Azure Storage Service Encryption (SSE) Vs Azure Key Vault for encrypting data at rest


  • Hi All

    One quick question: we attached an extra disk to our VM and we have enabled the option Azure Storage Service Encryption (SSE) at the Premium storage account of that disk.
    The files placed on that disk are encrypted at rest, right, to fulfill organizational security and compliance commitments?
    Or do we need to have Key Vault set up for that disk to encrypt data at rest on that disk?



    Surendra Thota

    Friday, April 14, 2017 10:48 AM

All replies

  • The basic difference between these two encryption techniques, i.e. disk encryption and storage service encryption, is that disk encryption is used to directly encrypt the data on the disk used by VMs, and storage service encryption ensures the encrypted data in storage accounts (Page, Block and Append blobs).

    Also, Azure Storage Service Encryption is managed by Microsoft, meaning that you will not have any control over the encryption keys and their management. However, if you have already placed the data disk within a storage account which has SSE enabled, the data in the storage account will be encrypted.

    You can take a closer look at the Azure storage security guide here and make an appropriate choice based on your organization's compliance needs.

    Bhushan

    Friday, April 14, 2017 12:14 PM