Azure VM - Managed disk encryption in transit between VM and disk storage service?

Søren Brandt (SOB) 1 Reputation point
2022-09-23T12:25:40.93+00:00

Normally, I would be inclined to assume that data are encrypted in transit between a VM and the managed disk storage service.

However, in [Enable end-to-end encryption using encryption at host][1], it is stated that “When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.”

So how should I understand this statement? Does it mean that if I do not enable Encryption at Host or Azure Disk Encryption, then my data will be transmitted unencrypted between the VM and the managed disk storage service?


1 answer

SaiKishor-MSFT 17,201 Reputation points
2022-09-26T23:16:41.047+00:00

@Søren Brandt (SOB) Thank you for reaching out to Microsoft Q&A. I understand that you are having questions about Disk Encryption.

Answering your question: Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the temporary disk, using a customer-managed key.

• If your requirements include encrypting only data at rest with a customer-managed key, then use Server-side encryption with customer-managed keys. You cannot encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer-managed keys.

Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data and to help you meet your organizational security and compliance commitments. Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, are not encrypted through Azure Storage. For disks with encryption at host enabled, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage.

So if you use Azure Disk Encryption and Encryption at host, data flows encrypted between storage and compute, and if you use Azure Disk Storage Server-Side Encryption at rest, it is not encrypted between storage and compute.

Please also refer to this comparison to know more: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview#comparison and this video for a Deep Dive into Disk Encryption: https://www.youtube.com/watch?v=EOXgzTqceok&t=1873s

Hope this answers your questions. If not, please let me know and I can assist further. Thank you!
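As an added illustration, not part of the question or the answer above: a small inventory check that sorts VMs into the three modes the answer distinguishes (encryption at host, Azure Disk Encryption, Storage server-side encryption only) and lists the ones that rely solely on SSE at rest. It consumes the JSON shape that `az vm list` returns; the property path `securityProfile.encryptionAtHost` and the `AzureDiskEncryption` / `AzureDiskEncryptionForLinux` extension entries under `resources` are assumed from the Azure VM resource schema, and the sample inventory is constructed.

```python
"""Classify Azure VMs by disk-encryption mode and flag SSE-only VMs.

Input is the JSON returned by `az vm list` (a list of VM resources).
Property paths are assumed from the Azure VM resource schema:
  - securityProfile.encryptionAtHost   -> encryption at host enabled
  - resources[].typePropertiesType     -> ADE guest extension present
"""
import json

# Constructed sample in the trimmed shape of `az vm list` output; not real data.
SAMPLE_VMS = json.loads("""
[
  {"name": "vm-sse-only", "resourceGroup": "rg-demo",
   "securityProfile": null, "resources": []},
  {"name": "vm-eah", "resourceGroup": "rg-demo",
   "securityProfile": {"encryptionAtHost": true}, "resources": []},
  {"name": "vm-ade", "resourceGroup": "rg-demo",
   "securityProfile": null,
   "resources": [{"publisher": "Microsoft.Azure.Security",
                  "typePropertiesType": "AzureDiskEncryptionForLinux"}]}
]
""")

ADE_EXTENSION_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}


def encryption_mode(vm: dict) -> str:
    """Return which of the three modes from the answer applies to one VM."""
    profile = vm.get("securityProfile") or {}
    if profile.get("encryptionAtHost") is True:
        # Host encrypts before the data leaves for the Storage service.
        return "encryption-at-host"
    for ext in vm.get("resources") or []:
        if (ext.get("publisher") == "Microsoft.Azure.Security"
                and ext.get("typePropertiesType") in ADE_EXTENSION_TYPES):
            # Guest OS encrypts the volumes, so written data is already ciphertext.
            return "azure-disk-encryption"
    # Only Azure Storage server-side encryption at rest applies.
    return "sse-only"


def vms_without_in_transit_encryption(vms: list) -> list:
    """'resourceGroup/name' of every VM relying solely on SSE at rest."""
    return [f"{vm['resourceGroup']}/{vm['name']}"
            for vm in vms if encryption_mode(vm) == "sse-only"]


if __name__ == "__main__":
    for vm in SAMPLE_VMS:
        print(f"{vm['name']:12} {encryption_mode(vm)}")
    print("SSE-only:", vms_without_in_transit_encryption(SAMPLE_VMS))
```

To run it against a real subscription, replace `SAMPLE_VMS` with `json.load()` of the output of `az vm list`.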