Is SSE with PMK equivalent to full disk encryption?

Rosenthal, Murray 0

KarishmaTiwari-MSFT 18,527 Reputation points Microsoft Employee

2024-04-04T22:00:46.4633333+00:00

I've been struggling with this issue for a while now and the setup still isn't working. Despite following all the provided instructions and troubleshooting steps, I'm at a standstill. This is quite urgent!!
Rosenthal, Murray 0 Reputation points

2024-04-04T22:12:12.5233333+00:00

I asked for an AI response to my question which is attached to this thread; however, I am looking for confirmation from a MS Azure documentation/specification source. The references generated by the AI engine that I reviewed do not specifically answer my question. I need a yes/no answer.

2 answers

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Sumarigo-MSFT 43,801 Reputation points Microsoft Employee

2024-04-10T15:30:45.1033333+00:00

@Rosenthal, Murray Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

What you mean by Full disk encryption?

The use of SSE + PMK entails encryption at the managed disk level, but the temporary disk and cache for the disks are not encrypted. The managed disk itself is encrypted. If you are aiming to encrypt the entire data path, then you need to enable encryption at the host. With this, we can ensure that the entire virtual machine is encrypted, including the temporary and cache.

Additional information

SSE with PMK (Server-Side Encryption with Customer-Provided Keys) is a method of encrypting data at rest in Azure Storage using a customer-provided encryption key. SSE with PMK encrypts the data at the server-side before it is written to disk, and the encryption key is managed by the customer.

While SSE with PMK provides a high level of security for data at rest, it is not equivalent to full disk encryption. Full disk encryption is a method of encrypting an entire disk or volume, including the operating system and all data stored on the disk. Full disk encryption provides a higher level of security than SSE with PMK because it encrypts the entire disk, including the operating system and all data stored on the disk.

SSE with PMK is a good option for encrypting data at rest in Azure Storage, but it is important to note that it only encrypts the data stored in Azure Storage and not the entire disk or volume. If you require full disk encryption, you may need to use a different encryption method, such as BitLocker for Windows or FileVault for macOS.

Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
Rosenthal, Murray 0 Reputation points

2024-04-10T16:24:22.43+00:00

@Sumarigo-MSFT Thank you for turning your attention to my question. I appreciate the detail provided, and have some follow-on observations.

Above, you stated, "SSE with PMK (Server-Side Encryption with Customer-Provided Keys) is a method of encrypting data at rest in Azure Storage using a customer-provided encryption key." You mentioned Customer-Provided Key twice. Did you mean to say PMK?

Additionally, I read the following re: Azure Disk Encryption (ADE):

Is ADE Microsoft's equivalent of FDE?

Sumarigo-MSFT 43,801 Reputation points Microsoft Employee

2024-04-22T07:25:56.8866667+00:00

@Rosenthal, Murray Apologies for the delay response!

If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption.

If your requirements include encrypting only data at rest with customer-managed key, then use Server-side encryption with customer-managed keys. You can't encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer managed keys.

If you're using a scenario called out in Restrictions, consider Server-side encryption with customer-managed keys.

If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default. For managed disks, the content inside storage is encrypted by default with Server-side encryption with platform-managed key. The key is managed by the Azure Storage service.

Azure Disk Encryption for Windows VMs uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disks. Additionally, it provides encryption of the temporary disk when the VolumeType parameter is All. The content flows encrypted from the VM to the Storage backend. Thereby, providing end-to-end encryption with a customer-managed key.

Azure Disk Encryption is Microsoft's equivalent of Full Disk Encryption. It helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

Additional information:

Azure Disk Encryption (ADE) is Microsoft's implementation of full disk encryption (FDE) specifically designed for virtual machines (VMs) running in the Azure cloud environment. While both ADE and traditional FDE solutions aim to protect data by encrypting the entire disk, they operate in different contexts.

ADE encrypts the operating system and data disks of Azure VMs to safeguard sensitive information stored on these disks. It integrates with Azure Key Vault to manage and protect encryption keys securely. By encrypting disks at the infrastructure level, ADE helps ensure data confidentiality and integrity, even if unauthorized individuals gain access to the underlying storage infrastructure.

Traditional FDE solutions, on the other hand, are designed for physical devices such as laptops, desktops, servers, and external storage devices. They encrypt the entire physical disk, including the operating system, applications, and data, to protect against unauthorized access in case of theft or loss.

SSE with PMK (Server-Side Encryption with Customer-Provided Keys) and Full Disk Encryption (FDE) are similar concepts, but they are used in different contexts and provide different levels of encryption.

SSE with PMK is a method of encrypting data at rest in Azure Storage using a customer-provided encryption key. With SSE with PMK, the data is encrypted on the server side using the customer-provided key, which is stored in Azure Key Vault. This provides an additional layer of security for the data, as the encryption key is not stored with the data itself.

FDE, on the other hand, is a method of encrypting the entire contents of a disk, including the operating system and data. FDE is typically used to protect data on laptops, desktops, and other devices that may be lost or stolen. With FDE, the encryption is performed on the client side, using a key that is stored on the device itself.

While SSE with PMK and FDE both provide encryption for data, they are used in different contexts and provide different levels of protection. SSE with PMK is typically used to protect data at rest in Azure Storage, while FDE is typically used to protect data on devices that may be lost or stolen.

Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Rosenthal, Murray 0 Reputation points

2024-04-22T14:59:22.4366667+00:00

@Sumarigo-MSFT Thank you for your reply.

Following up to align on your use of "... using a customer-provided encryption key" below when explaining PMK. PMK refers to platform-managed keys administered by Microsoft on behalf of customers. Did you mean to write "platform" instead of "customer" as you started your remarks with "SSE with PMK"?

"SSE with PMK is a method of encrypting data at rest in Azure Storage using a customer-provided encryption key. With SSE with PMK, the data is encrypted on the server side using the customer-provided key, which is stored in Azure Key Vault. This provides an additional layer of security for the data, as the encryption key is not stored with the data itself."

If ADE is Microsoft's equivalent of FDE, and is encrypting OS disks and data disks alike, what is SSE with PMK protecting server-side: data at-rest only in Azure Storage?

Rosenthal, Murray 0 Reputation points

2024-04-22T16:21:12.64+00:00

@Sumarigo-MSFT Thank you for your reply.

If Microsoft's ADE is equivalent to FDE, and is encrypting OS disks and data disks, is SME with PMK encrypting data, and only data, in Azure Storage?

Sumarigo-MSFT 43,801 Reputation points Microsoft Employee

2024-04-25T17:15:03.4366667+00:00

@Rosenthal, Murray If Microsoft's ADE is equivalent to FDE, and is encrypting OS disks and data disks, is SME with PMK encrypting data, and only data, in Azure Storage?

In both scenarios the OS and data disks could be encrypted with ADE and SSE + CMK, the difference between both. The difference between the two lies in the layer of encryption, for ADE the encryption happen at OS layer where is using bitlocker for windows and crypt for Linux, with ADE the whole data including Temp disks & cache disk is encrypted and the DATA flows encrypted between compute and Storage.

SSE + CMK encrypts data stored on Azure managed disks, the encryption happen at disks layer, in this case the temp disks & cache is not encrypted and the data flow between compute and store is not encrypted.

In order to accomplish the whole DATA path encrypted using SSE + CMK it is necessary add the Encryption at Host feature, in this way ensure that all temp disks and disk caches are encrypted at rest and flow encrypted to the Storage clusters. By default the managed disks are encrypted with SSE + PMK (azure platform key) this is the default encryption in azure.

For more information , refer to this article: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview
Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Rosenthal, Murray 0 Reputation points

2024-04-25T17:55:12.86+00:00

@Sumarigo-MSFT I received this today via email but cannot locate the corresponding entry in our thread. Can you please reproduce your complete answer? Thank you.

Sumarigo-MSFT 43,801 Reputation points Microsoft Employee

2024-04-29T06:27:08.82+00:00

@Rosenthal, Murray As mentioned above comments, please refer to the suggestion mentioned.

Additional information:
This table maybe helpful - focus on rows 2 - 4. https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview#comparison

Overview of managed disk encryption options - Azure Virtual Machines

Overview of managed disk encryption options

SSE does not protect temp disks, disk caches, or data between Compute and Disk Storage. Only Encryption at Host (HBE) or ADE provides this.

Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Rosenthal, Murray 0 Reputation points

2024-05-02T13:36:10.24+00:00

@Sumarigo-MSFT Thank you for your latest reply. Appreciated.

Are you able to advise how long unencrypted data persists in temp disks and disk caches when SSE is used?
Sign in to comment