Jay Thomas
Why bother with Azure disk encryption (bit locker) when the storage is encrypted anyway

Azure disk encryption (ADE) vs Azure Storage service (SSE) encryption, which one?

I'm using managed disks in Azure, which by default use 256 encryption at rest. I've checked and my storage accounts are encrypted; Azure Security Center, however, advises me to double down and use BitLocker on the disks.

Here is my question. Can anyone provide a compelling reason why I would want to bother using BitLocker (ADE) on my Azure VMs when I already have 256 encryption on the storage side?
No general links to Azure encryption please, I have read them to death and cannot find one justification, other than that the VM with BitLocker will not boot if copied off and does not have access to the vault key.
Thanks all
David Johnson, CD

That is the reasoning. If any management account is compromised, they can't copy off the virtual disk.

They apply to different Azure services. ADE applies to IaaS VMs while Storage Encryption applies to Azure Storage, which generally refers to Cloud-Based SMB shares, backup storage, and other non-VM related storage functions. So the one to use depends on how you're using the storage you have.
Jay Thomas (ASKER)

Thanks both.
@David, what management account? The subscription owner, do you mean?
@Adam, so this was my way of thinking. It appears to me the Security Center recommendation pre-dates SSE by default and managed disks getting SSE by default as well.

Here's a question. If I can copy the VHD of a VM that has disk encryption (ADE) and download it to my laptop, I can't mount the drive because I don't have access to the key?
ASKER CERTIFIED SOLUTION
Adam Brown
btan

With Azure Storage Service Encryption (SSE), your data is just encrypted, while Azure Disk Encryption (ADE) encrypts both your OS and data disks for IaaS VMs.

For the customer-encrypted VHD scenario, upload the encrypted VHD to your storage account and the encryption key material to your key vault. Then provide the encryption configuration to enable encryption on a new IaaS VM; otherwise you will not be able to see your volume.

Also grant access to the Azure platform to read the encryption key material (BitLocker encryption keys for Windows systems and Passphrase for Linux) from your key vault to enable encryption on the IaaS VM.
Thank you
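As an added example (not from any post in this thread), the steps btan describes for an existing Windows IaaS VM in Azure PowerShell: allow the platform to read BitLocker key material from the vault, enable ADE on all volumes, then verify the reported status, since a copied VHD only stays unreadable if the volumes really are encrypted. Resource group, VM and vault names are placeholders.

```powershell
# Added example, not from the thread. Names are placeholders (assumptions).
$rg        = 'rg-example'        # assumption: resource group name
$vmName    = 'vm-example-01'     # assumption: target Windows VM
$vaultName = 'kv-ade-example'    # assumption: Key Vault holding BitLocker keys

# The Azure platform must be allowed to read key material from the vault,
# otherwise the VM cannot retrieve its BitLocker keys at boot.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg `
    -EnabledForDiskEncryption

$kv = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

# Enable ADE for OS and data volumes. The extension encrypts the volumes
# with BitLocker and stores the keys as secrets in the vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType 'All' -Force

# Verify rather than assume: Security Center flags the VM until both
# OS and data volumes report 'Encrypted'.
$status = Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    throw "OS volume is not encrypted: $($status.OsVolumeEncrypted)"
}
if ($status.DataVolumesEncrypted -ne 'Encrypted') {
    Write-Warning "Data volumes report: $($status.DataVolumesEncrypted)"
}
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings
```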