Encryption At Host Potential Downsides

Wojciech Rozanski 65 Reputation points
2023-05-19T12:05:33.1766667+00:00

Hello,

We are looking into implementing Defender for Cloud recommendations about encrypting data in transit.

We are not really fond of using ADE, but we are heavily looking towards using encryption-at-host. At first glance it looks like a much better solution in comparison to ADE. But before we go all wild and enable it on all our servers, I need to be 100% sure we don't bump into any unexpected issues.

Unfortunately the articles I found all focus on ADE:

As such, I would like to have some clarification on certain topics:

  • Does EAH work flawlessly with Azure Backup?
    • Do the same limitations apply as for ADE (like the lack of file-level restore)?
    • Are there no problems with restoring the VM which is encrypted at host?
    • Does cross-site restore work with EAH-enabled VMs?
  • What happens in case of a host failure?
    • Will the VM which is encrypted at host be able to start on another host after a failover? Or in case of the "Redeploy" process?
    • Will the VM need to be re-encrypted after it's spun up on another host?
  • Does Azure Site Recovery support VMs which are EAH-enabled?
    • Will the VM be automatically encrypted after a failover to another region or will re-encryption be required?
    • Is the traffic from the VM to the cache storage account encrypted?
    • Is the traffic from the cache storage account to the secondary region also encrypted?

Many thanks in advance for your assistance

Kind regards,

Wojciech


Accepted answer
  TP 75,646 Reputation points
    2023-05-19T20:27:28.2766667+00:00

    Hi Wojciech,

    I wanted to provide some quick answers for you now. I will expand a bit later after I finish some other tasks.

    • Does EAH work flawlessly with Azure Backup?
      • Do the same limitations apply as for ADE (like the lack of file-level restore)?
      • Are there no problems with restoring the VM which is encrypted at host?
      • Does cross-site restore work with EAH-enabled VMs?

    A: Does not have same limitations as ADE. File-level restore works. Cross-region restore works.

    • What happens in case of a host failure?
      • Will the VM which is encrypted at host be able to start on another host after a failover? Or in case of the "Redeploy" process?
      • Will the VM need to be re-encrypted after it's spun up on another host?

    A: Yes, VM can start on another host. Yes, VM can be redeployed. No, VM does not need to be re-encrypted.

    • Does Azure Site Recovery support VMs which are EAH-enabled?
      • Will the VM be automatically encrypted after a failover to another region or will re-encryption be required?
      • Is the traffic from the VM to the cache storage account encrypted?
      • Is the traffic from the cache storage account to the secondary region also encrypted?

    A: VM will be protected by ASR, however, after failover the VM won't have Encryption at host enabled. Re-encryption will not be required after failover. Traffic to cache storage and secondary region is encrypted.

    -TP

    3 people found this answer helpful.
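Because the accepted answer states that a VM failed over by ASR comes up without encryption at host enabled, a practitioner will want a repeatable audit to run after a failover or redeploy and before declaring the recovered estate compliant. The script below is an added example, not code from this thread or from Microsoft; it assumes the JSON shape returned by `az vm list -o json` (each VM carrying `securityProfile.encryptionAtHost`, absent or null when EAH was never set) and the documented `az vm update --set securityProfile.encryptionAtHost=true` remediation, which only succeeds on a deallocated VM. The VM names and resource groups in the sample data are constructed.

```python
"""Audit Azure VMs for encryption at host (EAH).

Added example, not code from the Q&A thread. It assumes the JSON shape
returned by `az vm list -o json`, where each VM object carries
`securityProfile.encryptionAtHost` (absent or null when EAH was never set).
"""
import json
import subprocess
from typing import Iterable

# Constructed sample mimicking `az vm list -o json` output, trimmed to the
# fields the audit needs. Names and resource groups are made up.
SAMPLE_VM_LIST = json.loads("""
[
  {"name": "app01", "resourceGroup": "rg-prod",
   "securityProfile": {"encryptionAtHost": true}},
  {"name": "db01", "resourceGroup": "rg-prod",
   "securityProfile": {"encryptionAtHost": false}},
  {"name": "dr-web01", "resourceGroup": "rg-dr",
   "securityProfile": null},
  {"name": "legacy01", "resourceGroup": "rg-legacy"}
]
""")


def has_encryption_at_host(vm: dict) -> bool:
    """True only when the VM model explicitly reports encryptionAtHost = true."""
    profile = vm.get("securityProfile") or {}
    return profile.get("encryptionAtHost") is True


def find_vms_without_eah(vms: Iterable[dict]) -> list[str]:
    """Return 'resourceGroup/name' for every VM that is not encrypted at host."""
    return [
        f"{vm.get('resourceGroup', '?')}/{vm['name']}"
        for vm in vms
        if not has_encryption_at_host(vm)
    ]


def remediation_commands(vms: Iterable[dict]) -> list[str]:
    """Build the `az vm update` command that turns EAH on for each flagged VM.

    EAH can only be toggled while the VM is deallocated, so each update is
    chained after an `az vm deallocate` for the same VM.
    """
    cmds = []
    for vm in vms:
        if has_encryption_at_host(vm):
            continue
        rg, name = vm.get("resourceGroup", "<rg>"), vm["name"]
        cmds.append(
            f"az vm deallocate -g {rg} -n {name} && "
            f"az vm update -g {rg} -n {name} "
            f"--set securityProfile.encryptionAtHost=true"
        )
    return cmds


def load_from_cli() -> list[dict]:
    """Fetch live inventory; requires an authenticated Azure CLI (`az login`)."""
    out = subprocess.run(["az", "vm", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    try:
        vms = load_from_cli()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("Azure CLI unavailable, using constructed sample data")
        vms = SAMPLE_VM_LIST
    for entry in find_vms_without_eah(vms):
        print("NOT encrypted at host:", entry)
    for cmd in remediation_commands(vms):
        print(cmd)
```

The check treats anything other than an explicit `true` as unencrypted, so VMs whose model lacks a security profile entirely (the shape you get for a freshly failed-over or older VM) are flagged rather than silently passed; the printed remediation lines are meant to be reviewed and run deliberately, since deallocating a VM is disruptive.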
