As of today, Microsoft has a few different ways of encrypting Azure data. The options for Azure data encryption on servers include Storage Service Encryption and Azure Disk Encryption. Below is a quick summary of each.
Storage Service Encryption (SSE)
This operates at the storage account level and encrypts data at rest. Encryption takes place as the data is written to storage, and the data is decrypted when it’s read.
Pros: Easiest to implement by selecting an option on the storage account. Satisfies the “is data encrypted at rest” requirement of most audits. Available on all types of storage in all regions. Enabled by default on new storage accounts.
Cons: Data is decrypted before it’s passed over the network (however, HTTPS or SMB 3.0 can be enforced to encrypt data in flight). Microsoft-managed keys are used by default. There is an option to use your own keys, but they are stored in the Microsoft Key Vault (feature in preview, not GA).
Azure Disk Encryption
Virtual drive encryption, using BitLocker on Windows or DM-Crypt on Linux.
Pros: Generally Available. Virtual hard drives are unusable without the key.
Cons: Keys are managed in the Microsoft Key Vault. More complicated to set up, and adds extra steps to data recovery. Not supported on Basic tier VMs.
*Please note: if you are using Azure Disk Encryption, you must use the Key Encryption Key (KEK) method to encrypt the drives. You will not be able to back up servers unless you use a KEK.
The performance impact of SSE is inconsequential. Only new data written to the storage account is encrypted after enabling SSE. In situations where all existing data needs to be encrypted, it will be necessary to create a new storage account with encryption enabled and copy the data to it.
The only time you may consider disabling SSE is on storage accounts that house virtual disks already encrypted with Azure Disk Encryption. This would avoid double encryption. However, there is no downside to having encryption enabled on storage accounts that hold encrypted disks. All new storage accounts now have SSE on by default, and Microsoft has no recommendation to disable encryption in these scenarios.
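The two gaps called out above (an ADE-encrypted VM without a KEK, which blocks backup, and a storage account with SSE turned off that holds disks not protected by ADE) can be checked from an exported inventory. The audit below is an added example, not code from the original post; the field names (`encryption.services.blob.enabled`, `osDisk.encryptionSettings.keyEncryptionKey`) are assumed to follow the ARM resource schema, and the inventory is constructed sample data.

```python
"""Audit a constructed Azure inventory for the encryption gaps discussed above."""
import json

# Constructed sample. Field names are an assumption based on the ARM schema for
# storage account 'encryption' properties and the VM osDisk 'encryptionSettings'
# block written by Azure Disk Encryption; they are not taken from the post.
SAMPLE_INVENTORY = json.dumps({
    "storageAccounts": [
        {"name": "stgdefault", "encryption": {"keySource": "Microsoft.Storage",
            "services": {"blob": {"enabled": True}}}},
        {"name": "stgvmdisks", "encryption": {"keySource": "Microsoft.Storage",
            "services": {"blob": {"enabled": False}}}},
    ],
    "vms": [
        {"name": "vm-kek", "tier": "Standard", "storageAccount": "stgvmdisks",
         "osDisk": {"encryptionSettings": {"enabled": True,
            "diskEncryptionKey": {"secretUrl": "https://kv.vault.azure.net/secrets/a"},
            "keyEncryptionKey": {"keyUrl": "https://kv.vault.azure.net/keys/kek"}}}},
        {"name": "vm-nokek", "tier": "Standard", "storageAccount": "stgvmdisks",
         "osDisk": {"encryptionSettings": {"enabled": True,
            "diskEncryptionKey": {"secretUrl": "https://kv.vault.azure.net/secrets/b"}}}},
        {"name": "vm-plain", "tier": "Basic", "storageAccount": "stgvmdisks",
         "osDisk": {}},
    ],
})


def audit(inventory_json):
    """Return (resource name, finding) tuples; an empty list means no gaps found."""
    inv = json.loads(inventory_json)
    findings = []
    sse_off = set()
    for acct in inv["storageAccounts"]:
        blob = acct.get("encryption", {}).get("services", {}).get("blob", {})
        if not blob.get("enabled", False):  # SSE disabled on the account
            sse_off.add(acct["name"])
            findings.append((acct["name"], "SSE disabled: storage service not encrypting at rest"))
    for vm in inv["vms"]:
        settings = vm.get("osDisk", {}).get("encryptionSettings", {})
        if not settings.get("enabled", False):
            # No ADE: the disk is only protected if SSE is on for its account.
            if vm["storageAccount"] in sse_off:
                findings.append((vm["name"], "no ADE and SSE off on its storage account: disk unencrypted"))
            continue
        if "keyEncryptionKey" not in settings:  # ADE without the KEK method
            findings.append((vm["name"], "ADE without KEK: VM backup not supported"))
    return findings
```

Running `audit(SAMPLE_INVENTORY)` flags the SSE-off account, the VM encrypted without a KEK, and the unencrypted Basic-tier VM, while the KEK-protected VM passes.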