Hi,
Azure notifies me that "Managed disks created since June 10, 2017 are encrypted at rest with Storage Service Encryption (SSE). You may also want to enable Azure Disk Encryption." What is the difference between SSE and ADE (Azure Disk Encryption)? Why do I need to encrypt twice?
Kind regards,
Ryan
@ryansun96 Thanks for your feedback! We will investigate and update as appropriate.
@ryansun96 Encrypted at rest refers to the physical disk in the data center. So if someone were to take that disk physically from the data center, the data would be encrypted. However, this does not apply to the data when it is being requested by the VM or when used in the portal.
For example, if you have a VM that is not encrypted via ADE but is only encrypted at rest, you could take the VHD of that VM and mount it on another machine in Azure. Once mounted, you could browse the data freely. This is because the data is unencrypted when you request it over the network.
If you enable encryption via Azure Disk Encryption, you could take the same scenario; however, when you go to browse the data after attaching the disk to another VM, you would not be able to. When you click on it, there would be a requirement to unlock the drive.
I will close this for now but if you have additional questions please reopen and we can continue :)
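The two layers described in the comment above can be checked separately on a running VM. The following is an added Azure PowerShell (Az module) example, not code from this thread or from the Azure documentation; `rg-example`, `vm-example` and `kv-example` are hypothetical placeholders, and the script assumes the VM's managed disks live in the same resource group as the VM and that the Key Vault already has `EnabledForDiskEncryption` set.

```powershell
# Added example (not from the thread): report both encryption layers on one VM,
# then enable ADE if the OS volume is not already encrypted.
# $rg, $vmName and $kvName are hypothetical placeholders; substitute your own.
$rg     = 'rg-example'
$vmName = 'vm-example'
$kvName = 'kv-example'   # Key Vault in the same region as the VM

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Layer 1: SSE. Every managed disk reports its at-rest encryption type.
# EncryptionAtRestWithPlatformKey is the platform default; it protects the
# physical media but not a VHD that is copied or attached to another VM.
$osDisk = Get-AzDisk -ResourceGroupName $rg -DiskName $vm.StorageProfile.OsDisk.Name
"OS disk SSE type:    {0}" -f $osDisk.Encryption.Type
foreach ($d in $vm.StorageProfile.DataDisks) {
    $disk = Get-AzDisk -ResourceGroupName $rg -DiskName $d.Name
    "Data disk {0} SSE type: {1}" -f $d.Name, $disk.Encryption.Type
}

# Layer 2: ADE. This is the in-guest volume encryption (BitLocker on Windows,
# dm-crypt on Linux) whose key lives in Key Vault, so a re-attached disk stays
# locked until the key is supplied.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
"ADE OS volume:       {0}" -f $status.OsVolumeEncrypted
"ADE data volumes:    {0}" -f $status.DataVolumesEncrypted

if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    $kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
    # Enabling ADE installs the encryption extension and reboots the VM.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri `
        -DiskEncryptionKeyVaultId $kv.ResourceId `
        -VolumeType All
}
```

Run this against a VM that has never had ADE enabled and the SSE lines will already read `EncryptionAtRestWithPlatformKey` while the ADE lines read `NotEncrypted`, which is exactly the state the comment above describes: protected against removal of the physical disk, but readable by anyone who can attach the VHD to another VM. The `Set-AzVMDiskEncryptionExtension` call reboots the VM, so schedule it accordingly.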
@MicahMcKittrick-MSFT
Could you please mention the difference in the document? Because customers and I are confused by SSE and ADE, which provide similar functions.
Sure. ADE encrypts VHD files only. SSE encrypts anything that is placed in Azure Storage (at least all supported storage types). That means that for a VM, you could potentially use both ADE and SSE on the same VHD files. Thanks! -Tom
Thanks. What I mean is to document the difference officially in the document page.
Ah! OK, yes. We'll put that on the backlog. Thanks!