Q. What are the encryption options for Azure IaaS VMs?
A. Encryption of data is always a hot topic: companies can struggle with the idea of their data sitting in a datacenter controlled by someone else, and with the possibility (however rare and unlikely) of the cloud provider being compelled to hand over that data to a government entity. While the news is often filled with stories of cloud providers fighting governments to protect customer data, or at minimum to win the right to notify the customer, the ideal solution is for the customer's data to be encrypted by the customer in such a way that the cloud provider cannot read it even if it wanted to. There are a number of different options for encryption with varying levels of protection; I've listed the main ones that apply to Azure IaaS VMs.
- Application-level encryption – use the application to encrypt its own data. For example, SQL Server Transparent Data Encryption (TDE), column encryption using symmetric or asymmetric keys, and Always Encrypted to encrypt data at rest and in memory.
- Custom application-level encryption using Azure – Azure provides a client-side encryption library that an application can use to encrypt data before writing it to Azure Storage and decrypt it after reading it back.
- Inside-the-OS file system encryption via BitLocker (Windows) or dm-crypt (Linux), using the Azure IaaS VM native encryption that is enabled through Azure Key Vault. An additional customer key-encryption key (KEK) stored in Azure Key Vault can be used to wrap the disk-encryption keys for an extra layer of protection, and access to the vault is secured via Azure AD. Azure Key Vault uses industry-leading HSMs to safeguard the keys.
- Inside-the-OS file system encryption via third-party encryption solutions, which may use Azure Key Vault or a separate key store external to Azure. These solutions can use different encryption technologies, but those listed utilize BitLocker for Windows. If a key vault other than Azure Key Vault is selected, this has the potential benefit of separating the key from the lock, in effect.
- Storage Account level encryption at rest, with automatic encryption and decryption. Here Azure stores and controls the keys.
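As an added example, not part of the original answer or Microsoft's documentation: the third option above (native in-guest BitLocker encryption with a customer KEK held in Key Vault) driven end to end with Azure PowerShell, followed by the status check a defender would run to confirm every volume actually ended up encrypted. It assumes the Az PowerShell module, an existing resource group, Windows VM and Premium-tier Key Vault (required for HSM-protected keys); every resource name is a placeholder.

```powershell
# Added example: enable Azure IaaS VM native (BitLocker) encryption on an existing
# Windows VM with a customer key-encryption key (KEK) in an HSM-backed Key Vault,
# then verify the result. Assumes the Az module; all names are placeholders.
$rg      = 'rg-example'      # placeholder resource group
$vmName  = 'vm-example'      # placeholder Windows VM
$kvName  = 'kv-example'      # placeholder Premium-SKU Key Vault
$kekName = 'vm-kek'          # placeholder name for the customer KEK

Connect-AzAccount | Out-Null

# 1. Allow the platform to write the per-VM disk-encryption secrets into the vault.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption

# 2. Create the customer KEK as an HSM-protected key; the BitLocker key for each
#    volume will be wrapped with this key before it is stored in the vault.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination 'HSM'
$kv  = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# 3. Enable encryption of both the OS and data volumes. The extension runs
#    BitLocker inside the guest; the wrapped BEK lands in the vault as a secret.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType 'All' -Force

# 4. Verify. Both volumes should report Encrypted, and the settings should show the
#    KEK URL, which proves the customer key (not just a platform key) is in play.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings

if ($status.OsVolumeEncrypted -ne 'Encrypted' -or $status.DataVolumesEncrypted -ne 'Encrypted') {
    Write-Warning "Encryption incomplete on $vmName : $($status.ProgressMessage)"
}
```

Step 4 is the part worth keeping in a scheduled compliance script: a VM whose extension was enabled but which never finished (a reboot that didn't happen, a data disk added later) reports NotEncrypted here while still looking "configured" in the portal.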