locked
Is Azure Cloud Service Local Storage encrypted? RRS feed

  • Question

  • Is Azure Cloud Service Local Storage encrypted?

    I would like to utilize Local Storage for my worker role as a scratch disk for image manipulation. I'm currently using an encrypted Azure file share, but the performance isn't great. I'm concerned that if I start using Local Storage my data may not be encrypted at rest. I haven't been able to find definitive information about encryption and Local Storage.

    Microsoft clearly allows blob and file services to encrypt data using Storage Service Encryption (SSE) and its trivial to enable this via the Azure Portal.

    When configuring local storage in the cloud service definition I don't see any options related to encryption. There's also no mention of Local Storage in the Azure data at rest white paper.

    It looks like Azure Disk Encryption supports encrypting both OS and data drives, but again, I didn't see any mention of Local Storage or PaaS in the Azure Disk Encryption page.

    Thursday, August 17, 2017 6:21 PM

Answers

  • The disk encryption feature is currently in Preview for PAAS v2 i.e VMScaleSet but this isn’t supported for V1 services in old Paas Services.

    ------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Saturday, August 19, 2017 2:16 PM

All replies

  • Scratch disk doesn’t use azure storage.

    You may refer to the Understanding the temporary drive on Windows Azure Virtual Machines

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Thursday, August 17, 2017 6:45 PM
  • Sumanth, I think you misunderstood my problem statement.  I would like to use cloud service local storage as a temporary drive (aka scratch disk) for my worker role performing image manipulation.  Utilizing local storage for this is fairly trivial.  However, the images I am manipulating may be protected health information ("PHI") and so the data must be encrypted at rest.  The link you provided makes no mention of encryption. 


    Thursday, August 17, 2017 6:55 PM
  • Hi Micheal

    So, make sure your data is in Azure Storage and then go to Storage Account portal (Not Disk portal).Then you will see the Encryption.

    SSE is used to encrypt data in Azure Blob storage. The Azure Disk Encryption is used to encrypt OS and Data disks in IaaS VMs. And you can see the detail about Comparison of Azure Disk Encryption, SSE, and Client-Side Encryption

    More about Azure Storage Service Encryption for Data at Rest refer to this link:

    Azure Storage Service Encryption for Data at Rest




    • Proposed as answer by Wayne.Yang Friday, August 18, 2017 6:19 AM
    • Edited by Wayne.Yang Friday, August 18, 2017 6:23 AM
    • Unproposed as answer by Michael.Richards Friday, August 18, 2017 12:33 PM
    Friday, August 18, 2017 6:16 AM

  • Thanks Yang, those links do contain good information, but unless I'm badly misunderstanding something Cloud Service Local Storage is completely separate from Azure Storage accounts.  We are currently using a storage account to host with an encrypted file share.  However, the performance of this for high volume I/O such as image manipulation is quite poor.  

    Azure Cloud Services can be configured with Local Storage - this is a HDD or SSD attached the VM that Azure spins up to host your worker role or web role.  The Local Storage is not managed through the Azure portal it gets configured through the cloud service definition file.


    Friday, August 18, 2017 12:33 PM
  • Hi,

    scratch disks is the same as passthrough disks onprem, I don't believe that you can enable encryption in this case


    Cheers Christophe - Kindly click Mark as Answer on the post that helps you - www.cloudcrusader.com

    Friday, August 18, 2017 12:43 PM
  • The disk encryption feature is currently in Preview for PAAS v2 i.e VMScaleSet but this isn’t supported for V1 services in old Paas Services.

    ------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Saturday, August 19, 2017 2:16 PM