This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 43%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAJ%3C/text%3E%3C/svg%3E)
I understand what Server Side Encryption and Azure Disk Encryption mean and how you can turn them on.
I don't understand that when I turn on the ADE (BitLocker) for a (windows) VM's OS disk, the OS disk encryption says "SSE with PMK & ADE." Isn't that super confusing? How can ADE be used along with SSE? I understand SSE cannot be turned off, but I thought it was true only for data disks.
My confusion is this:
If I use BitLocker on a laptop, it provides OS-level encryption, which is all one needs. So in the case of Azure OS disk encryption, is it using double encryption with SSE and ADE?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Anuj Jain Server side encryption [SSE] is default offering. All of your Azure VMs managed disks are always encrypted by default when they are stored on underlying storage. This is encryption at rest by the Azure itself.
You don’t need any additional efforts to perform Server Side Encryption of Azure VM Managed disk. More importantly you can't disable it as well. Server side encryption is not optional, and always provided behind the scene.
Azure Disk Encryption of Azure VM Managed Disks
Azure Disk Encryption [ADE] is optional. This method provides an extra layer of security over SSE. This encryption is performed at OS level of VM and hence there are many conditions where ADE is supported/ not supported. Where as SSE is always performed at backend storage level and has nothing to do with OS of VM being encrypted.
Does this answer your question? Please let us know if you have any more questions and we will be glad to assist you further. Thank you!
Remember:
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Thanks for explaining Sai. So if I were to use ADE for a VM, it will appear as SSE with PMK/CMK with ADE?
Furthermore, it would mean that there is double encryption of data on your OS disk at play here?
Yes, you are right. SSE is usually done at the storage account for your managed disk, whereas ADE is done at the VM so it is not double encryption but it is encrypted end to end rather. Does that helps? If not, please let me know. Thanks!
Here is a helpful video to understand Disk Encryption -https://www.youtube.com/watch?v=EOXgzTqceok
Thank you!
Sai,
Is the VM not encrypting the data for rest (and also transit between the host and the disk) that is going to be stored on the already SSE-encrypted OS disk (and data disk if selected)?
If yes, would that not be double encryption? Or i misunderstand this.
@Anuj Jain You can say it is double encrypted since the encrypted data sits in the storage account that is also encrypted. Yes! I apologize for the confusion..
Hope this answers your question. Please let us know if you have any more questions and we will be glad to assist you further. Thank you!
Remember:
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Excellent. THanks Sai
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 27%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Excellent,thanks for the clarification @SaiKishor-MSFT