encryption of VM disks

  • Question

  • Hi - I know that Azure storage accounts are encrypted by default, using Microsoft managed keys... but it seems that, for example, Azure Standard HDD disks are not encrypted by default... which is fair enough... and I know that the term "HDD" doesn't apply to any one specific spindle (i.e. the physical storage is RAID'd and pooled etc.), but what happens when any one single spindle at the bottom layer does fail and gets sent off for repair or disposal... my question is this... at the moment that any given failed HDD is removed from a storage array, if said HDD did actually contain any stripes from my "unencrypted" virtual Azure "Standard HDD" service, would that actual data stripe still be unencrypted on the failed physical HDD that was physically removed from the underlying storage array?

    Thank you.

    Thursday, August 1, 2019 8:30 AM

Answers

  • If I've read your post correctly, you're asking about the physical security of HDDs. Please refer to Azure Fundamentals - Physical Security, more specifically: Data Bearing Devices and Equipment Disposal.

    Data bearing devices

    Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped, we use a destruction process that destroys it and renders the recovery of information impossible. This destruction process can be to disintegrate, shred, pulverize, or incinerate. We determine the means of disposal according to the asset type. We retain records of the destruction.

    Equipment disposal

    Upon a system's end-of-life, Microsoft operational personnel follow rigorous data handling and hardware disposal procedures to assure that hardware containing your data is not made available to untrusted parties. We use a secure erase approach for hard drives that support it. For hard drives that can’t be wiped, we use a destruction process that destroys the drive and renders the recovery of information impossible. This destruction process can be to disintegrate, shred, pulverize, or incinerate. We determine the means of disposal according to the asset type. We retain records of the destruction. All Azure services use approved media storage and disposal management services.

    Hope this answers your concern.

    Thursday, August 1, 2019 9:04 AM

All replies

  • Ok - instead of a physical question... maybe all I need to know is how the data is managed at a service layer - e.g. government standards etc.
    Thursday, August 1, 2019 9:36 AM
  • That ticks all the boxes.  Thank you.
    Thursday, August 1, 2019 1:26 PM
  • Adding more information to the above query: Microsoft uses the Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

    Perfect Forward Secrecy (PFS) protects connections between customers’ client systems and Microsoft cloud services by unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination makes it difficult for someone to intercept and access data that is in transit.

    If I am correct, you are looking for how Azure data encryption works? If I am wrong, please correct me.

    Managed keys are maintained by Microsoft.

    Disclaimer: This response contains a reference to a third party World Wide Web site. 

    Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. 

    ADE:

    Basically, if any data is put on an encrypted drive, that data automatically becomes encrypted. With ADE specifically, if you encrypted your data disk or OS disk and attach it to an unencrypted VM, you will have to unlock that drive before accessing it. The unlock process requires Key Vault access and certain user permissions.

    When using that unencrypted VM with the encrypted drive, any unencrypted data copied to the encrypted drive will then be encrypted automatically.

    SSE:

    Azure Storage provides a comprehensive set of security capabilities that together enable developers to build secure applications: Azure Storage Security Guide

    This article describes best practices for data security and encryption.

    For detailed information on Azure Storage encryption for data at rest you may refer to this article.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue. 
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Friday, August 2, 2019 5:15 AM
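A way to check the SSE/ADE state of managed disks that the reply above discusses, as an added example that is not part of this thread: it parses the JSON that `az disk list -o json` returns (a constructed sample is embedded; the `encryption.type` values and the `encryptionSettingsCollection.enabled` flag are assumed field names) and flags disks that rely on the platform-managed key alone.

```python
import json

# Constructed sample shaped like `az disk list -o json` output (not real data).
SAMPLE_DISK_LIST = json.dumps([
    {"name": "web01_OsDisk", "sku": {"name": "Standard_LRS"},
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
     "encryptionSettingsCollection": None},
    {"name": "web01_data0", "sku": {"name": "Standard_LRS"},
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
     "encryptionSettingsCollection": {"enabled": True}},          # ADE applied
    {"name": "db01_data0", "sku": {"name": "Premium_LRS"},
     "encryption": {"type": "EncryptionAtRestWithCustomerKey"},  # SSE with CMK
     "encryptionSettingsCollection": None},
])

PLATFORM_KEY = "EncryptionAtRestWithPlatformKey"


def classify_disk(disk):
    """Reduce one disk record to its SSE key type and whether ADE is enabled."""
    sse = (disk.get("encryption") or {}).get("type") or "unknown"
    ade = bool((disk.get("encryptionSettingsCollection") or {}).get("enabled"))
    return {"name": disk["name"],
            "sku": (disk.get("sku") or {}).get("name", "unknown"),
            "sse": sse, "ade": ade}


def review_disks(disk_list_json, require_customer_key=False):
    """Return (rows, findings). A finding is raised when no SSE type is
    reported, or, with require_customer_key, when a disk is protected by the
    platform-managed key alone (no customer-managed key and no ADE)."""
    rows = [classify_disk(d) for d in json.loads(disk_list_json)]
    findings = []
    for r in rows:
        if r["sse"] == "unknown":
            findings.append(f"{r['name']}: no server-side encryption type reported")
        elif require_customer_key and r["sse"] == PLATFORM_KEY and not r["ade"]:
            findings.append(f"{r['name']}: platform-managed key only, no CMK or ADE")
    return rows, findings


if __name__ == "__main__":
    rows, findings = review_disks(SAMPLE_DISK_LIST, require_customer_key=True)
    for r in rows:
        print(f"{r['name']:<14} {r['sku']:<13} SSE={r['sse']:<40} ADE={r['ade']}")
    for f in findings:
        print("FINDING:", f)
```

Pipe real output in with `az disk list -o json > disks.json` and pass the file contents to `review_disks`; set `require_customer_key=False` if a platform-managed key is acceptable for your policy.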
  • Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Wednesday, August 7, 2019 5:43 AM
  • Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Thursday, August 8, 2019 7:39 AM
  • @Gijs Kerstens Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Monday, August 26, 2019 5:41 AM
  • I think you're a bit confused in relation to this topic. sdo123 already stated he got the information he needed.

    ---On the road to MVP---

    Monday, August 26, 2019 7:40 AM