Encryption At Host Potential Downsides

Question

Hello,

We are looking into implementing Defender for Cloud recommendations about encrypting data in transit.

We are not really fond of using ADE, but we are heavily looking towards using encryption-at-host. At first glance it looks like a much better solution in comparison to ADE. But before we go all wild and enable it on all our servers, I need to be 100% sure we don't bump into any unexpected issues.

Unfortunately the articles I found all focus on ADE:

• https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms
• https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-encryption#encryption-support-using-ade

As such, I would like to have some clarification on certain topics:

• Does EAH work flawlessly with Azure Backup?
  • Do the same limitations apply as for ADE (like the lack of file-level restore)?
  • Are there no problems with restoring the VM which is encrypted at host?
  • Does cross-site restore work with EAH-enabled VMs?
• What happens in case of a host failure?
  • Will the VM which is encrypted at host be able to start on another host after a failover? Or in case of the "Redeploy" process?
  • Will the VM need to be re-encrypted after it's span up on another host?
• Does Azure Site Recovery support VMs which are EAH-enabled?
  • Will the VM be automatically encrypted after a failover to another region or will re-encryption be requied?
  • Is the traffic from the VM to the cache storage account encrypted?
  • Is the traffic from the cache storage account to the secondary region also encrypted?

Many thanks in advance for your assistance

Kind regards,

Wojciech

Answer 1

Hi Wojciech,

I wanted to provide some quick answers for you now. I will expand a bit later after I finish some other tasks.

• Does EAH work flawlessly with Azure Backup?
  • Do the same limitations apply as for ADE (like the lack of file-level restore)?
  • Are there no problems with restoring the VM which is encrypted at host?
  • Does cross-site restore work with EAH-enabled VMs?

A: Does not have same limitations as ADE. File-level restore works. Cross-region restore works.

• What happens in case of a host failure?
  • Will the VM which is encrypted at host be able to start on another host after a failover? Or in case of the >"Redeploy" process?
  • Will the VM need to be re-encrypted after it's span up on another host?

A: Yes, VM can start on another host. Yes, VM can be redeployed. No, VM does not need to be re-encrypted.

• Does Azure Site Recovery support VMs which are EAH-enabled?
  • Will the VM be automatically encrypted after a failover to another region or will re-encryption be requied?
  • Is the traffic from the VM to the cache storage account encrypted?
  • Is the traffic from the cache storage account to the secondary region also encrypted?

A: VM will be protected by ASR, however, after failover the VM won't have Encryption at host enabled. Re-encryption will not be required after failover. Traffic to cache storage and secondary region is encrypted.

-TP