What are the cons of Azure Disk Encryption?

Nagender Rathi 11 Reputation points
2021-01-26T12:02:27.6+00:00

Before implementing ADE, I want to know its cons/limitations. Please help with the details.


2 answers

  1. Vishnu Chandra 1 Reputation point
    2021-01-26T12:33:53.773+00:00

    Keys will be stored in key vault. Have to perform some extra steps while recovering the data.


  2. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2021-01-26T16:12:39.72+00:00
    • Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in your Azure storage.

    Azure disk encryption for Windows and Linux IaaS VMs is now in General Availability in all Azure public regions and AzureGov regions for Standard VMs and VMs with premium storage.

    • There's no charge for encrypting VM disks with Azure Disk Encryption, but there are charges associated with the use of Azure Key Vault. For more information on Azure Key Vault costs, see the Key Vault pricing page.
    • Azure Disk Encryption GA supports Azure Resource Manager templates, Azure PowerShell, and Azure CLI. The different user experiences give you flexibility. You have three different options for enabling disk encryption for your VMs. For more information on the user experience and step-by-step guidance available in Azure Disk Encryption, see Azure Disk Encryption scenarios for Windows.
    • You can encrypt both boot and data volumes, but you can't encrypt the data without first encrypting the OS volume.
    • Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the temporary disk with a customer-managed key.
    • If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption.
    • If your requirements include encrypting only data at rest with customer-managed key, then use Server-side encryption with customer-managed keys. You cannot encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer managed keys.
    • If you are using a scenario called out in unsupported scenarios for Windows, consider Server-side encryption with customer-managed keys.
    • If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default. For managed disks, the content inside storage is encrypted by default with Server-side encryption with platform-managed key. The key is managed by the Azure Storage service.
    • Azure Backup provides a mechanism to back up and restore encrypted VMs within the same subscription and region. For instructions, please see Back up and restore encrypted virtual machines with Azure Backup. Restoring an encrypted VM to a different region is not currently supported.
    • Azure Disk Encryption is also available for VMs with premium storage. Azure Disk Encryption is not available on Generation 2 VMs. For more exceptions, see Azure Disk Encryption: Unsupported scenarios. Azure Disk Encryption is not available on VM images without temp disks (Dv4, Dsv4, Ev4, and Esv4). See Azure VM sizes with no local temporary disk.


    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------------------------------------------------

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
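The limitations listed in the two answers above (keys live in Key Vault, the OS volume must be encrypted before data volumes, ADE cannot be combined with server-side encryption using customer-managed keys, and Generation 2 VMs and the temp-disk-less Dv4/Dsv4/Ev4/Esv4 sizes are not supported) can be turned into a pre-flight check that runs before anyone touches a production VM. The following is an added example, not code from either answer or from Microsoft: the `Vm`/`Disk` dataclasses, the `size_family` parser and the field names are this example's own assumptions and are not the `az vm show` schema.

```python
"""Offline pre-flight check for Azure Disk Encryption (ADE) prerequisites.

Added example, not code from the answers above or from Microsoft. It turns the
constraints the answers list into pure functions over a constructed VM
description, so it runs with no Azure access. The Vm/Disk field names are this
example's own assumption, not the exact `az vm show` schema.
"""
import re
from dataclasses import dataclass, field
from typing import List

# VM size families without a local temp disk, as named in the answer above.
NO_TEMP_DISK_FAMILIES = ("Dv4", "Dsv4", "Ev4", "Esv4")


@dataclass
class Disk:
    name: str
    role: str                  # "os" or "data"
    ade_encrypted: bool = False
    sse_cmk: bool = False      # server-side encryption with a customer-managed key


@dataclass
class Vm:
    name: str
    size: str                  # e.g. "Standard_D2s_v3"
    generation: str            # "V1" or "V2"
    key_vault: str = ""        # Key Vault the ADE keys/secrets would live in
    disks: List[Disk] = field(default_factory=list)


def size_family(size: str) -> str:
    """Reduce a size name to its family, e.g. 'Standard_E4s_v4' -> 'Esv4'.

    Simplified parser (assumption): series letters + feature suffix + version.
    Returns "" when the name does not follow that pattern.
    """
    m = re.fullmatch(r"Standard_([A-Za-z]+?)(\d+)([a-z]*)(?:_(v\d+))?", size)
    if not m:
        return ""
    series, _cores, suffix, version = m.groups()
    return f"{series}{suffix}{version or ''}"


def ade_blockers(vm: Vm) -> List[str]:
    """Return the reasons ADE cannot be enabled on this VM at all (empty = none)."""
    issues = []
    if vm.generation.upper() == "V2":
        issues.append("Generation 2 VM: ADE not available (per the answer above)")
    fam = size_family(vm.size)
    if fam in NO_TEMP_DISK_FAMILIES:
        issues.append(f"size family {fam} has no temp disk: ADE not available")
    if any(d.sse_cmk for d in vm.disks):
        issues.append("a disk already uses server-side encryption with a "
                      "customer-managed key; ADE cannot be combined with it")
    if not vm.key_vault:
        issues.append("no Key Vault specified: ADE stores its keys and secrets "
                      "in Key Vault, which also adds cost and recovery steps")
    return issues


def data_disks_encryptable(vm: Vm) -> bool:
    """Data volumes may only be encrypted once the OS volume already is."""
    os_disks = [d for d in vm.disks if d.role == "os"]
    return bool(os_disks) and all(d.ade_encrypted for d in os_disks)


def encryption_plan(vm: Vm) -> List[str]:
    """Order in which to encrypt the still-unencrypted disks: OS first, then data."""
    if ade_blockers(vm):
        return []
    pending = [d for d in vm.disks if not d.ade_encrypted]
    return ([d.name for d in pending if d.role == "os"]
            + [d.name for d in pending if d.role == "data"])


if __name__ == "__main__":
    # Constructed sample VMs, not real resources.
    web = Vm("web01", "Standard_D2s_v3", "V1", key_vault="kv-example",
             disks=[Disk("web01-os", "os"), Disk("web01-data0", "data")])
    db = Vm("db01", "Standard_E4s_v4", "V2", key_vault="kv-example",
            disks=[Disk("db01-os", "os", sse_cmk=True)])
    for vm in (web, db):
        print(vm.name, "blockers:", ade_blockers(vm) or "none")
        print(vm.name, "plan:", encryption_plan(vm))
```

Feed it the inventory you already export from your subscription and it tells you, per VM, whether ADE is even an option and in which order the disks must be encrypted; the VMs it rejects are the candidates for server-side encryption with customer-managed keys instead, as the answer suggests.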