![\"Disk](\"\/wp-content\/uploads\/2017\/10\/DiskEncryption.png\")
As of today, Microsoft has a few different ways of encrypting Azure data.\u00a0 \u00a0The options for Azure Data Encryption on servers include Storage Service Encryption and Azure Disk Encryption.\u00a0 Below is a quick summery of each.<\/p>\nAs of today, Microsoft has a few different ways of encrypting Azure data.\u00a0 \u00a0The options for Azure Data Encryption on servers include Storage Service Encryption and Azure Disk Encryption.\u00a0 Below is a quick summery of each.<\/p>\n
This is at the storage account level and encrypts data at rest.\u00a0 Encryption takes place as the data is written to storage and decrypted when it\u2019s read.<\/p>\n
Pros: Easiest to implement by selecting an option on the storage account.\u00a0 Satisfies the \u201cis data encrypted at rest\u201d requirement of most audits.\u00a0 Available on all types of storage in all regions.\u00a0 Enabled by default on new storage accounts.<\/p>\n
Cons: Data is decrypted before it\u2019s passed over the network (however, HTTPS or SMB 3.0 can be enforced to encrypted data in flight).\u00a0 Microsoft keys used by default.\u00a0 There is an option to use your own keys but they are stored in the Microsoft Key Vault (feature in preview, not GA).<\/p>\n
Virtual drive encryption, BitLocker on Windows or DM-Crypt on Linux.<\/p>\n
Pros: Generally Available.\u00a0 Virtual hard drives are unusable without the key.<\/p>\n
Cons: Keys are managed in the Microsoft Key Vault.\u00a0 More complicated to setup and adds extra steps to data recovery.\u00a0 Not supported on Basic tier VM\u2019s.<\/p>\n
*Please note, if you are using Azure Disk Encryption you must use the Key Encryption Key (KEK) method to encrypt the drives.\u00a0 You will not be able to backup servers unless you use KEK.<\/p>\n
The performance impact of SSE is inconsequential.\u00a0 Only new data written to the storage account is encrypted after enabling SSE.\u00a0 Is situations where all data needs to be encrypted, it will be necessary to create a new storage account with encryption enabled and copy the data to it.<\/p>\n
The only time you may consider disabling SSE is on storage accounts that house virtual disks encrypted with disk encryption.\u00a0 This would avoid double encryption.\u00a0 However, there is no downside to having encryption on the storage account that have encrypted disks.\u00a0 All new storage accounts now has SSE on by default and Microsoft has no recommendations to disable encryption in these scenarios.<\/p>\n","protected":false},"excerpt":{"rendered":"
As of today, Microsoft has a few different ways of encrypting Azure data.\u00a0 \u00a0The options for Azure Data Encryption on servers include Storage Service Encryption and Azure Disk Encryption.\u00a0 Below is a quick summery of each. Storage Service Encryption (SSE) This is at the storage account level and encrypts data at rest.\u00a0 Encryption takes place …<\/p>\n