Disk encryption (ADE, encryption at host, confidential disk)
Azure provides multiple disk encryption options to protect data at rest for virtual machines and storage resources.
**Azure Disk Encryption (ADE)** uses BitLocker for Windows VMs and DM-Crypt for Linux VMs to encrypt OS and data disks. ADE integrates with Azure Key Vault to manage encryption keys and secrets. This solution encrypts the virtual hard disks, ensuring data remains protected even if the physical disk is compromised. ADE supports both managed and unmanaged disks and provides volume-level encryption.
**Encryption at Host** provides end-to-end encryption for your VM data. When enabled, encryption starts on the VM host itself, covering temporary disks, OS disk caches, and data disk caches. The data flows encrypted to the Azure Storage service where it remains encrypted at rest. This approach ensures that data is never stored unencrypted on the physical host infrastructure. Encryption at host uses platform-managed keys by default but supports customer-managed keys through Azure Key Vault.
**Confidential Disk Encryption** is designed for confidential computing scenarios where VMs run on AMD SEV-SNP or Intel TDX hardware. It binds the OS disk encryption key to the VM's virtual TPM (vTPM) and to the protected VM guest state, so the key is released only inside the trusted execution environment. Because the OS disk is encrypted with keys tied to these hardware-based security features rather than held by the platform, the disk contents are protected against privileged users, host administrators, and hypervisor-level threats.
**Key Differences:**
- ADE operates at the guest OS level
- Encryption at host operates at the infrastructure level before data reaches storage
- Confidential disk encryption provides hardware-backed protection with TPM binding
Organizations often combine these encryption methods based on compliance requirements and threat models. All three integrate with Azure Key Vault for centralized key management, but not in the same way: ADE always stores its keys and secrets in a Key Vault you control, while encryption at host and confidential disk encryption use platform-managed keys by default and accept customer-managed keys through a Key Vault-backed disk encryption set.
Disk Encryption Options in Azure: ADE, Encryption at Host, and Confidential Disk
Why Disk Encryption is Important
Disk encryption is a fundamental security control that protects data at rest on Azure virtual machines. If physical disks are stolen, lost, or improperly decommissioned, encryption ensures that unauthorized parties cannot read the data. Regulatory frameworks such as HIPAA, PCI-DSS, and GDPR often mandate encryption of sensitive data, making disk encryption essential for compliance.
What Are the Disk Encryption Options?
1. Azure Disk Encryption (ADE)
Azure Disk Encryption uses BitLocker for Windows VMs and DM-Crypt for Linux VMs to encrypt OS and data disks. The encryption keys are stored and managed in Azure Key Vault, giving you control over your encryption keys. ADE encrypts data within the guest operating system layer.
2. Encryption at Host
Encryption at host ensures that data is encrypted on the physical host server before it travels to Azure Storage. This provides end-to-end encryption covering temp disks and OS/data disk caches, so data is encrypted throughout the entire flow. Unlike ADE, encryption happens at the infrastructure layer, not in the guest OS.
3. Confidential Disk Encryption
Confidential disk encryption is designed for confidential VMs and binds the OS disk encryption key to the virtual machine's vTPM (virtual Trusted Platform Module). This ensures that the encrypted disk can only be decrypted by that specific confidential VM, providing protection against insider threats and stronger isolation from the host.
How These Encryption Methods Work
Azure Disk Encryption (ADE):
- Integrates with Azure Key Vault for key management
- Uses industry-standard BitLocker (Windows) or DM-Crypt (Linux)
- Encrypts volumes at the OS level inside the VM
- Supports both managed and unmanaged disks
- Requires the VM to be running for encryption operations
Encryption at Host:
- Enabled at the VM level through Azure Resource Manager
- Encrypts data on the host before writing to storage
- Covers temp disks and disk caches that ADE does not encrypt
- Uses platform-managed keys or customer-managed keys
- Works alongside Server-Side Encryption (SSE)
Confidential Disk Encryption:
- Exclusive to confidential VMs, i.e. the AMD SEV-SNP series (DCasv5, ECasv5) and Intel TDX series (DCesv5, ECesv5); the DCsv2/DCsv3 series are Intel SGX enclave VMs, not confidential VMs, and do not offer it
- Uses the vTPM for key protection and attestation
- Provides cryptographic proof that keys are bound to the VM
- Protects against malicious hypervisor attacks
- Ideal for highly sensitive workloads requiring hardware-based isolation
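The three descriptions above each map to a different place in the VM's Azure Resource Manager document, which is also where an auditor has to look to tell them apart: ADE is a VM extension, encryption at host is `securityProfile.encryptionAtHost`, and confidential disk encryption is `securityType: ConfidentialVM` together with `securityEncryptionType: DiskWithVMGuestState` on the OS disk. The following Python is an added example, not code from the original page or from Microsoft. The property paths are the real `Microsoft.Compute/virtualMachines` ARM properties; the five VM documents are constructed fixtures, not output captured from a subscription. It classifies each VM's encryption model and flags two mistakes a practitioner wants caught: a confidential VM whose OS disk is only `VMGuestStateOnly` (the guest-state blob is protected but the OS disk is not confidentially encrypted), and the unsupported ADE plus encryption-at-host combination.

```python
"""Audit a VM's disk-encryption model from its ARM resource document.

Added example. Property paths are the Microsoft.Compute/virtualMachines
ARM properties; the sample VM documents are constructed for this example.
"""
from dataclasses import dataclass, field

ADE_PUBLISHER = "Microsoft.Azure.Security"
ADE_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}


@dataclass
class Report:
    model: str                      # "ConfidentialDisk" | "EncryptionAtHost" | "ADE" | "SSE-only"
    customer_managed_key: bool      # SSE CMK via a disk encryption set (ADE's Key Vault keys are separate)
    findings: list = field(default_factory=list)


def has_ade_extension(vm: dict) -> bool:
    """ADE is a VM extension (child resource), so its presence marks guest-level encryption."""
    for ext in vm.get("resources", []):
        p = ext.get("properties", {})
        if p.get("publisher") == ADE_PUBLISHER and p.get("type") in ADE_TYPES:
            return True
    return False


def classify(vm: dict) -> Report:
    props = vm["properties"]
    sec = props.get("securityProfile", {})
    os_md = props["storageProfile"]["osDisk"].get("managedDisk", {})
    disk_sec = os_md.get("securityProfile", {})

    eah = bool(sec.get("encryptionAtHost"))
    ade = has_ade_extension(vm)
    # Only DiskWithVMGuestState means the OS disk itself is encrypted with vTPM-bound keys;
    # VMGuestStateOnly protects just the guest-state blob and leaves the OS disk on plain SSE.
    cvm = sec.get("securityType") == "ConfidentialVM"
    conf_disk = cvm and disk_sec.get("securityEncryptionType") == "DiskWithVMGuestState"
    # A customer-managed key shows up as a disk encryption set on the OS disk
    # (under managedDisk for standard disks, under managedDisk.securityProfile for confidential ones).
    cmk = bool(os_md.get("diskEncryptionSet") or disk_sec.get("diskEncryptionSet"))

    findings = []
    if ade and eah:
        findings.append("invalid: encryption at host cannot be enabled on a VM that has ADE")
    if cvm and not conf_disk:
        findings.append("confidential VM without confidential OS disk encryption "
                        f"(securityEncryptionType={disk_sec.get('securityEncryptionType')})")
    if conf_disk:
        model = "ConfidentialDisk"
    elif eah:
        model = "EncryptionAtHost"
    elif ade:
        model = "ADE"
        findings.append("ADE covers guest volumes only; temp disk and disk caches are not encrypted")
    else:
        model = "SSE-only"
        findings.append("only default server-side encryption; temp disk and caches are not encrypted")
    return Report(model, cmk, findings)


def _vm(security_profile: dict, os_managed_disk: dict, extensions=()) -> dict:
    """Build a minimal ARM VM document (constructed fixture, not real output)."""
    return {
        "type": "Microsoft.Compute/virtualMachines",
        "properties": {
            "securityProfile": security_profile,
            "storageProfile": {"osDisk": {"managedDisk": os_managed_disk}},
        },
        "resources": [{"type": "Microsoft.Compute/virtualMachines/extensions",
                       "properties": {"publisher": pub, "type": typ}} for pub, typ in extensions],
    }


DES = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/diskEncryptionSets/"
SAMPLES = {
    "ade-linux": _vm({}, {"storageAccountType": "Premium_LRS"},
                     [(ADE_PUBLISHER, "AzureDiskEncryptionForLinux")]),
    "eah-cmk": _vm({"encryptionAtHost": True}, {"diskEncryptionSet": {"id": DES + "des-standard"}}),
    "cvm-full": _vm({"securityType": "ConfidentialVM",
                     "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}},
                    {"securityProfile": {"securityEncryptionType": "DiskWithVMGuestState",
                                         "diskEncryptionSet": {"id": DES + "des-cvm"}}}),
    "cvm-guest-state-only": _vm({"securityType": "ConfidentialVM"},
                                {"securityProfile": {"securityEncryptionType": "VMGuestStateOnly"}}),
    "sse-only": _vm({}, {"storageAccountType": "Premium_LRS"}),
}

if __name__ == "__main__":
    for name, vm in SAMPLES.items():
        r = classify(vm)
        print(f"{name:22s} {r.model:17s} CMK={r.customer_managed_key!s:5s} {'; '.join(r.findings)}")
```

Run against real data by feeding it the JSON of each VM resource (the same document a Resource Graph query over `microsoft.compute/virtualmachines` returns); the fixture builder is only there so the example runs offline.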
Key Differences Summary
| Feature | ADE | Encryption at Host | Confidential Disk |
|---------|-----|--------------------|-------------------|
| Encryption layer | Guest OS | Infrastructure (host) | Hardware (vTPM-bound) |
| Temp disk coverage | No | Yes | Yes |
| Cache encryption | No | Yes | Yes |
| Key storage | Key Vault | Platform-managed or CMK | vTPM-bound |
| VM series support | Most VMs | Most VMs | Confidential VMs only |
Exam Tips: Answering Questions on Disk Encryption
Tip 1: Know When to Choose Each Option
- Choose ADE when you need guest-level encryption with Key Vault integration and control over encryption keys
- Choose Encryption at Host when you need to encrypt temp disks and cache data, or when you want infrastructure-level encryption
- Choose Confidential Disk when dealing with highly sensitive data requiring hardware-based security guarantees
Tip 2: Understand What Each Method Covers
- ADE does NOT encrypt temp disks or cache by default
- Encryption at Host covers temp disks and cache, and provides end-to-end encryption
- Remember that SSE (Server-Side Encryption) is always enabled by default for managed disks
Tip 3: Key Management Scenarios
- Questions about Key Vault integration typically point to ADE
- Questions about platform-managed keys with infrastructure encryption point to Encryption at Host
- Questions about vTPM binding or keys that stay inside the VM's hardware-backed trusted execution environment point to Confidential Disk
Tip 4: Watch for Compliance Keywords
- Scenarios mentioning defense against physical theft suggest ADE or SSE
- Scenarios emphasizing protection from cloud provider access suggest Confidential Disk
- Scenarios requiring complete encryption coverage suggest combining methods that are allowed together (see Tip 6)
Tip 5: Remember Prerequisites
- ADE requires Azure Key Vault with appropriate access policies
- Encryption at Host requires enabling the feature on the subscription first
- Confidential Disk requires confidential VM SKUs: the AMD SEV-SNP series (DCasv5, ECasv5) or the Intel TDX series (DCesv5, ECesv5); DCsv2/DCsv3 are SGX enclave VMs and do not qualify
Tip 6: Combination Scenarios
- You CANNOT combine Encryption at Host with ADE: Azure refuses to enable encryption at host on a VM that has, or has ever had, ADE enabled. For layered protection, combine SSE with customer-managed keys and Encryption at Host instead
- SSE is always active in addition to other encryption methods
- Confidential VMs have their own encryption model separate from standard VMs