Enabling IaaS Encryption - When to use Azure Virtual Machine Encryption (Part 1)
This is the first blog within a 3-part series detailing my investigations on the current state of enabling Infrastructure as a Service (IaaS) Encryption functionality. Details are accurate as of July 2018.
Throughout the series, I will explore the following articles:
- When to use Azure Virtual Machine (VM) Encryption and when to avoid it
- How to configure Azure VM Encryption including script walkthrough
- What encryption looks like in practice and what the common limitations are
This initial article discusses when you should use Azure VM Encryption and the possible ramifications of enabling it.
03 Jul 2018
Should I use Azure VM Encryption?
Recently, I was asked by one of our clients if they should be enabling storage encryption on their Azure VMs. To assist with my response, I asked the following questions:
- Do you have any legal requirements such as Payment Card Industry Data Security Standard (PCI) compliance or is it part of a contract?
- Do you currently encrypt your existing VM disks on premises?
- Do you trust the physical security of a Microsoft Datacentre?
- Do you trust your team not to download disks maliciously?
- Are you confident that controls are in place to stop unauthorised access to the VM storage?
These questions are key when assessing whether enabling encryption is justified: the additional overhead and complexity it introduces can result in future compatibility issues.
Why you may want to Encrypt
So why would you want to encrypt your VM? Microsoft provide the following two reasons:
- IaaS VMs are secured at rest, because you can use industry-standard encryption technology to address organisational security and compliance requirements.
- IaaS VMs boot under customer-controlled keys and policies, and you can audit their usage in your key vault.
Why you may not want to Encrypt
Below are the practical issues that arise when enabling storage encryption on existing VMs:
- According to Microsoft, a single-digit performance overhead will generally be incurred.
- An additional volume is required and is automatically given the next drive letter; removing or disabling this volume is fatal.
- A Key Vault is required, adding a minor cost.
- 10-15 minutes of downtime is required per VM.
- The Backup Management Service must have access to the Key Vault.
- The Azure Site Recovery disaster recovery feature currently doesn't work with encrypted virtual machines.
- Azure Backup requires custom scripts or manual intervention to restore a VM correctly.
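Before answering the questions above for a real estate, it helps to know how many VMs are actually unencrypted today and whether the Key Vault you would rely on (for the VM platform and for the backup service) is even usable for disk encryption. The following read-only pre-flight inventory is an added example and is not from the original post; it assumes the Az PowerShell module is installed, that `Connect-AzAccount` has already been run against the subscription in question, and it uses a hypothetical vault name (`kv-example-diskenc`) that you would replace with your own.

```powershell
# Added example (not from the original post): read-only pre-flight inventory
# to support the "should I encrypt?" decision. Assumes the Az module and an
# existing Connect-AzAccount session. Nothing here modifies any resource.

param(
    # Hypothetical name of the Key Vault intended to hold disk encryption keys.
    [string]$CandidateVaultName = 'kv-example-diskenc'
)

# 1. Is the candidate Key Vault usable for Azure Disk Encryption at all?
#    The VM platform (and the backup service) can only read the disk
#    encryption secrets if the vault is enabled for disk encryption.
$vault = Get-AzKeyVault -VaultName $CandidateVaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    Write-Warning "Key Vault '$CandidateVaultName' not found; a vault is a prerequisite (and a small extra cost)."
} elseif (-not $vault.EnabledForDiskEncryption) {
    Write-Warning "Key Vault '$CandidateVaultName' exists but is not enabled for disk encryption."
} else {
    Write-Output "Key Vault '$CandidateVaultName' is enabled for disk encryption in $($vault.Location)."
}

# 2. Current encryption state of every VM in the subscription.
#    Each VM reported as NotEncrypted is one that would need the 10-15 minute
#    downtime window described above if you decide to proceed.
$report = foreach ($vm in Get-AzVM) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    [pscustomobject]@{
        VM                   = $vm.Name
        ResourceGroup        = $vm.ResourceGroupName
        Location             = $vm.Location
        OsType               = $vm.StorageProfile.OsDisk.OsType
        # Azure Disk Encryption requires the vault to be in the VM's region;
        # flag mismatches early rather than during the maintenance window.
        VaultRegionMatches   = if ($vault) { $vm.Location -eq $vault.Location } else { $null }
        OsVolumeEncrypted    = $status.OsVolumeEncrypted
        DataVolumesEncrypted = $status.DataVolumesEncrypted
    }
}

$report | Format-Table -AutoSize

# 3. Summary figure for the conversation with the business: how many VMs are
#    unencrypted today, and therefore how much change the decision implies.
$unencrypted = @($report | Where-Object { $_.OsVolumeEncrypted -ne 'Encrypted' })
Write-Output ("{0} of {1} VMs currently have an unencrypted OS volume." -f $unencrypted.Count, @($report).Count)
```

Run it once with the vault you are considering; a vault that is missing, not enabled for disk encryption, or in a different region from the VMs is a blocker you want to find before scheduling downtime, and the VM count tells you how many maintenance windows the decision commits you to.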
While being able to encrypt your VM in Azure can be a useful exercise, the experience and compatibility can fall short of the usual Azure experience. This is slowly improving, and I expect that over time it will become seamless. As it currently stands, I would only recommend enabling encryption if there is a strong external requirement to do so. If backup encryption is important to you but the limitations are a blocker for implementation, I encourage you to give feedback to Microsoft directly on the Azure UserVoice site here.
If you are looking for managed IT support and think you could benefit from PowerON’s consultancy services and solutions, please get in touch on +44800 302 9280.