I want to implement end-to-end encryption for my Azure VM. According to the documentation, encryption at host is the solution for data encryption at rest on a host machine. The other option is possibly Azure Disk Encryption.
The solutions are mutually exclusive:
Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.
The question is: what are the similarities and differences between the two solutions, and what are the arguments for using one instead of the other?
There are significant differences in the operation of both technologies. The two cannot both be used simultaneously on the same resources/VMs.
Azure Disk Encryption:
In more or less words, this is encryption at rest on the disks connected to your VM, OS and data. It works with BitLocker on Windows and Linux machines and stores encryption keys and secrets within Azure Key Vault.
There are also restrictions on the VM SKUs that are supported. There are additional restrictions to review.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
Encryption at host:
Encryption starts and happens on data processed by the host VM itself. The encrypted processed data is then sent back to the storage location – disk, table, blob – and then stored in its encrypted format. Therefore, the data processed and shared between the VM and its disks or other storage counterparts are encrypted, including in-transit.
https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal
Note the list of supported VM sizes. There remain a significant number of limitations for host-based encryption.
Your subscription also needs to have this feature enabled by requesting it through the Azure Portal. Instructions are in the link provided under Prerequisites.
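As an added example (not part of the answer above), a bash script using the Azure CLI that applies the constraints the answer describes: the subscription feature must be registered, Azure Disk Encryption must not already be on the VM (the two are mutually exclusive), and the VM is deallocated before encryption at host is switched on. The decision helper is plain shell; the `az` commands, the `properties.state` field and the JMESPath filter on the extension name are assumptions about the CLI, not something the page states.

```shell
#!/usr/bin/env bash
# Added example: gate "encryption at host" on the two rules from the answer.
# Pure decision helper, testable without any Azure access.
#   $1 = EncryptionAtHost feature state from `az feature show` (e.g. Registered)
#   $2 = Azure Disk Encryption state for the VM: Enabled or Disabled
# Prints the reason; returns 0 when enabling is allowed, 1 otherwise.
can_enable_encryption_at_host() {
  feature_state="$1"
  ade_status="$2"
  if [ "$feature_state" != "Registered" ]; then
    echo "blocked: EncryptionAtHost feature is '$feature_state'; register it first"
    return 1
  fi
  if [ "$ade_status" = "Enabled" ]; then
    echo "blocked: Azure Disk Encryption is present; the two cannot coexist"
    return 1
  fi
  echo "ok: encryption at host may be enabled"
  return 0
}

# Live path (assumed CLI usage): ./enable-eah.sh <resource-group> <vm-name>
if [ "$#" -eq 2 ]; then
  rg="$1"; vm="$2"
  # Subscription-level prerequisite: the feature must be registered
  # (`az feature register --namespace Microsoft.Compute --name EncryptionAtHost`,
  # then `az provider register -n Microsoft.Compute` to propagate it).
  feature_state=$(az feature show --namespace Microsoft.Compute \
                  --name EncryptionAtHost --query properties.state -o tsv)
  # ADE leaves an AzureDiskEncryption* extension on the VM; treat that as Enabled.
  # (Assumption: the extension resource name contains "AzureDiskEncryption".)
  ade_ext=$(az vm extension list -g "$rg" --vm-name "$vm" \
            --query "[?contains(name, 'AzureDiskEncryption')].name" -o tsv)
  ade_status="Disabled"
  if [ -n "$ade_ext" ]; then ade_status="Enabled"; fi

  if can_enable_encryption_at_host "$feature_state" "$ade_status"; then
    az vm deallocate -g "$rg" -n "$vm"   # must be deallocated before the change
    az vm update -g "$rg" -n "$vm" --set securityProfile.encryptionAtHost=true
    az vm start -g "$rg" -n "$vm"
    # Verify the setting actually took effect
    az vm show -g "$rg" -n "$vm" --query securityProfile.encryptionAtHost -o tsv
  else
    exit 1
  fi
fi
```

Run the decision helper on its own first if you only want to audit the state; the live path only executes when a resource group and VM name are supplied.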