MaheswararajuPalagiri-0570 asked:

Has anybody enabled Azure encryption at host? What is the business impact of enabling this feature?

Hello Everyone,

My requirement is to remediate one of the defender findings.

"Virtual Machines should encrypt temp disks and data flows between Compute and Storage resources" -- I believe this can be fixed by enabling Azure encryption at host.

Can somebody please advise me what the business impact of enabling this option in Azure VMs is?

Also, I can see we can't perform Azure Disk Encryption on disks that have VM encryption at host enabled, so please advise me how that affects things.


Looking forward to kind responses on this, please.

Thank you.

azure-disk-encryption

SaiKishor-MSFT answered:

@MaheswararajuPalagiri-0570 Thank you for reaching out to Microsoft Q&A. I understand that you are having questions regarding encryption of Temp disks and data flows between compute and storage resources. Answering your questions below:

  • "Virtual Machines should encrypt temp disks and data flows between Compute and Storage resources" -- I believe this can be fixed by enabling Azure encryption at host.

Azure Disk Encryption should help you with the above. Please refer to this thread that discusses a similar issue.

  • Can somebody please advise me what the business impact of enabling this option in Azure VMs is?

Can you explain further what business impact you are referring to? Downtime, costs?

  • Also, I can see we can't perform Azure Disk Encryption on disks that have VM encryption at host enabled, so please advise me how that affects things.

When it comes to the effects, are you referring to the different ways the encryption is implemented?

With encryption at host, this is done at the Azure server level, i.e. the server that your VM is allocated to. Encryption at host encrypts your data end-to-end. Encryption at host does not use your VM's CPU and doesn't impact your VM's performance. For more info.
Azure Disk Encryption (depending on your OS) leverages your VM's encryption features, such as BitLocker for Windows or DM-Crypt for Linux, in order to provide volume encryption for the OS and data disks of the VM. For more info.

Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


Hi @SaiKishor-MSFT,

Thank you very much for your kind response.

From the comparison image, I understand that Azure Disk Encryption and Azure encryption at host will both satisfy the requirement ("Virtual Machines should encrypt temp disks and data flows between Compute and Storage resources").

However, when we go with Azure Disk Encryption, does it impact the VM CPU performance? Because in the comparison image it was unchecked. Please confirm this point, Sai.

With regards to business impact, yes, I was referring to both: any downtime or cost implications, anything that happens after we enable Azure Disk Encryption/encryption at host.

Also, help me understand: will enabling Azure Disk Encryption encrypt the temp disks and caches? Apart from the image, I couldn't see the same details in any Microsoft reference articles.


Lastly, please help me know if there is any Azure policy to implement to govern this encryption automatically.

Once again, I appreciate your kind response @SaiKishor-MSFT.

Kind regards,
Maheswara.

Also, as per the restrictions details, it seems:

Existing VMs must be deallocated and reallocated in order to be encrypted. Does this mean we can't enable encryption at host without deallocating the VM? If that is true, then we may expect some downtime, right? Please correct me if I am wrong @SaiKishor-MSFT and @Sumarigo-MSFT.

Looking forward to hearing from you.

Thank you,
Maheswara.

JamesTran-MSFT answered:

@MaheswararajuPalagiri-0570
Thank you for following up on this!

To help @SaiKishor-MSFT answer some of your questions:

When we go with Azure disk encryption, does it impact the VM CPU performance?

  • Azure Disk Encryption (ADE) should not impact the VM CPU performance; ADE only uses your VM's CPU for DM-Crypt (Linux) or BitLocker (Windows) to encrypt your OS and data disks. ADE also requires your VM to have more than 2 GB of memory. For more info.


What is the business impact of enabling this option in Azure VMs? Existing VMs must be deallocated and reallocated in order to be encrypted, does this mean we can't enable Encryption at Host without doing deallocation of the VM?

Will enabling Azure Disk Encryption encrypt the temp disks and caches?

  • Yes, enabling Azure Disk Encryption will encrypt the Temp Storage (disk), and when referring to the disk cache: if that data is being stored on the VM within Temp Storage, it will be encrypted.

    [Screenshot: BitLocker (lock icon) encrypting the OS and Temp Storage of a VM.]


Additional Links:
Server-side encryption versus Azure disk encryption
Azure Disk Encryption for Windows VMs
Azure Disk Encryption for Linux VMs

I hope this helps!


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

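As an added example (not code from this thread or from Microsoft's documentation), the deallocate/update/start sequence James describes for enabling encryption at host on an existing VM with Az PowerShell, including the subscription feature-registration check and a guard against VMs that already use ADE, which cannot be combined with encryption at host. The resource group and VM names are hypothetical placeholders.

```powershell
# Added example: enable encryption at host on an existing VM with Az PowerShell.
# Resource group and VM names are hypothetical placeholders.
$rgName = 'rg-example'
$vmName = 'vm-app01'

# 1. The subscription-level EncryptionAtHost feature must be registered first.
$feature = Get-AzProviderFeature -ProviderNamespace 'Microsoft.Compute' -FeatureName 'EncryptionAtHost'
if ($feature.RegistrationState -ne 'Registered') {
    Register-AzProviderFeature -ProviderNamespace 'Microsoft.Compute' -FeatureName 'EncryptionAtHost' | Out-Null
    do {
        Start-Sleep -Seconds 30   # registration usually takes a few minutes
        $feature = Get-AzProviderFeature -ProviderNamespace 'Microsoft.Compute' -FeatureName 'EncryptionAtHost'
    } until ($feature.RegistrationState -eq 'Registered')
}

# 2. Encryption at host cannot be combined with Azure Disk Encryption (ADE) on the same VM.
$adeStatus = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
if ($adeStatus.OsVolumeEncrypted -eq 'Encrypted' -or $adeStatus.DataVolumesEncrypted -eq 'Encrypted') {
    throw "$vmName uses ADE (OS: $($adeStatus.OsVolumeEncrypted), data: $($adeStatus.DataVolumesEncrypted)); disable ADE before enabling encryption at host."
}

# 3. Skip VMs that are already compliant.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
if ($vm.SecurityProfile.EncryptionAtHost) {
    Write-Output "$vmName already has encryption at host enabled."
    return
}

# 4. The property can only be changed while the VM is deallocated, so this
#    stop/start pair is the downtime window the thread asks about.
#    Stop-AzVM without -StayProvisioned deallocates the VM.
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force | Out-Null
Update-AzVM -ResourceGroupName $rgName -VM $vm -EncryptionAtHost $true | Out-Null
Start-AzVM -ResourceGroupName $rgName -Name $vmName | Out-Null

# 5. Verify the setting took effect.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName
Write-Output "$vmName EncryptionAtHost = $($vm.SecurityProfile.EncryptionAtHost)"
```

The outage is the stop/start window only: the host-side encryption of temp disk, caches and data flows needs no in-guest agent and no additional reboot once the VM is running again.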

Hi @JamesTran-MSFT,

Thank you so much for your response. Your responses are quite helpful, James. Lastly, kindly help me with the two queries below.

1. "For Azure Disk Encryption, the downtime will be dependent on how much data is on your VM's OS disk, and how many data disks you plan to encrypt." --- Based on the reference you have shared, I understand it depends on the size of the OS disks and data disks that we are encrypting. Assume it takes 30 minutes: does that mean that during those 30 minutes the VM will be down, or will it remain functional and running as is?


2. Please let me know if there is any policy with effect deny, to prevent any VM from being deployed without disk encryption/encryption at host enabled, from the compliance or governance standpoint.


Note: just to avoid any business impact for the client, from your personal experience, what would you advise me to go with, ADE or encryption at host?

Looking forward to hearing your kind response on the above queries.

Thank you,
Maheswara.



JamesTran-MSFT answered:

@MaheswararajuPalagiri-0570
Thank you for following up on this and I apologize for the delayed response!

Assume if it takes 30 minutes, does that mean for 30 minutes the VM will be down, or will it be functional and running as is.

  • From my experience, your VM won't be down for the full 30 minutes. Usually, the VM will need to restart during the encryption process, but the downtime will be the time it takes for your VM to boot up. During the encryption process, your VM will be running with BitLocker encrypting your drives.


Please provide me if there is any policy with effect deny, to prevent any VM that is going to be deployed without enabling disk encryption/encryption at host from the compliance or governance standpoint.

Azure Policy built-in definitions for Azure Virtual Machines:
OS and data disks should be encrypted with a customer-managed key
Virtual machines and virtual machine scale sets should have encryption at host enabled
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources


I hope this helps!


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
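As an added example (not from this thread or from Microsoft), a custom Azure Policy definition with the same check as the "encryption at host" built-in James lists, assigned with effect Deny at resource-group scope via Az PowerShell, which answers the deny-policy question above. The definition, assignment and resource-group names are hypothetical placeholders.

```powershell
# Added example: deny deployment of VMs that do not enable encryption at host.
# Definition, assignment and resource-group names are hypothetical placeholders.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "anyOf": [
          { "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost", "exists": "false" },
          { "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost", "notEquals": "true" }
        ]
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameterised effect, so the same definition can be rolled out as Audit first
# (to size the non-compliant estate) and switched to Deny later.
$policyParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-vm-without-encryption-at-host' `
    -DisplayName 'Virtual machines should have encryption at host enabled (custom)' `
    -Policy $policyRule -Parameter $policyParams -Mode 'Indexed'

# Assign with Deny at resource-group scope: new VM deployments without
# encryptionAtHost = true are rejected at request time; VMs that already exist
# are only reported as non-compliant, Deny does not modify them.
$rg = Get-AzResourceGroup -Name 'rg-example'
New-AzPolicyAssignment -Name 'deny-vm-no-eah' -DisplayName 'Deny VMs without encryption at host' `
    -Scope $rg.ResourceId -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Deny' }
```

Unlike the built-in, this custom rule covers only Microsoft.Compute/virtualMachines, not scale sets; in practice you would assign the built-in definition named above with its effect parameter set to Deny rather than maintain a copy.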


Dear @JamesTran-MSFT,

Thanks for your response.

"From my experience, your VM won't be down for the full 30 minutes. Usually, the VM will need to restart during the encryption process, but the downtime will be the time it takes for your VM to boot up. During the encryption process, your VM will be running with BitLocker encrypting your drives." ------ Please confirm: is this behaviour expected in the case of Linux as well? I understand you were referring to the Windows VM BitLocker feature. Help me know whether it is the same for Linux as well, since I could see there were multiple restrictions in the case of Linux VMs.

Thank you so much for your kind support.

Looking forward to hearing from you.

Warm regards,
Maheswara

JamesTran-MSFT commented:

@MaheswararajuPalagiri-0570
Thank you for following up on this!

I reached out to our Linux ADE SMEs and was told that the Linux VM will reboot a couple of times. However, you shouldn't log in to the Linux VM if you are encrypting the OS, since that can break the OS encryption process.


If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.



@MaheswararajuPalagiri-0570
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


Hi @JamesTran-MSFT,

Thank you so much for your response. It was helpful.
