Microsoft Azure Encryption at host – What is it actually?

To clear some of the confusion around this new encryption feature in Microsoft Azure called Encryption at host, what does it actually do?
When reading the documentation from Microsoft is states the following

“When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches are stored on that VM host. After enabling encryption at host, all this data is encrypted at rest and flows encrypted to the Storage service, where it’s persisted. Essentially, encryption at host encrypts your data from end-to-end. Encryption at host doesn’t use your VM’s CPU and doesn’t impact your VM’s performance.”

This comparison table found here also clearly indicates that Encryption at host seems like the best option…

By default in Azure, all data is encrypted at rest using a feature called SSE (Service-side encryption) which means that if someone rams the Microsoft datacenter and plugs out a disk it will be encrypted using hardware keys from Microsoft. So what does then encryption at host do? It has to do with the communication between the compute and storage layer, and can be seen as a option that enhances Azure Disk Storage Server-Side Encryption to ensure that all temp disks and disk caches are encrypted at rest and flow encrypted to the Storage clusters.

One thing that clearly does not appear in the table comparison from Microsoft is that IT DOES NOT ENCRYPT THE VM. What does that mean? Well If I were to get access to an Azure tenant, I could stop the VM and do a disk export and download the VHD file, mount it and then see all the data there (no encryption of the data)

If you however enable Azure Disk Encryption which uses Bitlocker for Windows and DM-Crypt for Linux it means that the actual data and OS is encrypted, so if someone manages to download the VHD file of a VM using that feature they will not be able to inspect or read the data.

For instance here we have a Virtual machine that has encryption at host enabled. While disk encryption is not enabled.

If I choose download this VHD file and open it directly on another Windows machine I can browse it normal.

Since the intention of this feature is not encryption the VM itself but the communication flow and some companies have these type of requirements for compliance purposes. However the table above badly reflects the bigger difference between Azure Disk Encryption and Encryption at host.

Leave a Reply

Scroll to Top