Azure Disk Encryption vs Storage Service Encryption

  • Question

  • Hi,

    I see there are already several posts on this topic, but they don't seem very clear to me. The way I understand it, ADE is more like OS-level encryption (software encryption?) while SSE is at the storage level (hardware encryption). Is that correct?

    My Security Center says my VM disks are not encrypted and should be encrypted with ADE. They are managed disks. Aren't they SSE-encrypted already? Or does SSE only apply to other types of storage?

    Hopefully someone can clear up my questions. Thank you.

    Monday, August 12, 2019 11:53 PM

All replies

  • Microsoft uses the Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

    Perfect Forward Secrecy (PFS) protects connections between customers’ client systems and Microsoft cloud services by unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination makes it difficult for someone to intercept and access data that is in transit.

    If I am correct, you are asking how Azure data encryption works? If I am wrong, please correct me.

    Managed keys are maintained by Microsoft.

    Disclaimer: This response contains a reference to a third party World Wide Web site. 

    Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. 

    ADE:

    Basically, if any data is put on an encrypted drive, that data automatically becomes encrypted. With ADE specifically, if you encrypt your data disk or OS disk and attach it to an unencrypted VM, you will have to unlock that drive before accessing it. The unlock process requires Key Vault access and certain user permissions.

    Using that unencrypted VM with the encrypted drive, if unencrypted data is copied to the encrypted drive, that data will then be encrypted automatically.

    SSE:

    Azure Storage provides a comprehensive set of security capabilities that together enable developers to build secure applications: Azure Storage Security Guide

    This article describes best practices for data security and encryption.

    For detailed information on Azure Storage encryption for data at rest you may refer to this article.

    If I've read your post correctly, you're asking about the physical security of HDDs. Please refer to Azure Fundamentals - Physical Security, more specifically: Data Bearing Devices and Equipment Disposal.

    Data bearing devices

    Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped, we use a destruction process that destroys it and renders the recovery of information impossible. This destruction process can be to disintegrate, shred, pulverize, or incinerate. We determine the means of disposal according to the asset type. We retain records of the destruction.

    Equipment disposal

    Upon a system's end-of-life, Microsoft operational personnel follow rigorous data handling and hardware disposal procedures to assure that hardware containing your data is not made available to untrusted parties. We use a secure erase approach for hard drives that support it. For hard drives that can’t be wiped, we use a destruction process that destroys the drive and renders the recovery of information impossible. This destruction process can be to disintegrate, shred, pulverize, or incinerate. We determine the means of disposal according to the asset type. We retain records of the destruction. All Azure services use approved media storage and disposal management services.

    "My Security Center says my VM disks are not encrypted and should be encrypted with ADE, They are managed disks. Aren't they SSE-encrypted already? Or SSE only applies to other types of storage? "

    If you are using Storage Account Encryption, the Storage Account is encrypted when data is at rest. A VHD is not at rest when the VM is running, thus we have BitLocker encryption for Windows, and there are solutions for Linux VMs.

    So WITHOUT BitLocker or OS-level disk encryption, just like with on-prem VMs, you can have a rogue admin steal that VHD and move it anywhere they like (imagine someone having a copy of your AD NTDS.DIT file). Even on-prem, if your SAN does native encryption, that doesn't stop anyone from taking that VHD and running away with it via a snapshot or file copy while the machine is running.

    Also, think about backup and restores. If I back up a storage account and the DESTINATION is not encrypted, if I am using OS level encryption, I am still protected.

    BitLocker is at the OS level, encrypting volumes for OS disks, which is why it uses a touch of CPU when it is enabled: the VM itself has to encrypt and decrypt the volumes it is accessing.

    - If a disk is physically stolen and it is ADE encrypted, then you aren't going to get anything from it unless you have credentials.
    - If a VHD file is leaked, then again you aren't going to get anything without credentials.

    SSE, assuming it uses hardware encryption entangled with the array the drive is in:

    - If a disk is physically stolen, then you aren't going to get anything, because the key for hardware encryption often contains information related to its array. No array, no key, no breaking in, even with admin account credentials.
    - If a VHD file is leaked, then you are a bit hosed, because you decrypted the thing when you downloaded it. The VHD itself is not encrypted; the hardware device it is on is.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Tuesday, August 13, 2019 5:54 AM
    Moderator
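The distinction the reply draws (service-side SSE on the managed disk versus guest-side ADE inside the VM) can be checked per disk from the Azure CLI. The script below is an added example and not code from the thread or from Microsoft: it assumes `az` is installed and logged in, that `az vm encryption show` lists each managed disk under `disks[]` with a status code such as `EncryptionState/encrypted` or `EncryptionState/notEncrypted` (the managed-disk output shape), and that `encryption.type` on a managed disk reports the SSE layer. The names `classify_disk` and `report_vm_disks` are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: report which encryption layers cover each
# managed disk attached to a VM, using Azure CLI (`az`, already logged in).
# Assumption: `az vm encryption show` lists each managed disk under `disks[]`
# with a status code such as "EncryptionState/encrypted" (ADE present) or
# "EncryptionState/notEncrypted"; `encryption.type` on a managed disk reports
# the SSE layer (platform key, customer-managed key, or both).
set -eu

# classify_disk SSE_TYPE [ADE_CODE] -> verdict on stdout (pure, testable offline)
classify_disk() {
  sse_type="$1"; ade_code="${2:-}"
  case "$sse_type" in
    EncryptionAtRestWithPlatformKey)             sse="sse:platform-key" ;;
    EncryptionAtRestWithCustomerKey)             sse="sse:customer-key" ;;
    EncryptionAtRestWithPlatformAndCustomerKeys) sse="sse:double" ;;
    *)                                           sse="sse:unknown" ;;
  esac
  case "$ade_code" in
    # Guest-level encryption (BitLocker/dm-crypt) sits on top of SSE: a copied
    # VHD is still ciphertext without the Key Vault secret.
    EncryptionState/encrypted) echo "ade+$sse" ;;
    # SSE only: the service decrypts transparently, so a copied VHD is plaintext.
    *)                         echo "$sse" ;;
  esac
}

# report_vm_disks RESOURCE_GROUP VM_NAME -> one "<disk>\t<verdict>" line per disk
report_vm_disks() {
  rg="$1"; vm="$2"
  # ADE status per disk name; empty if the ADE extension was never installed.
  ade_tsv=$(az vm encryption show -g "$rg" -n "$vm" \
              --query "disks[].[name, statuses[0].code]" -o tsv 2>/dev/null || true)
  # Managed-disk resource IDs: OS disk first, then data disks.
  os_id=$(az vm show -g "$rg" -n "$vm" \
            --query "storageProfile.osDisk.managedDisk.id" -o tsv)
  data_ids=$(az vm show -g "$rg" -n "$vm" \
            --query "storageProfile.dataDisks[].managedDisk.id" -o tsv)
  for id in $os_id $data_ids; do
    name="${id##*/}"
    sse_type=$(az disk show --ids "$id" --query "encryption.type" -o tsv)
    ade_code=$(printf '%s\n' "$ade_tsv" | awk -F'\t' -v n="$name" '$1 == n { print $2 }')
    printf '%s\t%s\n' "$name" "$(classify_disk "$sse_type" "$ade_code")"
  done
}

# Usage: ./disk-enc-report.sh <resource-group> <vm-name>
if [ "$#" -eq 2 ]; then
  report_vm_disks "$1" "$2"
fi
```

Every managed disk will report some `sse:` value, because SSE cannot be turned off; only a disk whose verdict starts with `ade+` also has the guest-side layer, which is the layer Security Center's "should be encrypted with ADE" finding is about. `az vm encryption enable --resource-group <rg> --name <vm> --disk-encryption-keyvault <vault>` is the command that adds it.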
  • Thanks for the info. However, my question is essentially this: since managed disks have SSE enabled by default, is there any point in adding ADE on top of the managed disks?

    Thanks,

    Tuesday, August 13, 2019 10:45 PM
  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    Storage Service Encryption (SSE), now known as Azure Storage Encryption, is enabled by default on storage accounts. This means that all data within your storage account is encrypted at rest. As stated in our public-facing documentation, "Azure Storage encryption is similar to BitLocker encryption on Windows"; this doesn't mean it's the same.

    "Azure Storage Encryption is enabled for all new and existing storage accounts and cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage Encryption."

    In summary, Azure Disk Encryption (ADE) uses BitLocker to encrypt OS-level volumes, such as the OS disk and any added data disks. Storage Encryption only encrypts the storage account. It's up to the customer's security needs whether they want to use ADE for OS-level encryption or just continue to use storage encryption.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Thursday, August 22, 2019 4:34 AM
    Moderator
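The practical consequence of the summary above is the leaked-VHD case from the earlier reply: SSE is transparent to anyone who can read the disk through the service, so a downloaded image shows the plaintext filesystem, while an ADE volume shows a BitLocker or LUKS header instead. The check below is an added example, not code from the thread: `hex_at`, `volume_kind` and `make_samples` are names chosen here, the three sample images are constructed inline, and the optional OFFSET must be the byte offset of the volume inside the image (0 for a raw partition dump; the first partition's start, as reported by `fdisk -l` or `parted`, for a whole-disk image).

```shell
#!/bin/sh
# Added example, not from the thread: tell whether a disk image pulled out of
# Azure carries guest-level (ADE) encryption or only ever relied on SSE.
# Assumptions: POSIX sh with od and printf; OFFSET is the byte offset of the
# volume (0 for a raw partition image, the partition start for a whole disk).
set -eu

# hex_at FILE OFFSET LEN -> lowercase hex of LEN bytes read at OFFSET
hex_at() {
  od -An -tx1 -v -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# volume_kind FILE [OFFSET] -> bitlocker | luks | plaintext
volume_kind() {
  f="$1"; off="${2:-0}"
  # BitLocker volumes carry the OEM id "-FVE-FS-" at byte 3 of the boot sector.
  if [ "$(hex_at "$f" $((off + 3)) 8)" = "2d4656452d46532d" ]; then
    echo bitlocker
  # LUKS1/LUKS2 headers start with the magic bytes "LUKS" 0xba 0xbe.
  elif [ "$(hex_at "$f" "$off" 6)" = "4c554b53babe" ]; then
    echo luks
  # Anything else (NTFS/ext4 boot sector, etc.) is readable as-is: SSE never
  # leaves ciphertext in the bytes a reader downloads.
  else
    echo plaintext
  fi
}

# make_samples DIR: three constructed images (first bytes of a boot sector only)
make_samples() {
  dir="$1"
  printf '\353\122\220NTFS    ' > "$dir/plain.img"      # jump + NTFS OEM id
  printf '\353\130\220-FVE-FS-' > "$dir/bitlocker.img"  # jump + BitLocker OEM id
  printf 'LUKS\272\276\000\001'  > "$dir/luks.img"       # LUKS magic + version
}

# Usage: ./volume-kind.sh <image> [offset]
if [ "$#" -ge 1 ]; then
  volume_kind "$1" "${2:-0}"
fi
```

A `plaintext` verdict on an image that came out of an SSE-only storage account is exactly the "you decrypted the thing when you downloaded it" outcome; a `bitlocker` or `luks` verdict means the copy is useless without the Key Vault material ADE stored for the volume. The check only reads the volume header, so it says nothing about whether the key was protected well, only which layer the bytes depend on.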
  • @AZLearner Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Friday, August 23, 2019 5:53 AM
    Moderator