Azure disk encryption vs encryption at host


I want to implement end-to-end encryption for my Azure VM. According to the documentation, encryption at host is the solution for data encryption at rest on a host machine. The other option is possibly Azure Disk Encryption.

The solutions are mutually exclusive:

Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.

The question is what are similarities and differences between both solutions and what are the arguments to use one instead of the other.


2 answers


There are significant differences in the operation of both technologies. The two cannot both be used simultaneously on the same resources/VMs.

Azure Disk Encryption:

In more or less words, this is encryption at rest on the disks connected to your VM, OS and data. It works with BitLocker on Windows and Linux machines and stores encryption keys and secrets within Azure Key Vault.

There are also restrictions on the VM SKUs that are supported. There are additional restrictions to review.

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview

Encryption at host:

Encryption starts and happens on data processed by the host VM itself. The encrypted processed data is then sent back to the storage location – disk, table, blob – and then stored in its encrypted format. Therefore, the data processed and shared between the VM and its disks or other storage counterparts are encrypted, including in-transit.

https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal

Note the list of supported VM sizes. There does remain a significant number of limitations for host-based encryption.

Your subscription also needs to have this feature enabled by requesting it through the Azure Portal. Instructions are in the link provided under Prerequisites.


Good comparison here: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview

Azure Disk Storage Server-Side Encryption (also referred to as encryption-at-rest or Azure Storage encryption) is always enabled and automatically encrypts data stored on Azure managed disks (OS and data disks) when persisting on the Storage Clusters. When configured with a Disk Encryption Set (DES), it supports customer-managed keys as well. It doesn't encrypt temp disks or disk caches. For full details, see Server-side encryption of Azure Disk Storage.

Encryption at host is a Virtual Machine option that enhances Azure Disk Storage Server-Side Encryption to ensure that all temp disks and disk caches are encrypted at rest and flow encrypted to the Storage clusters. For full details, see Encryption at host - End-to-end encryption for your VM data.

Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets, with the option to encrypt with a key encryption key (KEK). For full details, see Azure Disk Encryption for Linux VMs or Azure Disk Encryption for Windows VMs.

Confidential disk encryption binds disk encryption keys to the virtual machine's TPM and makes the protected disk content accessible only to the VM. The TPM and VM guest state is always encrypted in attested code using keys released by a secure protocol that bypasses the hypervisor and host operating system. Currently only available for the OS disk. Encryption at host may be used for other disks on a Confidential VM in addition to Confidential Disk Encryption. For full details, see DCasv5 and ECasv5 series confidential VMs.
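Both answers describe four layers (server-side encryption, encryption at host, Azure Disk Encryption, confidential disk encryption) and the rule that ADE and encryption at host cannot coexist. The script below is an added example, not code from the question or either answer: it takes the JSON that `az vm show` returns for a VM and reports which layer is in effect plus the gaps a reviewer would flag (temp disk and host cache left unencrypted when only SSE applies, disks still on platform-managed keys, or an ADE extension on a VM that also has encryption at host). The field paths (`securityProfile.encryptionAtHost`, `storageProfile.osDisk.managedDisk.diskEncryptionSet`, `storageProfile.osDisk.managedDisk.securityProfile.securityEncryptionType`, and the ADE extension under `resources` with publisher `Microsoft.Azure.Security`) follow the Azure Compute CLI output as I know it and are an assumption to confirm against your own `az vm show` output; the sample VM documents are constructed.

```python
"""Classify an Azure VM's disk encryption posture from `az vm show` JSON.

Added example, not from the original thread. Field paths are an assumption
based on the Azure Compute CLI/REST shape; verify against real output.
"""
import json
import sys

ADE_PUBLISHER = "Microsoft.Azure.Security"
ADE_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}


def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def has_ade_extension(vm):
    """ADE on managed disks appears as a VM extension published by Microsoft.Azure.Security."""
    for ext in vm.get("resources") or []:
        ext_type = ext.get("typePropertiesType") or ext.get("type") or ""
        if ext.get("publisher") == ADE_PUBLISHER and ext_type.split("/")[-1] in ADE_TYPES:
            return True
    return False


def classify_encryption(vm):
    """Return the effective encryption mode and a list of findings a reviewer should see."""
    at_host = bool(_get(vm, "securityProfile.encryptionAtHost", False))
    ade = has_ade_extension(vm)
    os_des = _get(vm, "storageProfile.osDisk.managedDisk.diskEncryptionSet.id")
    sec_type = _get(vm, "storageProfile.osDisk.managedDisk.securityProfile.securityEncryptionType")
    confidential_os = sec_type == "DiskWithVMGuestState"  # confidential disk encryption, OS disk only
    data_disks = _get(vm, "storageProfile.dataDisks") or []

    findings = []
    # ADE and encryption at host are mutually exclusive; both present means a stale or broken inventory.
    if ade and at_host:
        findings.append("conflict: ADE extension present while encryptionAtHost is true")
    # Plain SSE never covers the temp disk or host cache; only encryption at host or in-guest ADE does.
    if not ade and not at_host:
        findings.append("temp disk and host cache are not encrypted (SSE only)")
    # Without a Disk Encryption Set, SSE uses platform-managed keys (ADE keeps its own keys in Key Vault).
    if not ade and not confidential_os and os_des is None:
        findings.append("OS disk: platform-managed keys (no DiskEncryptionSet)")
    for disk in data_disks:
        if not ade and _get(disk, "managedDisk.diskEncryptionSet.id") is None:
            findings.append(f"data disk lun {disk.get('lun')}: platform-managed keys (no DiskEncryptionSet)")

    if confidential_os:
        mode = "confidential disk encryption (OS disk)" + (" + encryption at host" if at_host else "")
    elif ade:
        mode = "Azure Disk Encryption (in-guest)"
    elif at_host:
        mode = "encryption at host"
    else:
        mode = "server-side encryption only"
    return {"mode": mode, "findings": findings}


# Constructed sample documents (not real resources), trimmed to the fields used above.
DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
          "/providers/Microsoft.Compute/diskEncryptionSets/des1")
ADE_EXT = {"name": "AzureDiskEncryptionForLinux", "publisher": ADE_PUBLISHER,
           "typePropertiesType": "AzureDiskEncryptionForLinux"}

SAMPLE_SSE_ONLY = {
    "name": "vm-sse", "securityProfile": {}, "resources": [],
    "storageProfile": {"osDisk": {"managedDisk": {}}, "dataDisks": [{"lun": 0, "managedDisk": {}}]},
}
SAMPLE_AT_HOST = {
    "name": "vm-eah", "securityProfile": {"encryptionAtHost": True}, "resources": [],
    "storageProfile": {"osDisk": {"managedDisk": {"diskEncryptionSet": {"id": DES_ID}}},
                       "dataDisks": [{"lun": 0, "managedDisk": {"diskEncryptionSet": {"id": DES_ID}}}]},
}
SAMPLE_ADE = {
    "name": "vm-ade", "securityProfile": {"encryptionAtHost": False}, "resources": [ADE_EXT],
    "storageProfile": {"osDisk": {"managedDisk": {}}, "dataDisks": []},
}
SAMPLE_CONFLICT = {
    "name": "vm-both", "securityProfile": {"encryptionAtHost": True}, "resources": [ADE_EXT],
    "storageProfile": {"osDisk": {"managedDisk": {}}, "dataDisks": []},
}


def main(argv):
    """Audit VM JSON files given on the command line, or the constructed samples if none."""
    vms = [json.load(open(p)) for p in argv[1:]] or [SAMPLE_SSE_ONLY, SAMPLE_AT_HOST, SAMPLE_ADE, SAMPLE_CONFLICT]
    for vm in vms:
        result = classify_encryption(vm)
        print(f"{vm.get('name')}: {result['mode']}")
        for finding in result["findings"]:
            print(f"  - {finding}")


if __name__ == "__main__":
    main(sys.argv)
```

Feed it real output with `az vm show -g RG -n VM -o json > vm.json && python3 audit.py vm.json`. The check is deliberately conservative: a VM with no ADE extension and `encryptionAtHost` unset is reported as SSE only, which is exactly the case where the temp disk and cache are unprotected.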