File: articles/virtual-machines/linux/disk-encryption-faq.md (22 additions & 2 deletions)
@@ -10,9 +10,15 @@ ms.date: 06/05/2019
10
10
ms.custom: seodec18
11
11
---
12
12
13
-
# Azure Disk Encryption for IaaS VMs FAQ
13
+
# Azure Disk Encryption for Linux virtual machines FAQ
14
14
15
-
This article provides answers to frequently asked questions (FAQ) about Azure Disk Encryption for Linux VMs. For more information about this service, see [Azure Disk Encryption overview](disk-encryption-overview.md).
15
+
This article provides answers to frequently asked questions (FAQ) about Azure Disk Encryption for Linux virtual machines (VMs). For more information about this service, see [Azure Disk Encryption overview](disk-encryption-overview.md).
16
+
17
+
## What is Azure Disk Encryption for Linux VMs?
18
+
19
+
Azure Disk Encryption for Linux VMs uses the dm-crypt feature of Linux to provide full disk encryption of the OS disk* and data disks. Additionally, it provides encryption of the ephemeral resource disk when using the [EncryptFormatAll feature](disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms). The content flows encrypted from the VM to the Storage backend. Thereby, providing end-to-end encryption with a customer-managed key.
20
+
21
+
See [Supported VMs and operating systems](disk-encryption-overview.md#supported-vms-and-operating-systems).
16
22
17
23
## Where is Azure Disk Encryption in general availability (GA)?
18
24
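Review bot: The asterisk in "OS disk*" in the added "What is Azure Disk Encryption for Linux VMs?" answer has no matching footnote in this hunk, so the reader cannot tell which limitation applies to OS disk encryption on Linux. Add the footnote text, or drop the asterisk and state the qualifier inline; if the following "See [Supported VMs and operating systems]" line is meant to be that footnote, mark it as such. In the same paragraph, "Thereby, providing end-to-end encryption with a customer-managed key." is a sentence fragment and should be joined to the sentence before it ("..., thereby providing end-to-end encryption with a customer-managed key.").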
@@ -44,6 +50,20 @@ After you've encrypted the OS volume, disabling encryption on the OS volume isn'
44
50
45
51
No, Azure Disk Encryption only encrypts mounted volumes.
46
52
53
+
## What is Storage server-side encryption?
54
+
55
+
Storage server-side encryption encrypts Azure managed disks in Azure Storage. Managed disks are encrypted by default with Server-side encryption with a platform-managed key (as of June 10, 2017). You can manage encryption of managed disks with your own keys by specifying a customer-managed key. For more information see: [Server-side encryption of Azure managed disks](disk-encryption.md).
56
+
57
+
## How is Azure Disk Encryption different from Storage server-side encryption with customer-managed key and when should I use each solution?
58
+
59
+
Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the ephemeral resource disk with a customer-managed key.
60
+
- If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption.
61
+
- If your requirements include encrypting only data at rest with customer-managed key, then use [Server-side encryption with customer-managed keys](disk-encryption.md). You cannot encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer-managed keys.
62
+
- If your Linux distro is not listed under [supported operating systems for Azure Disk Encryption](disk-encryption-overview.md#supported-operating-systems) or you are using a scenario called out in the [unsupported scenarios for Windows](disk-encryption-linux.md#unsupported-scenarios), consider [Server-side encryption with customer-managed keys](disk-encryption.md).
63
+
- If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default. For managed disks, the content inside storage is encrypted by default with Server-side encryption with platform-managed key. The key is managed by the Azure Storage service.
64
+
65
+
66
+
47
67
## How do I rotate secrets or encryption keys?
48
68
49
69
To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption.
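Review bot: The third bullet of the new "How is Azure Disk Encryption different from Storage server-side encryption..." section labels its link "unsupported scenarios for Windows" although this is the Linux FAQ and the target is disk-encryption-linux.md#unsupported-scenarios; the link text should read "unsupported scenarios for Linux". Two smaller points in the same hunk: "For more information see:" should be punctuated as in the Windows file ("For more information, see"), and the three empty lines added after the bullet list (new lines 64 to 66) can be reduced to one.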
File: articles/virtual-machines/windows/disk-encryption-faq.md (20 additions & 1 deletion)
@@ -9,10 +9,16 @@ ms.date: 11/01/2019
9
9
ms.custom: seodec18
10
10
---
11
11
12
-
# Azure Disk Encryption for Windows VMs FAQ
12
+
# Azure Disk Encryption for Windows virtual machines FAQ
13
13
14
14
This article provides answers to frequently asked questions (FAQ) about Azure Disk Encryption for Windows VMs. For more information about this service, see [Azure Disk Encryption overview](disk-encryption-overview.md).
15
15
16
+
## What is Azure Disk Encryption for Windows VMs?
17
+
18
+
Azure Disk Encryption for Windows VMs uses the Bitlocker feature of Windows to provide full disk encryption of the OS disk and data disks. Additionally, it provides encryption of the ephemeral resource disk when the [VolumeType parameter is All](disk-encryption-windows.md#enable-encryption-on-a-newly-added-data-disk). The content flows encrypted from the VM to the Storage backend. Thereby, providing end-to-end encryption with a customer-managed key.
19
+
20
+
See [Supported VMs and operating systems](disk-encryption-overview.md#supported-vms-and-operating-systems).
21
+
16
22
## Where is Azure Disk Encryption in general availability (GA)?
17
23
18
24
Azure Disk Encryption is in general availability in all Azure public regions.
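Review bot: The link on "VolumeType parameter is All" in the added "What is Azure Disk Encryption for Windows VMs?" answer points to disk-encryption-windows.md#enable-encryption-on-a-newly-added-data-disk, an anchor whose name is about newly added data disks rather than the VolumeType parameter or the resource disk; please confirm this is the intended target or link to the section that documents VolumeType. Also in this paragraph, "Bitlocker" should be spelled "BitLocker" and "Thereby, providing end-to-end encryption with a customer-managed key." is a fragment that should be joined to the previous sentence. The H1 now says "virtual machines" but the unchanged intro line still uses "Windows VMs" without expanding the abbreviation, unlike the Linux file, which was updated to "virtual machines (VMs)".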
@@ -43,6 +49,19 @@ After you've encrypted the OS volume, disabling encryption on the OS volume isn'
43
49
44
50
No, Azure Disk Encryption only encrypts mounted volumes.
45
51
52
+
## What is Storage server-side encryption?
53
+
54
+
Storage server-side encryption encrypts Azure managed disks in Azure Storage. Managed disks are encrypted by default with Server-side encryption with a platform-managed key (as of June 10, 2017). You can manage encryption of managed disks with your own keys by specifying a customer-managed key. For more information, see [Server-side encryption of Azure managed disks](disk-encryption.md).
55
+
56
+
## How is Azure Disk Encryption different from Storage server-side encryption with customer-managed key and when should I use each solution?
57
+
58
+
Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the ephemeral resource disk with a customer-managed key.
59
+
60
+
- If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption.
61
+
- If your requirements include encrypting only data at rest with customer-managed key, then use [Server-side encryption with customer-managed keys](disk-encryption.md). You cannot encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer managed keys.
62
+
_ If you are using a scenario called out in [unsupported scenarios for Windows](disk-encryption-windows.md#unsupported-scenarios), consider [Server-side encryption with customer-managed keys](disk-encryption.md).
63
+
- If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default. For managed disks, the content inside storage is encrypted by default with Server-side encryption with platform-managed key. The key is managed by the Azure Storage service.
64
+
46
65
## How do I rotate secrets or encryption keys?
47
66
48
67
To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption.
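Review bot: The third bullet in the new "How is Azure Disk Encryption different from Storage server-side encryption..." list starts with "_" instead of "-" ("_ If you are using a scenario called out in ..."), so Markdown will not render it as a list item and it will run into the preceding bullet's text. Change the underscore to a hyphen. In the bullet above it, "customer managed keys" is missing the hyphen used everywhere else in the hunk ("customer-managed keys").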