
My issue

I am trying to understand how VM disk encryption works on an Azure VM. I have a Key Vault and a Disk Encryption Set configured.

What I did - 1

I create a VM with a disk selecting Encryption type = Encryption at rest with a custom managed key.

I select my Key Encryption set.

Portal confirms by displaying SSE with CMK in VM/Disks.

But:

Get-AzVMDiskEncryptionStatus says OS volume and DataVolumes are NotEncrypted.


What I did - 2

I create another VM, but this time I go to VM/Disks/Additional Settings and select Disk to encrypt. This time the only option is a Key Vault, not a Disk Encryption Set.

I select OS and Data Disks.

Portal says:

(screenshot of the portal status not included)

This time, Get-AzVMDiskEncryptionStatus says:

(screenshot of the cmdlet output not included)

My questions

  1. What is the difference between the two methods?
  2. Why does Get-AzVMDiskEncryptionStatus return such unexpected results?

1 Answer


To answer your questions:

  1. There are two mechanisms: server-side encryption and Azure Disk Encryption. The first thing you did is server-side encryption and the second is Azure Disk Encryption.

Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data. Azure Storage Encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, are not encrypted through Azure Storage. When you enable encryption at the host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. After enabling encryption at the host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at the host encrypts your data from end-to-end.

Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.

For more information, read here.

  2. It's expected. The Get-AzureRmVMDiskEncryptionStatus cmdlet gets the encryption status of the virtual machine. It displays the encryption status of the operating system and data volumes. This does not get server-side encryption status.
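As an added example (not part of the answer above), the following script reports both layers for one VM: the server-side encryption type and Disk Encryption Set on each managed disk, and the in-guest ADE status that Get-AzVMDiskEncryptionStatus reports. It assumes the Az.Compute module is installed and Connect-AzAccount has already been run; the resource group and VM name are supplied by the caller.

```powershell
# Added example, not from the original answer. Shows why a VM with SSE+CMK disks
# reports NotEncrypted from Get-AzVMDiskEncryptionStatus: that cmdlet only sees ADE.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # supplied by caller
    [Parameter(Mandatory)] [string] $VMName                # supplied by caller
)

function Get-DiskSseInfo {
    param([string] $DiskId)
    # Managed disk IDs look like .../resourceGroups/<rg>/providers/Microsoft.Compute/disks/<name>
    if ($DiskId -notmatch '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Compute/disks/(?<name>[^/]+)$') {
        throw "Unexpected managed disk id: $DiskId"
    }
    $disk = Get-AzDisk -ResourceGroupName $Matches.rg -DiskName $Matches.name
    [pscustomobject]@{
        Disk                = $disk.Name
        # e.g. EncryptionAtRestWithPlatformKey or EncryptionAtRestWithCustomerKey
        SseType             = $disk.Encryption.Type
        DiskEncryptionSetId = $disk.Encryption.DiskEncryptionSetId
    }
}

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Layer 1: server-side encryption, configured per disk (the first method in the question).
$diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
           @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
$diskIds | ForEach-Object { Get-DiskSseInfo -DiskId $_ } | Format-Table -AutoSize

# Layer 2: Azure Disk Encryption inside the guest (the second method). This is the only
# layer Get-AzVMDiskEncryptionStatus inspects, so an SSE-only VM shows NotEncrypted here.
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
"ADE OS volume:      $($ade.OsVolumeEncrypted)"
"ADE data volumes:   $($ade.DataVolumesEncrypted)"

# Encryption at host, when enabled, is a further setting on the VM's security profile.
"Encryption at host: $($vm.SecurityProfile.EncryptionAtHost)"
```

Run it against each of the two VMs from the question: the first should show a customer-key SSE type with a Disk Encryption Set ID but ADE NotEncrypted, the second the reverse.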