This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 19%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hi Experts,
We are currently using managed disks on Azure which by default provides SSE with PMK.
The requirement is to have End to End encryption, hence we would be choosing Encryption at Host option.
Questions
I see its clearly mentioned that Azure disk encryption cannot be enabled along with Encryption at host .. what about SSE and Encryption at host ? can they run together ?
Regards
Srinidhi
Hi,
Both of your scenarios are supported.
"When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches are stored on that VM host. After enabling encryption at host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at host encrypts your data from end-to-end. Encryption at host does not use your VM's CPU and doesn't impact your VM's performance."
I believe what changes here is that encryption is delivered by the virtual machine host instead of on the storage cluster where the data is at rest.
You can enable encryption at host at the time of deployment or later regardless of whether using SSE with PMK or SSE with CMK. ADE is not supported as you mentioned.
Hi Alan,
Thanks for answering the previous question.
We would be enabling Encryption at Host (end to end encryption) with CMK.
In this case will SSE +PMK (current setup) work along with the above ?
Or
Should key management type be same type ie --> Encryption at Host +CMK and SSE+CMK OR Encryption at Host + PMK and SSE +PMK ?
According to the docs - temp disks and ephemeral disks are always PMK but your OS and data disk caches will match the SSE key type of the disk, so they must both be the same, so either PMK or CMK - you can't mix the two for host and SSE encryption. So if you want to use a CMK then it will be: Encryption at Host +CMK and SSE+CMK
"Temporary disks and ephemeral OS disks are encrypted at rest with platform-managed keys when you enable end-to-end encryption. The OS and data disk caches are encrypted at rest with either customer-managed or platform-managed keys, depending on what you select as the disk encryption type. For example, if a disk is encrypted with customer-managed keys, then the cache for the disk is encrypted with customer-managed keys, and if a disk is encrypted with platform-managed keys then the cache for the disk is encrypted with platform-managed keys."
https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal