Use Azure Disk Encryption
Security · Virtual Machine · Rule · 2020_06 · Important
Use Azure Disk Encryption (ADE).
Description
Virtual machines (VMs) can be encrypted using ADE to protect disks with full disk encryption. Storage Service Encryption (SSE) is encryption at rest for Managed Disks and Storage Accounts. SSE automatically decrypts storage as it is read. Full disk encryption differs from SSE in that disks are decrypted on read within the operating system.
ADE protects disk decryption keys within Key Vault.
Recommendation
Consider using Azure Disk Encryption (ADE) to protect VM disks from being downloaded and accessed offline.
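One way to audit exported managed disk definitions for this recommendation, as an added example that is not part of the rule's own implementation. It assumes disks carry ADE state in `encryptionSettingsCollection` (nested under `properties` in ARM templates), and the disk names, vault name and URLs are constructed placeholders.

```python
import json

# Constructed sample: two managed disks in ARM resource shape (not real resources).
SAMPLE_DISKS = json.loads("""
[
  {"name": "vm-a-osdisk", "type": "Microsoft.Compute/disks",
   "properties": {
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
     "encryptionSettingsCollection": {
       "enabled": true,
       "encryptionSettings": [{"diskEncryptionKey": {
         "secretUrl": "https://example-kv.vault.azure.net/secrets/placeholder",
         "sourceVault": {"id": "/subscriptions/<sub-id>/.../vaults/example-kv"}}}]}}},
  {"name": "vm-b-osdisk", "type": "Microsoft.Compute/disks",
   "properties": {"encryption": {"type": "EncryptionAtRestWithPlatformKey"}}}
]
""")

def ade_status(disk):
    """Return (ade_enabled, reason) for one managed disk resource."""
    # Assumption: ARM templates nest settings under "properties", while
    # flattened CLI-style exports place the same keys at the top level.
    props = disk.get("properties", disk)
    coll = props.get("encryptionSettingsCollection") or {}
    if not coll.get("enabled"):
        # SSE is always present on managed disks; it is not a substitute for ADE.
        sse = (props.get("encryption") or {}).get("type", "unknown")
        return False, f"no ADE settings; SSE only ({sse})"
    # ADE keeps the disk encryption key as a Key Vault secret.
    for setting in coll.get("encryptionSettings") or []:
        key = setting.get("diskEncryptionKey") or {}
        if key.get("secretUrl") and (key.get("sourceVault") or {}).get("id"):
            return True, "ADE enabled, key held in Key Vault"
    return False, "ADE flagged enabled but no Key Vault key reference"

def audit(disks):
    """Map disk name -> (ade_enabled, reason) for every managed disk."""
    return {d["name"]: ade_status(d) for d in disks
            if d.get("type", "").lower() == "microsoft.compute/disks"}

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_DISKS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

A disk that reports only an SSE `encryption.type` fails the check, which mirrors the distinction between SSE and full disk encryption drawn in the description.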
Links
- Data encryption in Azure
- Creating and configuring a key vault for Azure Disk Encryption
- Azure Disk Encryption scenarios on Windows VMs