Encrypting Azure VMs using Azure Disk Encryption and Azure Key Vault — Joe's Tech Space (2024)

A while ago, when I was studying for the AZ-500 exam, I spent a fair chunk of time understanding Azure Disk Encryption (ADE) and Server Side Encryption (SSE), so I figured I’d come back and write up a post explaining and demonstrating it for those who might be in the same boat I was in!

First, let’s get into the details about key management.

Platform Managed Keys and Customer Managed Keys

There are two types of encryption keys: platform-managed keys (PMK) and customer-managed keys (CMK).

With PMKs, Azure manages the encryption keys for you. All data (disks, snapshots, images) is automatically encrypted at rest with PMKs.

With CMKs, the customer (you) manages the encryption keys. You store these keys in an Azure Key Vault. You can import your own RSA keys into Key Vault or create new RSA keys in Key Vault.

Key differences between Azure Disk Encryption and Server Side Encryption

To put it simply, Server Side Encryption encrypts your disks at rest, at the storage account level. When the VM writes data to the disk, that data is transmitted back to the underlying storage account unencrypted and is then encrypted at the storage account level.

Azure Disk Encryption encrypts your disks at the Azure hypervisor level using in-guest OS encryption such as BitLocker for Windows VMs and dm-crypt for Linux VMs. The data is transmitted back to the underlying storage account already encrypted. Essentially, ADE encrypts your data end-to-end, whereas SSE only encrypts it at the storage end.

Server Side Encryption is always enabled. You cannot turn it off as it’s a platform-level feature.

Which one should I use?

I’m afraid the answer, as with a lot of Microsoft things, is: “It depends.”

It depends on your organisation’s security and compliance requirements. If your organisation must ensure that all organisation data is encrypted at rest, then SSE is suitable. If, however, you must ensure that data is encrypted end-to-end, that it’s encrypted using your own encryption keys, or that you can regularly rotate (change) the encryption keys, then ADE will be what you need.

How do I set up SSE?

By doing absolutely nothing. Just create a VM and it’ll be done automatically by the Azure platform.

Here’s a screenshot of the disks of a VM encrypted with SSE only:

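For contrast, this is what setting up ADE looks like when you want your own key-encryption key (KEK) in Key Vault and the ability to rotate it later. This is an added Azure PowerShell example, not code from the original post; the resource group, VM and vault names are placeholders, and it assumes the Az module is installed, you have run Connect-AzAccount, and your account is allowed to create keys in the vault (access policy or Key Vault Crypto Officer role).

```powershell
# Added example: enable Azure Disk Encryption on an existing Windows VM using a
# customer-managed KEK in Key Vault, then verify the encryption status.
# All names below are placeholders for your own resources.
$rg        = 'rg-ade-demo'        # placeholder resource group
$vmName    = 'vm-ade-demo'        # placeholder VM; must be a supported size and OS
$vaultName = 'kv-ade-demo-001'    # placeholder; Key Vault names are globally unique
$kekName   = 'ade-kek'
$location  = (Get-AzResourceGroup -Name $rg).Location

# 1. A Key Vault that ADE is allowed to store BitLocker secrets in.
#    Purge protection matters: if the KEK is deleted and purged, the
#    encrypted disks can no longer be unlocked.
$kv = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
        -EnabledForDiskEncryption -EnablePurgeProtection
}

# 2. The customer-managed RSA key used as the KEK that wraps the per-VM
#    BitLocker key. Running this again with the same name creates a new
#    key version, which is how you rotate the KEK (re-run step 3 afterwards).
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination 'Software'

# 3. Enable ADE. VolumeType All covers OS, data and temporary disks.
#    The extension reboots the VM and can take several minutes to complete.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType 'All' -Force

# 4. Verify: both properties should report 'Encrypted' once the extension finishes.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted
if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    Write-Warning "OS disk on $vmName is not yet reported as encrypted: $($status.OsVolumeEncrypted)"
}
```

The status check is also the quickest way to tell an ADE-encrypted VM from one that only has SSE: a VM with SSE alone reports the OS volume as NotEncrypted here, even though the underlying managed disk is encrypted at rest by the platform.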

FAQs

What type of encryption does Azure Disk Encryption provide for Azure Virtual Machines?

Azure Disk Encryption for Windows VMs uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disks. Additionally, it provides encryption of the temporary disk when the VolumeType parameter is All.

Can you enable Disk Encryption by using BitLocker and Key Vault?

Yes. Azure Disk Encryption uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Which type of encryption is used for Azure Linux VM disks?

Azure Disk Encryption for Linux virtual machines (VMs) uses the dm-crypt feature of Linux to provide full disk encryption of the OS disk and data disks.

Which Azure resource must be created first before encrypting virtual machine disks?

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets, so the Key Vault must exist first.

How do I encrypt a VM disk in Azure?

In the Azure portal, when creating the virtual machine: under Encryption settings > Disks to encrypt, select OS and data disks. Under Encryption settings, choose Select a key vault and key for encryption. On the Select key from Azure Key Vault screen, select Create New.

What is the Azure policy for Disk Encryption?

Server-side encryption: Azure managed disks automatically encrypt your data by default when persisting it to the cloud. Server-side encryption protects your data and helps you meet your organizational security and compliance commitments.

How do I encrypt data using Azure Key Vault?

  1. Prerequisites.
  2. Assign a role to your Microsoft Entra user.
  3. Set up your project.
  4. Set environment variable.
  5. Add a key in Azure Key Vault.
  6. Create key and key resolver instances.
  7. Configure encryption options.
  8. Configure client object to use client-side encryption.

What is the difference between Azure Disk Encryption and encryption at host?

Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, aren't encrypted through Azure Storage.

What are the benefits of Azure Disk Encryption?

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows.

Which key is used during the encryption process in Azure?

The keys used for Azure Data Encryption-at-Rest, for instance, are PMKs by default. Customer-managed keys (CMK), on the other hand, are keys read, created, deleted, updated, and/or administered by one or more customers. Keys stored in a customer-owned key vault or hardware security module (HSM) are CMKs.

What is VM Disk Encryption?

Encrypting the OS disk ensures that data remains inaccessible without the encryption key, deterring unauthorized access even if the disk is stolen. It adds an additional layer of security by preventing unauthorized access to data even if someone gains access to the VM through RDP.

What are the different types of Disk Encryption?

There are two main computer encryption types: full disk encryption and file-level encryption. Full Disk Encryption (FDE) or whole disk encryption protects the entire volume and all files on the drive against unauthorized access.

Which of the following Azure services supports Azure Disk Encryption for your Virtual Machines?

Azure Disk Encryption uses BitLocker to provide full disk encryption on Azure virtual machines running Windows. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets in your key vault subscription.

How do I secure my Azure virtual machine?

Help protect your virtual machines from viruses and malware: use antimalware software from major security vendors such as Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to help protect your virtual machines from malicious files, adware, and other threats.

What is the most secure way to connect to an Azure VM?

A bastion host provides secure and seamless Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over SSL. When you connect via a bastion host, your VMs don't need a public IP address, and you don't need to use network security groups to expose access to RDP on TCP port 3389.

What type of encryption is used for Azure Linux VM disks?

Azure Disk Encryption for Linux VMs uses the dm-crypt feature of Linux to provide full disk encryption of the OS disk and data disks. Additionally, it provides encryption of the temporary disk when using the EncryptFormatAll feature.

What type of encryption does Azure Files use?

All data stored in Azure Files is encrypted at rest using Azure storage service encryption (SSE).


Article information

Author: Reed Wilderman
