Server-side encryption with customer-managed keys for Azure Managed Disks
- Published 24 Jul 2024
- SSE with CMK improves on Azure Disk Encryption by enabling you to use any OS types and images, including custom images, for your VMs by encrypting data in the Azure Storage service. SSE with CMK is integrated with Azure Key Vault. You can either bring your own keys (BYOK) to your Key Vault or generate new keys in the Key Vault.
Download Slide deck: nzpowerlunchfiles.blob.core.w...
agree, good explanation, kudos Naveed!
Great video with good explanations, Naveed!
From a security point of view, which encryption is better, SSE or Azure Disk Encryption? Which one is more secure, and how is it more secure?
Thanks Naveed. Great video.
Do we know if we can use SSE + CMK and add Azure Disk Encryption on top of that?
You do not need Azure Disk Encryption if you have SSE+CMK.
@AzurePowerLunch Thank you for the response. I did find this mentioned in the Unsupported scenarios for ADE - "Applying ADE to a VM that has a data disk encrypted with server-side encryption with customer-managed keys (SSE + CMK), or applying SSE + CMK to a data disk on a VM encrypted with ADE."
That being said, SSE still happens at the Storage Account level, not at the OS level. So wouldn't ADE be considered a stronger encryption as compared to SSE + CMK?
@AzurePowerLunch This is not quite true. ADE provides end-to-end encryption, so in the event that the VHD is exported\downloaded from the subscription it would be unreadable. SSE+CMK does not provide that guest-level encryption, and the VHD would be readable outside of Azure as the disks would be decrypted at the time of export.
Cloud admins can view the data, right? They have the customer key.
Need quick help, thanks a ton in advance. Can we apply SSE with CMK through an ARM template? If so, how?
Yes you can. Have you looked at this link: www.appliedis.com/azure-vm-disk-encryption-using-deployment-scripts-in-arm-templates/
@AzurePowerLunch Yes, I saw that and it helped. Thanks a ton :)
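
For the ARM template question above, one way to express SSE with CMK declaratively, as an added example that is not from the video or the linked article: a disk encryption set bound to a Key Vault key, a key access grant for its managed identity, and a managed disk that uses it. Parameter names and default values are placeholders. It assumes an existing vault in the same resource group that uses access policies and has purge protection enabled.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": { "type": "string", "metadata": { "description": "Existing vault, same resource group (assumption)" } },
    "keyUrl": { "type": "string", "metadata": { "description": "Versioned URL of the customer-managed key" } },
    "desName": { "type": "string", "defaultValue": "example-des" },
    "diskName": { "type": "string", "defaultValue": "example-data-disk" }
  },
  "variables": { "desId": "[resourceId('Microsoft.Compute/diskEncryptionSets', parameters('desName'))]" },
  "resources": [
    {
      "type": "Microsoft.Compute/diskEncryptionSets",
      "apiVersion": "2021-04-01",
      "name": "[parameters('desName')]",
      "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "encryptionType": "EncryptionAtRestWithCustomerKey",
        "activeKey": {
          "sourceVault": { "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" },
          "keyUrl": "[parameters('keyUrl')]"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "dependsOn": [ "[variables('desId')]" ],
      "properties": { "accessPolicies": [ {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[reference(variables('desId'), '2021-04-01', 'Full').identity.principalId]",
        "permissions": { "keys": [ "get", "wrapKey", "unwrapKey" ] }
      } ] }
    },
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2021-04-01",
      "name": "[parameters('diskName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('keyVaultName'), 'add')]" ],
      "sku": { "name": "Premium_LRS" },
      "properties": {
        "creationData": { "createOption": "Empty" }, "diskSizeGB": 128,
        "encryption": { "type": "EncryptionAtRestWithCustomerKey", "diskEncryptionSetId": "[variables('desId')]" }
      }
    }
  ]
}
```

The disk depends on the access policy so that it is only created once the encryption set's identity can get, wrap and unwrap the key. That grant is limited to those three key operations.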