why do we need VM encryption if storage accounts are encrypted

  • Question

  • If the storage accounts are encrypted, why do we need an additional layer of VM disk encryption? I am sure there may be reasons; I am really interested in knowing those reasons.
    Thursday, June 13, 2019 4:38 PM


  • ADE encrypts vhd files only. SSE encrypts anything that is placed in Azure storage (at least all supported storage types). That means that for VM, you could potentially use both ADE and SSE on the same vhd files.

    With Azure Storage Service Encryption (SSE), your data is just encrypted.

    Azure Disk Encryption (ADE) encrypts both your OS and Data disks for IaaS VMs.

    You may also refer to the suggestion mentioned in this link.

    Encrypted at rest refers to the physical disk in the data center. So if someone were to take that disk physically from the data center the data would be encrypted. However, this does not apply to the data when it is being requested by the VM or when used in the portal.

    For example, if you have a VM that is not encrypted via ADE but is only encrypted at rest, you could take the VHD of that VM and mount it to another machine in Azure. Once mounted, you could browse the data freely. This is because the data is unencrypted when you request it over the network.

    If you enable encryption via Azure Disk Encryption, you could take the same scenario; however, when you go to browse the data after attaching the disk to another VM, you would not be able to. When you click on it, there would be a requirement to unlock the drive.

    Kindly let us know if the above helps or you need further assistance on this issue.
    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members

    Thursday, June 13, 2019 5:32 PM
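The distinction in the answer above (SSE is transparent to whoever can attach the disk; ADE requires the volume key) is easy to audit with the Az PowerShell module. The script below is an added example, not code from the original thread or from Microsoft; it assumes the Az.Compute module, an authenticated session (Connect-AzAccount), a placeholder resource group name, and that each VM's managed OS disk lives in the same resource group as the VM. It reports, per VM, the storage-layer encryption the disk carries and whether ADE is active on the OS and data volumes, so that VMs relying on encryption at rest alone can be found.

```powershell
# Added example (not from the original thread): inventory which VMs in a
# resource group rely on storage-layer encryption (SSE) alone and which also
# have volume-level Azure Disk Encryption (ADE).
# Assumptions: Az.Compute module, Connect-AzAccount already done, and the
# resource group name below is a placeholder to replace.
param(
    [string]$ResourceGroupName = 'REPLACE-WITH-YOUR-RG'
)

function Get-VmEncryptionLayers {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
        # ADE status is reported per volume by the encryption extension
        # (BitLocker on Windows, dm-crypt on Linux). Values are
        # Encrypted / NotEncrypted / NotMounted / Unknown.
        $ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $vm.Name

        # SSE is a property of where the bytes are stored, not of the VM.
        # Managed disks always carry it (platform- or customer-managed key);
        # unmanaged VHDs inherit the storage account's encryption. This is the
        # "encrypted at rest" layer the question asks about.
        $osDiskRef = $vm.StorageProfile.OsDisk
        if ($null -ne $osDiskRef.ManagedDisk) {
            # Assumption: the managed disk is in the same resource group as the VM.
            $osDisk = Get-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $osDiskRef.Name
            $sseLayer = $osDisk.Encryption.Type
        } else {
            $sseLayer = 'storage-account SSE (unmanaged VHD)'
        }

        # A disk with SSE only is readable by anyone who can attach it to another
        # VM; a disk with ADE additionally needs the volume key to be unlocked.
        $osVolumeLocked = ($ade.OsVolumeEncrypted -eq 'Encrypted')
        $exposure = if ($osVolumeLocked) {
            'volume key required if attached elsewhere'
        } else {
            'readable if attached to another VM (SSE only)'
        }

        [PSCustomObject]@{
            VMName         = $vm.Name
            OsDiskSse      = $sseLayer
            OsVolumeAde    = $ade.OsVolumeEncrypted
            DataVolumesAde = $ade.DataVolumesEncrypted
            Exposure       = $exposure
        }
    }
}

# Usage: list every VM in the group, flagging those with SSE only.
Get-VmEncryptionLayers -ResourceGroupName $ResourceGroupName |
    Sort-Object Exposure |
    Format-Table -AutoSize
```

Reading the output: every row will show an SSE type for the OS disk, because that layer is always present on Azure storage; the rows that matter are those whose OsVolumeAde is not Encrypted, since their disks can be attached to and read from another VM exactly as the answer describes.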