Recovery Vault are not (yet?) supported for VMs encrypted with only Storage Service Encryption (as of Feb 2017).

Next I decided to investigate Disk Encryption because it supports encrypted backups in the Recovery Vault. It's more complex to set up because you need a Service Principal in AAD, as well as Azure Key Vault integration. (More details on that in my next post.)

Here is a quick summary of the differentiators between Storage Service Encryption and Disk Encryption that I am aware of:

Storage Service Encryption

  • Controlled by storage account administrator
  • Encryption is either on or off for the whole storage account (every file in it)
  • Encrypts only data written after the point in time at which encryption is enabled (i.e., doesn't encrypt existing data)
  • Backups in Recovery Vault are not encrypted

Disk Encryption

  • Controlled by virtual machine owner
  • Encrypts the operating system disk as well as the data volumes (which are actually stored in Azure Storage)
  • Offers more control - for example, if two VMs share one storage account, one VM could have disk encryption and the other not
  • Is a prerequisite for VMs backed up to the Recovery Vault to be encrypted <--the meaningful one for me

The documentation does state that both types of encryption can work together. However, if you enable Disk Encryption and Storage Service Encryption is already in place, then data will be encrypted twice. I opted not to do this.
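The following audit script is an added example, not code from the original post. It assumes the Az PowerShell module and an active Connect-AzAccount session (in the post's Feb 2017 timeframe the equivalent AzureRM cmdlets were Get-AzureRmVM, Get-AzureRmVMDiskEncryptionStatus and Get-AzureRmStorageAccount); the function name Get-VmEncryptionAtRestReport is my own. For each VM whose disks live in a storage account it reports whether Disk Encryption and Storage Service Encryption are on and flags the two states discussed above: VMs with no Disk Encryption (whose Recovery Vault backups will not be encrypted) and VMs encrypted twice.

```powershell
# Added example (not from the original post). Requires the Az module and a
# signed-in session (Connect-AzAccount). Only VMs with unmanaged, storage-
# account-backed disks are inspected, since those are the ones SSE applies to.
function Get-VmEncryptionAtRestReport {
    # All storage accounts in the current subscription, looked up once
    $accounts = Get-AzStorageAccount

    foreach ($vm in Get-AzVM) {
        $vhdUri = $vm.StorageProfile.OsDisk.Vhd.Uri
        if (-not $vhdUri) { continue }   # managed disk: no user storage account, skip

        # Azure Disk Encryption state for this VM (OS and data volumes)
        $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        $adeOs = $status.OsVolumeEncrypted -eq 'Encrypted'

        # The storage account name is the first DNS label of the VHD URI host
        $accountName = ([System.Uri]$vhdUri).Host.Split('.')[0]
        $account = $accounts | Where-Object StorageAccountName -eq $accountName
        # SSE for blobs on that account (newer accounts always report $true)
        $sseBlob = [bool]$account.Encryption.Services.Blob.Enabled

        $finding = if ($adeOs -and $sseBlob) { 'ADE + SSE: data is encrypted twice' }
                   elseif ($adeOs)          { 'ADE only: Recovery Vault backups can be encrypted' }
                   elseif ($sseBlob)        { 'SSE only: Recovery Vault backups are not encrypted' }
                   else                     { 'No encryption at rest' }

        [pscustomobject]@{
            VM             = $vm.Name
            ResourceGroup  = $vm.ResourceGroupName
            StorageAccount = $accountName
            OsVolumeADE    = $status.OsVolumeEncrypted
            DataVolumesADE = $status.DataVolumesEncrypted
            StorageSSE     = $sseBlob
            Finding        = $finding
        }
    }
}

# Example usage: tabular report of every storage-account-backed VM
Get-VmEncryptionAtRestReport | Format-Table -AutoSize
```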

What you want to see for your VM after disk encryption is enabled (you can click the Columns button to add the Disk Encryption column):

What you want to see in Azure Recovery Vault after disk encryption is enabled:

In my next post I'll share the PowerShell scripts I used for enabling Azure Disk Encryption + setting up the prerequisites for the Service Principal in AAD and Azure Key Vault integration.
