AZ-301 Exam Questions

AZ-301 Exam - Question 63


You are designing a data protection strategy for Azure virtual machines. All the virtual machines are in the Standard tier and use managed disks.

You need to recommend a solution that meets the following requirements:

✑ The use of encryption keys is audited.

✑ All the data is encrypted at rest always.

✑ You manage the encryption keys, not Microsoft.

What should you include in the recommendation?

A. BitLocker Drive Encryption (BitLocker)
B. Azure Storage Service Encryption
C. client-side encryption
D. Azure Disk Encryption

Correct Answer: D

The appropriate solution for ensuring that all data on Azure virtual machines using managed disks is encrypted at rest, with auditable encryption key usage, and with customer-managed encryption keys is Azure Disk Encryption. Azure Disk Encryption integrates with Azure Key Vault to allow you to manage the encryption keys, providing full control over them. It also leverages BitLocker for Windows VMs and DM-Crypt for Linux VMs, ensuring that all data at rest is always encrypted and in compliance with the specified requirements.
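The "use of encryption keys is audited" requirement is met in practice by turning on Key Vault diagnostic logging (AuditEvent category) and reviewing the wrap/unwrap operations against the ADE key encryption key. The following is an added example, not part of the exam page or of any Microsoft tooling: it parses constructed records that approximate the Key Vault audit-log shape and flags KEK usage by principals other than the one ADE is expected to use, or operations that failed. The KEK name `ade-kek`, the vault name and the principal object IDs are assumed sample values.

```python
import json
from collections import Counter

# Constructed sample Key Vault diagnostic records (AuditEvent category), trimmed to the
# fields this check reads; the layout approximates the real export and is not a copy of it.
SAMPLE_AUDIT_LOG = """
{"operationName":"KeyWrap","resultType":"Success","callerIpAddress":"10.0.0.4","identity":{"claim":{"oid":"vm-ade-identity"}},"properties":{"id":"https://kv-ade.vault.azure.net/keys/ade-kek/1"}}
{"operationName":"KeyUnwrap","resultType":"Success","callerIpAddress":"10.0.0.4","identity":{"claim":{"oid":"vm-ade-identity"}},"properties":{"id":"https://kv-ade.vault.azure.net/keys/ade-kek/1"}}
{"operationName":"KeyUnwrap","resultType":"Success","callerIpAddress":"203.0.113.9","identity":{"claim":{"oid":"unknown-principal"}},"properties":{"id":"https://kv-ade.vault.azure.net/keys/ade-kek/1"}}
{"operationName":"KeyUnwrap","resultType":"Failed","callerIpAddress":"203.0.113.9","identity":{"claim":{"oid":"unknown-principal"}},"properties":{"id":"https://kv-ade.vault.azure.net/keys/ade-kek/1"}}
{"operationName":"VaultGet","resultType":"Success","callerIpAddress":"10.0.0.4","identity":{"claim":{"oid":"vm-ade-identity"}},"properties":{"id":"https://kv-ade.vault.azure.net/"}}
"""

# Key Vault operations that actually exercise a key (as opposed to reading metadata).
KEY_USE_OPS = {"KeyWrap", "KeyUnwrap", "KeyEncrypt", "KeyDecrypt", "KeySign"}


def parse_audit_events(text):
    """One JSON object per line, as exported to a storage account or Log Analytics."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def key_usage_report(events, kek_name, allowed_oids):
    """Count key operations on the KEK per (principal, operation) and collect findings.

    A finding is raised when a principal outside allowed_oids touches the KEK,
    or when any KEK operation did not succeed (e.g. a denied unwrap attempt)."""
    per_caller = Counter()
    findings = []
    for ev in events:
        op = ev.get("operationName", "")
        key_id = ev.get("properties", {}).get("id", "")
        if op not in KEY_USE_OPS or f"/keys/{kek_name}/" not in key_id:
            continue  # not a use of the ADE key encryption key
        oid = ev.get("identity", {}).get("claim", {}).get("oid", "?")
        per_caller[(oid, op)] += 1
        if oid not in allowed_oids:
            findings.append(f"{op} on {kek_name} by unexpected principal {oid} "
                            f"from {ev.get('callerIpAddress')}")
        if ev.get("resultType") != "Success":
            findings.append(f"{op} on {kek_name} by {oid} returned {ev.get('resultType')}")
    return per_caller, findings


if __name__ == "__main__":
    counts, alerts = key_usage_report(parse_audit_events(SAMPLE_AUDIT_LOG),
                                      "ade-kek", {"vm-ade-identity"})
    for (oid, op), n in sorted(counts.items()):
        print(f"{oid:20s} {op:10s} {n}")
    for line in alerts:
        print("ALERT:", line)
```

The same logic applies unchanged to a real export once the allowed principal set is replaced with the object ID that ADE uses in your tenant.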

Discussion

12 comments
examamos
Dec 7, 2019

It's correct: "Azure Disk Encryption (...) uses the Bitlocker feature (...) and (...) to help you control and manage the disk encryption keys and secrets." https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/disk-encryption-overview. I.e. Bitlocker is the "tool", not the solution. D is correct.

Moon
Feb 23, 2020

D is correct as in the below link: https://azure.microsoft.com/en-us/blog/preview-server-side-encryption-with-customer-managed-keys-for-azure-managed-disks/ "Customers also benefit from Azure disk encryption (ADE) that leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt Managed Disks with customer managed keys within the guest virtual machine."

[Removed]
Aug 17, 2020

Requirements:
- The use of encryption keys is audited.
- All the data is encrypted at rest always.
- You manage the encryption keys, not Microsoft.

Possible Answers:
A. BitLocker Drive Encryption (BitLocker) > I think this would fulfil all requirements as well, although I am not sure about the key-usage auditing part.
B. Azure Storage Service Encryption > Can be ruled out as we are using managed disks.
C. client-side encryption > Doesn't make sense for managed disks, can be ruled out.
D. Azure Disk Encryption > Fulfills all requirements. Keys are stored in Key Vault. To audit the encryption key usage, Key Vault monitoring can be used.

Conclusion: > I am varying between A. & D. but still would choose D. as it seems the more Azure-native approach. Am I missing something regarding BitLocker?

fatmaphil
Sep 25, 2020

Azure Disk Encryption uses BitLocker for Windows and DM-Crypt for Linux.

pentium75
Aug 20, 2021

Azure Storage Service Encryption (B) does support managed disks since 2017.

pentium75
Aug 20, 2021

Bitlocker (A) can't be the solution because it only runs on Windows, while we don't know which OS is used on these VMs.

lepperboy
May 3, 2020

I'm guessing the rationale here is what is the service applicable to all VM types - which would be Azure Disk Encryption. Then features of Azure Disk Encryption are BitLocker for Windows and DM-Crypt for Linux - both of which can BYO key.

SilentH
Mar 29, 2020

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Would this answer still qualify under the requirement that "You manage the encryption keys, not Microsoft."? I would think no. If so, that means 'D' isn't the right answer.

Protonenpaule
Apr 15, 2020

Disk encryption is supported with customer-managed keys, see https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption

satgo
May 25, 2020

You can import Azure Key Vault keys and manage them outside of Microsoft. So, D is right.

colep
May 13, 2020

It's D, I did it in a lab.

glam
Feb 1, 2021

D. Azure Disk Encryption

Jake__
Nov 8, 2019

Bitlocker does all of that. You can use it in azure, it works on managed disks, you can control the key. No reason why not

CipherK
Apr 7, 2020

BitLocker is only for Windows.

tartar
Sep 18, 2020

D is ok

jokl
Apr 1, 2020

Answer is D. See https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#azure-disk-encryption

JL412
Apr 29, 2020

How about Server-side encryption with customer-managed keys? B is also feasible.

jcarlos
May 29, 2020

I also initially thought as you, but there is this requirement: All the data is encrypted at rest always and Server side encryption can’t meet this requirement since temporary disks are not encrypted by Server side encryption. From https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption “Temporary disks are not managed disks and are not encrypted by SSE” https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-faq#how-is-azure-disk-encryption-different-from-storage-server-side-encryption-with-customer-managed-key-and-when-should-i-use-each-solution

sourabh7257
Jul 27, 2020

B is Azure storage encryption not Server-side encryption

superbutt
Jun 13, 2020

The Correct Answer is D.

Jake__
Nov 8, 2019

Reference below tells that for Windows machines Azure Disk Encryption uses BitLocker for encryption. There was no specification that there were Windows and Linux machines; the question is too vague. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview