Securing your data on virtual machines with Azure Disk Encryption
Introduction
The OS and data disks of your virtual machines are encrypted at rest by default. This is called Server-Side Encryption (SSE); it uses platform-managed keys and requires no configuration on your part. If you want more control over the encryption, there is Azure Disk Encryption (ADE).
ADE uses BitLocker on Windows and dm-crypt on Linux to encrypt your OS and data disks, and it integrates with Azure Key Vault to help you manage and control the disk encryption keys and secrets.
When reading about this you may also come across the terms BEK and KEK:
BitLocker encryption key (BEK)
- Encrypts a disk at the first layer of security using BitLocker; the keys and secrets are managed in Azure Key Vault
Key encryption key (KEK)
- Optional; configure this if you want an additional layer on top of your encryption secrets. ADE uses the KEK to wrap the encryption secrets before writing them to Key Vault, so essentially you are encrypting your BitLocker key, as I understand it
Other types of encryption in Azure
There is also EncryptionAtHost, which provides end-to-end encryption because the encryption takes place on the underlying host, the physical machine that runs your virtual machine. Your OS and data disks are already encrypted at rest, but EncryptionAtHost also ensures that the data flowing from your temp and cache disks (the compute-to-storage flow) is encrypted.
Temporary and ephemeral disks (non-persistent disks) are encrypted at rest when you enable end-to-end encryption with platform-managed or customer-managed keys.
Azure Disk Encryption can't be enabled on disks that have encryption at host enabled, so do not confuse ADE and end-to-end encryption; they are not the same thing.
Configure Azure Disk Encryption on the key vault and enable encryption on the VM
In the Azure CLI you can either create a new key vault or update an existing one to be compatible with ADE:
- New key vault
az keyvault create --name "kvname" --resource-group "rgname" --location "<location>" --enabled-for-disk-encryption
- Existing key vault
az keyvault update --name "kvname" --resource-group "rgname" --enabled-for-disk-encryption "true"
- Create a key encryption key (KEK) and encrypt your virtual machine:
az keyvault key create --name "keyName" --vault-name "kvname" --kty RSA --size 4096
az vm encryption enable -g "rgname" --name "vmname" --disk-encryption-keyvault "kvname" --key-encryption-key "keyName"
Note: the VM may need to restart before the disks report as encrypted.
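The same steps pulled into one script, as an added example (not code from the original post): it refuses to continue when the VM has encryption at host enabled, since ADE cannot be combined with it, and finishes by reading the encryption status back. Resource names are placeholders, and the script assumes "az vm show" reports the setting under securityProfile.encryptionAtHost.

```shell
#!/usr/bin/env sh
# Added example (not code from the original post): the post's az commands in one script that
# first checks the encryption-at-host conflict described above. All names are placeholders.
set -eu

RG="${RG:-rgname}"; VM="${VM:-vmname}"; KV="${KV:-kvname}"
KEK="${KEK:-keyName}"; LOCATION="${LOCATION:-westeurope}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the az commands, 0 = execute them

# Print each command, and execute it only when DRY_RUN=0, so the plan can be reviewed first.
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

# ADE is refused on a VM with encryption at host. $1 is securityProfile.encryptionAtHost
# as reported by "az vm show" (true, false, or empty when it was never set).
ade_allowed() { [ "${1:-false}" != "true" ]; }

# The vault must be enabled for disk encryption: create it that way, or update an existing one.
keyvault_cmd() {   # $1 = yes if the vault already exists
  if [ "$1" = yes ]; then
    echo "az keyvault update --name $KV --resource-group $RG --enabled-for-disk-encryption true"
  else
    echo "az keyvault create --name $KV --resource-group $RG --location $LOCATION --enabled-for-disk-encryption"
  fi
}

# RSA-4096 key encryption key (KEK) that wraps the BEK before it is written to Key Vault.
kek_cmd() { echo "az keyvault key create --name $KEK --vault-name $KV --kty RSA --size 4096"; }

encrypt_cmd() {
  echo "az vm encryption enable -g $RG --name $VM --disk-encryption-keyvault $KV --key-encryption-key $KEK"
}

main() {
  eah=$(az vm show -g "$RG" -n "$VM" --query securityProfile.encryptionAtHost -o tsv)
  if ! ade_allowed "$eah"; then
    echo "encryption at host is enabled on $VM; ADE cannot be combined with it" >&2
    return 1
  fi
  exists=no; az keyvault show --name "$KV" -g "$RG" >/dev/null 2>&1 && exists=yes
  run $(keyvault_cmd "$exists")   # unquoted on purpose: split the string into arguments
  run $(kek_cmd)
  run $(encrypt_cmd)
  # Check the result; the VM may need a restart before the disks report as encrypted.
  run az vm encryption show -g "$RG" --name "$VM"
}

# Set RUN_ADE=1 to execute; left off so the helpers above can be sourced or tested safely.
if [ "${RUN_ADE:-0}" = 1 ]; then main; fi
```

Run with RUN_ADE=1 and DRY_RUN=1 first to review the exact commands, then with DRY_RUN=0 to apply them.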
Conclusion & Purpose of ADE
If my OS and data disks are encrypted out of the box when I create my virtual machine, why would I want to use ADE? Why use both?
This was one of the questions I struggled with when researching this topic, but I would summarize the answer as follows:
- ADE gives you full management and control of your encryption keys and secrets
- It enables auditing of access to the keys inside your Key Vault, for compliance reasons
- It ensures encryption across the data lifecycle: backups, replication and migration of disks stay encrypted
There are probably more reasons but the ones above certainly convince me to use ADE on machines where I want to protect my data.