Overview of managed disk encryption options
There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host.
Azure Disk Storage Server-Side Encryption (also referred to as encryption at rest or Azure Storage encryption) is always enabled and automatically encrypts data stored on Azure managed disks (OS and data disks) when it is persisted to the storage clusters. When configured with a Disk Encryption Set (DES), it also supports customer-managed keys. It doesn't encrypt temp disks or disk caches. For full details, see Server-side encryption of Azure Disk Storage.
Encryption at host is a Virtual Machine option that enhances Azure Disk Storage Server-Side Encryption to ensure that all temp disks and disk caches are encrypted at rest and flow encrypted to the Storage clusters. For full details, see Encryption at host - End-to-end encryption for your VM data.
Azure Disk Encryption helps protect your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside the VM itself, using the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets, with the option to wrap them with a key encryption key (KEK). For full details, see Azure Disk Encryption for Linux VMs or Azure Disk Encryption for Windows VMs.
Encryption is part of a layered approach to security and should be used with other recommendations to secure Virtual Machines and their disks. For full details, see Security recommendations for virtual machines in Azure and Restrict import/export access to managed disks.
Comparison
Here's a comparison of Disk Storage SSE, ADE, encryption at host, and Confidential disk encryption.
| | Azure Disk Storage Server-Side Encryption | Encryption at Host | Azure Disk Encryption | Confidential disk encryption (For the OS disk only) |
|---|---|---|---|---|
| Encryption at rest (OS and data disks) | ✅ | ✅ | ✅ | ✅ |
| Temp disk encryption | ❌ | ✅ Only supported with platform-managed key | ✅ | ✅ |
| Encryption of caches | ❌ | ✅ | ✅ | ✅ |
| Data flows encrypted between Compute and Storage | ❌ | ✅ | ✅ | ✅ |
| Customer control of keys | ✅ When configured with DES | ✅ When configured with DES | ✅ When configured with KEK | ✅ When configured with DES |
| Does not use your VM's CPU | ✅ | ✅ | ❌ | ❌ |
| Works for custom images | ✅ | ✅ | ❌ Does not work for custom Linux images | ✅ |
| Enhanced Key Protection | ❌ | ❌ | ❌ | ✅ |
| Microsoft Defender for Cloud disk encryption status* | Unhealthy | Healthy | Healthy | Not applicable |
Important
For Confidential disk encryption, Microsoft Defender for Cloud does not currently have a recommendation that is applicable.
* Microsoft Defender for Cloud has the following disk encryption recommendations:
- Virtual machines and virtual machine scale sets should have encryption at host enabled (Only detects Encryption at Host)
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (Only detects Azure Disk Encryption)
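The comparison table can be turned into a posture check: given a VM's and its OS disk's resource properties, derive which encryption mechanisms are in effect and what they cover. The following is an added example, not Microsoft's code; the JSON shape loosely mirrors `az vm show` / `az disk show` output (the exact extension key name is assumed, so both common spellings are accepted), and all sample values are constructed.

```python
"""Map a VM's encryption-related properties onto the comparison table rows."""
import json

# Constructed sample resources (values invented for this example).
SAMPLE_VM = json.loads("""{
  "name": "example-vm",
  "securityProfile": {"encryptionAtHost": false},
  "resources": [{"publisher": "Microsoft.Azure.Security",
                 "typePropertiesType": "AzureDiskEncryptionForLinux"}]
}""")
SAMPLE_OS_DISK = json.loads("""{
  "name": "example-vm_OsDisk",
  "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                 "diskEncryptionSetId": "<DES-RESOURCE-ID-PLACEHOLDER>"}
}""")

ADE_EXTENSIONS = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}
# Disk encryption types that imply a Disk Encryption Set (customer-managed keys).
DES_BACKED_TYPES = {"EncryptionAtRestWithCustomerKey",
                    "EncryptionAtRestWithPlatformAndCustomerKeys",
                    "ConfidentialVM_DiskEncryptedWithCustomerKey"}


def encryption_posture(vm: dict, os_disk: dict) -> dict:
    """Return which mechanisms are active and which table rows they satisfy."""
    disk_type = os_disk.get("encryption", {}).get("type", "EncryptionAtRestWithPlatformKey")
    at_host = bool(vm.get("securityProfile", {}).get("encryptionAtHost"))
    ade = any(r.get("publisher") == "Microsoft.Azure.Security"
              and (r.get("typePropertiesType") or r.get("virtualMachineExtensionType"))
              in ADE_EXTENSIONS for r in vm.get("resources", []))
    confidential = disk_type.startswith("ConfidentialVM_")
    # SSE alone leaves temp disks, caches and the compute-to-storage path uncovered;
    # encryption at host, ADE or confidential disk encryption close that gap.
    covers_temp_cache_flow = at_host or ade or confidential
    # ADE's KEK lives in Key Vault, not in the disk's encryption.type, so this
    # flag reflects DES-based customer-managed keys only.
    if confidential:
        defender = "Not applicable"
    else:
        defender = "Healthy" if (at_host or ade) else "Unhealthy"
    return {
        "mechanisms": [m for m, on in (("SSE", True), ("EncryptionAtHost", at_host),
                                       ("ADE", ade), ("Confidential", confidential)) if on],
        "encryption_at_rest": True,
        "temp_disk_and_cache_encrypted": covers_temp_cache_flow,
        "compute_to_storage_flow_encrypted": covers_temp_cache_flow,
        "customer_managed_key_via_des": disk_type in DES_BACKED_TYPES,
        "defender_status": defender,
    }


if __name__ == "__main__":
    print(json.dumps(encryption_posture(SAMPLE_VM, SAMPLE_OS_DISK), indent=2))
```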