Does Batch use encrypted local storage?

  • Question

  • I couldn't find any information in documentation or by Googling, so I'm asking here:

    Are the Batch node disks (where the OS is and the job/task data is stored) encrypted? If someone broke into the datacenter and stole a disk, would they see plain text or just encrypted nonsense?

    Thanks for clarifying

    Monday, April 24, 2017 11:35 AM

All replies

  • Hi Maik,

    CloudServiceConfiguration compute nodes use Classic Cloud Service (PaaS) worker roles, so no, they are not encrypted.

    VirtualMachineConfiguration compute nodes do not encrypt the OS disk by default either. However, if you are using a User Subscription Batch Account, you should be able to use Azure Disk Encryption on the Batch VMs. Additionally, right now, since custom image support uses page blob VHDs directly, you can enable SSE on the storage accounts hosting the page blob VHDs (however, please be aware of issues surrounding SSE and managed disks).



    Wednesday, May 3, 2017 5:04 PM
  • However, if you are using a User Subscription Batch Account, you should be able to use Azure Disk Encryption on the Batch VMs.

    Hi Fred,

    Can you expand on that point? How exactly do you enable encryption when using the User Subscription mode?

    In general, however, I'd like to keep using the Batch service mode, as it doesn't pollute the subscription with all the VM resources and groups. Is there any advantage to using the User Subscription mode?


    Monday, May 8, 2017 8:21 AM
  • Hi Maik,

    There are two ways to enable this with User Subscription mode:

    1. Bring your own custom image. Enable Storage Service Encryption (SSE) on the storage accounts hosting your page blob VHDs *prior* to compute pool allocation (or even prior to VHD creation, so it applies to the base VHD as well). Note that managed disks are currently not supported with SSE, so you need to take care with this interaction if you are also using managed disks. This is probably the easiest path forward if you need to ensure that the OS disk is encrypted.
    2. With a marketplace image (platform), there are two ways to do this, both of which are not the easiest to deploy or manage (deploying the Azure Disk Encryption extension or enabling SSE manually on the storage accounts used by the pools).

    Also, I just wanted to correct your original post: Azure Batch job and task data is not stored on the OS disk. That data is stored on the temporary ephemeral disk local to the node.



    Wednesday, May 10, 2017 3:47 PM
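A pre-flight check for option 1 in the reply above, added here as an example; it is not code from this thread, from Azure Batch or from the Azure CLI. It takes the JSON that `az storage account show` returns for each storage account hosting a custom-image page blob VHD (a constructed sample is embedded below, using the ARM `encryption.services.blob.enabled` / `lastEnabledTime` fields), plus each VHD blob's last-modified time as the Blob service reports it, and flags any VHD whose account has blob SSE off or whose VHD was written before SSE was switched on, which is why the reply says to enable SSE before the VHD is created. Function names, account names and timestamps are my own assumptions.

```python
"""Check that every custom-image VHD used by a Batch pool sits in a storage
account with blob SSE enabled, and that SSE was enabled before the VHD was
written (SSE covers only data written after it is turned on).

Added example; the sample data below is constructed, not taken from a real
subscription.
"""
import json
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: trimmed `az storage account show -n <name>` output for
# three accounts. Field names follow the ARM StorageAccount resource.
ACCOUNTS_JSON = """
{
  "imgstorage01": {
    "name": "imgstorage01",
    "encryption": {
      "keySource": "Microsoft.Storage",
      "services": {
        "blob": {"enabled": true, "lastEnabledTime": "2017-04-01T09:00:00.000000+00:00"}
      }
    }
  },
  "imgstorage02": {
    "name": "imgstorage02",
    "encryption": {
      "keySource": "Microsoft.Storage",
      "services": {
        "blob": {"enabled": true, "lastEnabledTime": "2017-05-09T18:30:00.000000+00:00"}
      }
    }
  },
  "imgstorage03": {
    "name": "imgstorage03",
    "encryption": null
  }
}
"""

# Constructed sample: VHD URL -> last-modified time of the page blob, as
# reported by the Blob service (x-ms-last-modified / `az storage blob show`).
VHD_LAST_MODIFIED = {
    "https://imgstorage01.blob.core.windows.net/vhds/batch-base.vhd":
        "2017-04-20T12:00:00+00:00",
    "https://imgstorage02.blob.core.windows.net/vhds/batch-base.vhd":
        "2017-05-01T12:00:00+00:00",   # written before SSE was switched on
    "https://imgstorage03.blob.core.windows.net/vhds/batch-base.vhd":
        "2017-05-01T12:00:00+00:00",   # account never had SSE
}


def load_accounts():
    """Parse the (constructed) `az storage account show` output."""
    return json.loads(ACCOUNTS_JSON)


def account_name_from_vhd_url(url):
    """The storage account name is the first DNS label of the blob endpoint."""
    host = urlparse(url).hostname or ""
    return host.split(".")[0]


def blob_sse_enabled_since(account):
    """Return when blob SSE was last enabled on the account, or None if it is off."""
    enc = account.get("encryption") or {}
    blob = (enc.get("services") or {}).get("blob") or {}
    if not blob.get("enabled"):
        return None
    return datetime.fromisoformat(blob["lastEnabledTime"])


def check_vhd(url, accounts, last_modified):
    """Return (url, status, reason) for one page blob VHD."""
    name = account_name_from_vhd_url(url)
    acct = accounts.get(name)
    if acct is None:
        return (url, "UNKNOWN", "no account metadata for %s" % name)
    since = blob_sse_enabled_since(acct)
    if since is None:
        return (url, "FAIL", "blob SSE is not enabled on %s" % name)
    written = datetime.fromisoformat(last_modified[url])
    if written < since:
        # Data written before SSE was enabled stays in clear; re-copy the VHD
        # into the account so the new blob is written under SSE.
        return (url, "FAIL", "VHD written %s, before SSE was enabled %s; re-copy it"
                % (written.isoformat(), since.isoformat()))
    return (url, "OK", "SSE on since %s" % since.isoformat())


def check_all(vhd_urls, accounts, last_modified):
    return [check_vhd(u, accounts, last_modified) for u in vhd_urls]


def pool_is_safe_to_allocate(results):
    """Only allocate the pool when every VHD it references passed."""
    return all(status == "OK" for _, status, _ in results)


def run_sample_check():
    """Run the check over the constructed sample data."""
    return check_all(list(VHD_LAST_MODIFIED), load_accounts(), VHD_LAST_MODIFIED)


if __name__ == "__main__":
    results = run_sample_check()
    for url, status, reason in results:
        print("%-7s %s  (%s)" % (status, url, reason))
    print("safe to allocate pool:", pool_is_safe_to_allocate(results))
```

Run it before the pool is created, with the real `az storage account show` and `az storage blob show` output substituted for the samples. It only inspects metadata; it does not prove what is on the physical platter, and it says nothing about the managed-disk interaction the reply warns about, which you still have to verify separately.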
  • OK, so in summary, there is no simple way to enable encryption if you want to use a standard marketplace image. I have the feeling that it would be an easy thing to integrate into the Batch service itself, exposed via a simple check box. Is that a planned feature, and if not, can that be put on the roadmap?
    Saturday, May 13, 2017 2:06 PM