Azure Disk encryption on Azure virtual desktop

M Hemant Kumar 20 Reputation points
2023-07-26T20:06:23.97+00:00

We already enabled ADE on Azure VM disks based on CloudCheckR tool recommendations.

But now we need suggestions on whether we should also enable ADE (Azure Disk Encryption) on AVD (Azure Virtual Desktops), or whether it is not required, with any justification, since we have around 70+ AVDs in place.


2 answers

  1. Johan Vanneuville 161 Reputation points MVP
    2023-07-27T06:28:37.12+00:00

    Hi,

    Microsoft has put it in the security best practices for AVD.

    https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide

    I also do it as a default to increase the security of any AVD environment.


  2. Sumarigo-MSFT 44,416 Reputation points Microsoft Employee
    2023-07-28T13:23:36.9166667+00:00

    @M Hemant Kumar Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Enabling Azure Disk Encryption (ADE) on Azure Virtual Desktops (AVD) is a good security practice to protect the data stored on the virtual desktops. ADE uses industry-standard encryption to encrypt the data at rest on the virtual desktops, which helps to prevent unauthorized access to the data.

    Enabling ADE on AVD is not mandatory, but it is recommended to protect sensitive data stored on the virtual desktops. If your organization has compliance or regulatory requirements that mandate the use of encryption for data at rest, then enabling ADE on AVD is necessary to meet those requirements.

    However, whether you should enable ADE on AVD depends on several factors, including your organization's security requirements, compliance needs, and risk tolerance. Here are some considerations to help you make an informed decision:

    1. Data Sensitivity: Consider the sensitivity of the data stored on the AVD virtual machines. If the VMs handle sensitive or confidential information, enabling ADE can help protect the data at rest, even in the event of unauthorized access to the underlying storage.
    2. Compliance Requirements: Evaluate whether your organization is subject to specific compliance standards that mandate encryption for data at rest. Enabling ADE can assist in meeting these compliance requirements.
    3. Security Best Practice: ADE is considered a security best practice for protecting data at rest in Azure. Implementing encryption can help safeguard your data from potential threats and data breaches.
    4. Risk Assessment: Conduct a risk assessment to understand the potential impact of a data breach on AVD virtual machines. Assess the likelihood of unauthorized access to the underlying storage and the potential consequences. ADE can mitigate the risk of unauthorized access to data on disks.
    5. Performance Impact: Enabling ADE can have a minimal impact on performance, but it's essential to test the impact on AVD performance in your specific environment. Evaluate the trade-off between security and performance based on your organization's needs.
    6. Key Management: Consider the management of encryption keys. With ADE, you can choose to use either Azure-managed keys or customer-managed keys (bring your own key - BYOK). Customer-managed keys give you more control over the encryption keys used for ADE.
    7. Operational Overhead: Implementing and managing ADE on a large number of AVD virtual machines (70+ in your case) may introduce additional operational overhead. Plan for key rotation and backup procedures to maintain data access in case of key loss.
    8. Backup and Disaster Recovery: Ensure that you have a robust backup and disaster recovery strategy in place, including testing data recovery with ADE-enabled AVD virtual machines.

    Enabling ADE on AVD can be done using the Azure portal or PowerShell. You can follow the steps in this document to enable ADE on AVD: Encrypt virtual machine disks with Azure Disk Encryption for Windows VMs.

    You should test the performance impact of enabling ADE on AVD before enabling it in production.

    Enabling ADE on AVD requires a key vault to store the encryption keys. You should ensure that the key vault is properly secured and access to the key vault is restricted to authorized users.

    This article describes steps you can take as an admin to keep your customers' Azure Virtual Desktop deployments secure.

    Security and governance

    Please let us know if you have any further queries. I'm happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

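The answer above says ADE can be enabled with PowerShell and that a Key Vault is required; the script below is an added example (not from the Q&A or Microsoft's documentation) that audits every session host in an AVD host pool for its ADE status, drains any unencrypted host so users are not kicked off mid-encryption, and then enables ADE against a Key Vault. It assumes the Az.Accounts, Az.Compute, Az.KeyVault and Az.DesktopVirtualization modules, an existing `Connect-AzAccount` session, and that the resource group, host pool and vault names are placeholders for your own environment.

```powershell
# Added example: audit and enable Azure Disk Encryption on AVD session hosts.
# All names below are placeholders; replace them with your own resources.
$HostPoolRg   = "rg-avd-hostpool"       # RG that holds the host pool object
$HostPoolName = "hp-avd-prod"
$VmRg         = "rg-avd-sessionhosts"   # RG that holds the session host VMs
$KeyVaultRg   = "rg-avd-keyvault"
$KeyVaultName = "kv-avd-ade"            # must be in the same region/subscription as the VMs

# 1. ADE stores the BitLocker keys in Key Vault, so the vault must allow disk
#    encryption. Keep the vault's access policies / RBAC tight, as the answer notes.
$kv = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KeyVaultRg
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KeyVaultRg `
        -EnabledForDiskEncryption
}

# 2. Enumerate session hosts. Get-AzWvdSessionHost returns Name as
#    "<hostpool>/<vm-fqdn>", so strip the pool prefix and the DNS suffix to get the VM name.
$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $HostPoolRg -HostPoolName $HostPoolName
$report = foreach ($sh in $sessionHosts) {
    $fqdn   = ($sh.Name -split '/')[-1]
    $vmName = $fqdn -replace '\..*$', ''
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $VmRg -VMName $vmName
    [pscustomobject]@{
        SessionHost = $fqdn
        VM          = $vmName
        OsDisk      = $status.OsVolumeEncrypted      # Encrypted / NotEncrypted / ...
        DataDisks   = $status.DataVolumesEncrypted
    }
}
$report | Format-Table -AutoSize   # the audit view; run this first on all 70+ hosts

# 3. Enable ADE only where the OS volume is not already encrypted. The VM reboots
#    during encryption, so stop new sessions landing on it first.
foreach ($item in ($report | Where-Object { $_.OsDisk -ne 'Encrypted' })) {
    Update-AzWvdSessionHost -ResourceGroupName $HostPoolRg -HostPoolName $HostPoolName `
        -Name $item.SessionHost -AllowNewSession:$false
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $VmRg -VMName $item.VM `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri `
        -DiskEncryptionKeyVaultId  $kv.ResourceId `
        -VolumeType All -Force
    # Re-enable -AllowNewSession:$true once Get-AzVMDiskEncryptionStatus reports Encrypted.
}
```

Run step 2 alone first to get the encryption inventory; step 3 is what changes state, so roll it out to a pilot host and test sign-in and performance before the full pool, as the answer recommends.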