This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 4%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hello Everyone,
My requirement is to remediate one of the defender findings.
"Virtual Machines should encrypt temp disks and data flows between Compute and Storage resources"-- I believe this can be fixed by enabling azure encryption at host.
Can somebody please advise me what is the business impact of enabling this option in azure VMs?
Also I can see we can't perform azure disk encryption on disks that have enabled with VM encryption at host? so please advise me how does it effect there?
Looking forward for kind responses on this please.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Maheswararaju P Thank you for reaching out to Microsoft Q&A. I understand that you are having questions regarding encryption of Temp disks and data flows between compute and storage resources. Answering your questions below:
Azure Disk Encryption should help you with the above. Please refer to this thread that discusses a similar issue.
Can you explain further, what business impact you referring to? Downtime, costs?
When it comes to the effects, are you referring to the different ways the encryption is implemented?
With Encryption at Host, this is done at the Azure Server level, so the server that your VM is allocated to. Encryption at host encrypts your data from end-to-end. Encryption at host does not use your VM's CPU and doesn't impact your VM's performance. For more info.
Azure Disk Encryption (depending on your OS) leverages your VMs encryption features, such as BitLocker for Windows or DM Crypt for Linux, in order to provide volume encryption for the OS and data disks of the VM. For more info.
Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!
Remember:
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Hi @SaiKishor-MSFT ,
Thank you very much for your kind response.
From the comparisons Image, I can understand that Azure disk encryption and azure encryption at host both will suffice the requirement of (Virtual Machines should encrypt temp disks and data flows between Compute and Storage resources).
However when we go with Azure disk encryption, does it impact the VM CPU performance? Because from the comparisons image it was unchecked. Please confirm on this point Sai.
With regards to business impact, yeah I was referring both any downtime or cost implications anything that happened after we enable the azure disk encryption/encryption at host.
Also help me understand, Is enabling the azure disk encryption will encrypt the temp disks, and caches because except from image i couldn't see the same details from any Microsoft reference articles.
Lastly please help me know if there is any azure policy to implement to govern this encryption automatically.
Once again I appreciated your kind response @SaiKishor-MSFT .
Kind regards,
Maheswara.
Also as per restrictions details it seems
Existing VMs must be deallocated and reallocated inorder to be encrypted. Does this mean we can't enable encryption at host without doing deallocation of the VM. If it is true, then we may expect some downtime right. Please correct me if i am wrong @SaiKishor-MSFT and @Sumarigo-MSFT
Looking forward to hearing from you.
Thank you,
Maheswara.
@Maheswararaju P
Thank you for following up on this!
To help @SaiKishor-MSFT answer some of your questions:
When we go with Azure disk encryption, does it impact the VM CPU performance?
What is the business impact of enabling this option in Azure VMs? Existing VMs must be deallocated and reallocated in order to be encrypted, does this mean we can't enable Encryption at Host without doing deallocation of the VM?
Additional Links:
Server-side encryption versus Azure disk encryption
Azure Disk Encryption for Windows VMs
Azure Disk Encryption for Linux VMs
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Hi @JamesTran-MSFT ,
Thank you so much for your response. Your responses are quite helpful James. Lastly kindly help me with below two queries.
1.For Azure Disk Encryption, the downtime will be dependent on how much data is on your VMs OS disk, and how many data disks you plan to encrypt.--- Based on the reference you have shared, I understand it depends on the size of OS disks and data disks that we are encrypting. Assume if it takes 30 minutes, does it mean during 30 minutes VM will be down or it will be functional and running remains as it is.
2.Please provide me if there is any policy with effect deny, to prevent any VM that is going to be deployed without enabling disk encryption/encryption at host from the compliance or governance stand point.
Note:- Just to avoid any business impact in client, From your personnel experience what would you advise me to go with with ADE or Encryption at host?
Looking forward to hear your kind response on above queries.
Thank you,
Maheswara.
@Maheswararaju P
Thank you for following up on this and I apologize for the delayed response!
Assume if it takes 30 minutes, does that mean for 30 minutes the VM will be down, or will it be functional and running as is.
Please provide me if there is any policy with effect deny, to prevent any VM that is going to be deployed without enabling disk encryption/encryption at host from the compliance or governance standpoint.
Azure Policy built-in definitions for Azure Virtual Machines:
OS and data disks should be encrypted with a customer-managed key
Virtual machines and virtual machine scale sets should have encryption at host enabled
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Dear @JamesTran-MSFT ,
Thanks for your response.
From my experience, your VM won't be down for the full 30 minutes. Usually, the VM will need to restart during the encryption process, but the downtime will be the time it takes for your VM to boot-up. During the encryption process, your VM will be running with BitLocker encrypting your drives.------Please confirm is this behaviour expected incase of Linux as well? I understand you were referring to Windows vm bitlocker feature..Help me know is it same for Linux as well since I could see there were multiple restrictions incase of Linux vm.
Thank you so much for your kind support.
Looking forward to hearing from you.
Warm regards,
Maheswara
@Maheswararaju P
Thank you for following up on this!
I reached out to our Linux ADE SMEs and was told that the Linux VM will reboot a couple of times. However, you shouldn't login into the Linux VM if you are encrypting the OS, since that can break the OS encryption process.
If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@Maheswararaju P
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
Hi @JamesTran-MSFT ,
Thank you so much for your response. It was helpful.
Hi @JamesTran-MSFT ,
Thank you for your kind response in updating me with all relevant inputs.
I have accepted your solution as answer.
Warm regards,
Maheswara.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 24%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
Hello @JamesTran-MSFT If I do Encryption at host for my VM's, what kind of key points I've to take care to of? like does the VM changes the login credentials or whoever wants to access the machine have to take the key vault keys or disk encryption keys from me.?
Also please clarify what kind of steps I've to take care of implementation and also mention the cost for ADE and Encryption-at-host as well.
Thanks,
Jagadeesh