Difference between ADE and SSE


  • Azure Disk Encryption

    1. Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).

    2. It is also integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets, and ensures that all data on the VM disks is encrypted at rest while in Azure storage. Azure Disk Encryption for Windows and Linux VMs is in General Availability in all Azure public regions and Azure Government regions for Standard VMs and VMs with Azure Premium Storage.

    3. When you enable and deploy Azure Disk Encryption for Azure VMs, you can configure the following capabilities to be enabled:

       • Encrypting the OS volume to protect the boot volume at rest in your storage.
       • Encrypting data volumes to protect the data volumes at rest in your storage.
       • Disabling encryption on the OS and data drives for Windows VMs.
       • Disabling encryption on the data drives for Linux VMs (only when the OS drive isn't encrypted).
       • Safeguarding the encryption keys and secrets in your Azure Key Vault subscription.
       • Reporting the encryption status of the encrypted VM.
       • Removing the disk encryption configuration settings from the VM.
       • Backing up and restoring the encrypted VMs by using the Azure Backup service.

    Storage Service Encryption

    1. SSE is enabled for all storage accounts and cannot be disabled. SSE automatically encrypts your data when writing it to Azure Storage. When you read data from Azure Storage, it is decrypted by Azure Storage before being returned. SSE enables you to secure your data without having to modify code or add code to any applications.

    2. SSE automatically encrypts data in all performance tiers (Standard and Premium), all deployment models (Azure Resource Manager and Classic), and all of the Azure Storage services (Blob, Queue, Table, and File).

    With Azure Storage encryption, all Azure Storage accounts and the resources they contain are encrypted, including the page blobs that back Azure virtual machine disks. Additionally, Azure virtual machine disks may be encrypted with Azure Disk Encryption. Azure Disk Encryption uses industry-standard BitLocker on Windows and DM-Crypt on Linux to provide operating system-based encryption solutions that are integrated with Azure Key Vault. Central to our strategy in ensuring protection of our customers' data, we are taking security a step further by enabling encryption by default using Microsoft Managed Keys for all data written to Azure services (Blob, File, Table and Queue storage), for all storage accounts (Azure Resource Manager and Classic storage accounts), both new and existing. SSE for managed disks, including the import scenario, will also be supported. To learn more, visit the managed disks & SSE FAQ.

    Storage Service Encryption (SSE)

    • SSE is managed by Azure Storage. SSE does not provide for the security of the data in transit, but it does encrypt the data as it is written to Azure Storage. SSE does not affect Azure Storage performance.
    • You can encrypt any kind of data of the storage account using SSE (block blobs, append blobs, page blobs, table data, queue data, and files).
    • If you have an archive or library of VHD files that you use as a basis for creating new virtual machines, you can create a new storage account and then upload the VHD files to that account. Those VHD files will be encrypted by Azure Storage.
    • If you have Azure Disk Encryption enabled for the disks in a VM, then any newly written data is encrypted both by SSE and by Azure Disk Encryption.

    Azure Disk Encryption: IaaS VMs and their VHD files

    • For data disks used by IaaS VMs, Azure Disk Encryption is recommended. If you create a VM with unmanaged disks using an image from the Azure Marketplace, Azure performs a shallow copy of the image to your storage account in Azure Storage, and it is not encrypted even if you have SSE enabled. After it creates the VM and starts updating the image, SSE will start encrypting the data. For this reason, it's best to use Azure Disk Encryption on VMs with unmanaged disks created from images in the Azure Marketplace if you want them fully encrypted. If you create a VM with Managed Disks, SSE encrypts all the data by default using platform managed keys.
    • If you bring a pre-encrypted VM into Azure from on-premises, you will be able to upload the encryption keys to Azure Key Vault, and continue using the encryption for that VM that you were using on-premises. Azure Disk Encryption is enabled to handle this scenario.
    • If you have a non-encrypted VHD from on-premises, you can upload it into the gallery as a custom image and provision a VM from it. If you do this using Resource Manager templates, you can ask it to turn on Azure Disk Encryption when it boots up the VM.
    • When you add a data disk and mount it on the VM, you can turn on Azure Disk Encryption on that data disk. It will encrypt that data disk locally first, and then the classic deployment model layer will do a lazy write against storage so the storage content is encrypted.

    The following workflow is recommended for the best results with Azure Disk Encryption for Linux:

    1. Start from the unmodified stock gallery image corresponding to the needed OS distro and version
    2. Back up any mounted drives that will be encrypted. This backup allows for recovery if there's a failure, for example if the VM is rebooted before encryption has completed.
    3. Encrypt (can take several hours or even days depending on VM characteristics and size of any attached data disks)
    4. Customize, and add software to the image as needed.

    If this workflow isn't possible, relying on Storage Service Encryption (SSE) at the platform storage account layer may be an alternative to full disk encryption using dm-crypt.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Thursday, September 26, 2019 8:55 AM
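    The answer above gives a set of rules for when a VM's disks are actually covered at rest (SSE by default for managed disks; an unmanaged disk copied from a Marketplace image is not SSE-encrypted until it is rewritten; ADE recommended for IaaS data disks; on Linux, data-disk encryption can only be disabled while the OS disk is not encrypted). The script below is an added example, not part of the original reply or of any Microsoft tooling, that turns those rules into a coverage check. The `VM`/`Disk` records and their field names are this example's own constructed inventory format, and the sample VMs are constructed data; in practice the fields would be populated from the per-disk status that `az vm encryption show` reports, but that mapping is not shown here.

```python
"""Encryption-coverage check derived from the ADE/SSE rules in the reply above.

Constructed example: the record layout and sample VMs are assumptions for
illustration, not output of any Azure CLI or SDK call.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class Disk:
    name: str
    ade_encrypted: bool = False  # Azure Disk Encryption enabled on this volume


@dataclass
class VM:
    name: str
    os_type: str                  # "Windows" or "Linux"
    managed_disks: bool           # managed disks are SSE-encrypted by default
    from_marketplace_image: bool  # provisioned from an Azure Marketplace image
    os_disk: Disk
    data_disks: List[Disk] = field(default_factory=list)


def assess(vm: VM) -> List[Finding]:
    """Return at-rest coverage findings for one VM (empty list = nothing to flag)."""
    findings: List[Finding] = []
    flagged = set()

    if not vm.managed_disks and vm.from_marketplace_image:
        # Azure makes a shallow copy of the Marketplace image into the storage
        # account; that copy is not SSE-encrypted until the VM rewrites it, so
        # only ADE guarantees the volume is encrypted at rest from the start.
        for d in [vm.os_disk] + vm.data_disks:
            if not d.ade_encrypted:
                key = f"{vm.name}/{d.name}"
                flagged.add(key)
                findings.append(("gap", f"{key}: unmanaged disk from a Marketplace "
                                        "image without ADE; initial image copy is "
                                        "not covered by SSE"))

    # Data disks of IaaS VMs: ADE is recommended on top of SSE, because it adds
    # in-guest volume encryption with keys controlled through Key Vault.
    for d in vm.data_disks:
        key = f"{vm.name}/{d.name}"
        if not d.ade_encrypted and key not in flagged:
            findings.append(("recommend", f"{key}: data disk relies on SSE only; "
                                          "ADE is recommended for IaaS data disks"))
    return findings


def can_disable_data_disk_encryption(vm: VM) -> bool:
    """Windows allows disabling ADE on OS and data drives; Linux allows it on
    data drives only while the OS drive is not encrypted."""
    if vm.os_type == "Windows":
        return True
    return not vm.os_disk.ade_encrypted


# Constructed sample inventory covering the three cases the reply describes.
SAMPLE_VMS = [
    VM("web01", "Linux", managed_disks=False, from_marketplace_image=True,
       os_disk=Disk("osdisk"), data_disks=[Disk("data0")]),
    VM("db01", "Linux", managed_disks=True, from_marketplace_image=True,
       os_disk=Disk("osdisk", ade_encrypted=True),
       data_disks=[Disk("data0", ade_encrypted=True)]),
    VM("app01", "Windows", managed_disks=True, from_marketplace_image=True,
       os_disk=Disk("osdisk"), data_disks=[Disk("data0")]),
]


def report(vms: List[VM] = SAMPLE_VMS) -> Dict[str, List[Finding]]:
    """Map VM name -> findings for a whole inventory."""
    return {vm.name: assess(vm) for vm in vms}


if __name__ == "__main__":
    for name, fs in report().items():
        print(name, "OK" if not fs else "")
        for sev, msg in fs:
            print(f"  [{sev}] {msg}")
```

    Running it flags both disks of `web01` as gaps (unmanaged, Marketplace-sourced, no ADE), leaves `db01` clean, and only recommends ADE for the data disk of `app01`, whose managed disks are already SSE-encrypted. The second function encodes the Linux-specific constraint from the capability list, which is worth checking before scripting a "disable encryption" step so the request is not rejected halfway through a change window.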
  • @Mitch Weiss Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Friday, September 27, 2019 8:26 AM
  • @Mitch Weiss Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Monday, September 30, 2019 5:57 AM
  • If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Monday, September 30, 2019 1:18 PM