@Søren Brandt (SOB) Thank you for reaching out to Microsoft Q&A. I understand that you have questions about Disk Encryption.
Answering your question- Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the temporary disk, using a customer-managed key.
- If your requirements include encrypting only data at rest with customer-managed key, then use Server-side encryption with customer-managed keys. You cannot encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer-managed keys.
Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data and to help you meet your organizational security and compliance commitments. Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, are not encrypted through Azure Storage. For disks with encryption at host enabled, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage.
So if you use Azure Disk Encryption and Encryption at host, data flows encrypted between storage and compute, and if you use Azure Disk Storage Server-Side Encryption at rest, it is not encrypted between storage and compute.
Please also refer to this comparison to know more- https://video2.skills-academy.com/en-us/azure/virtual-machines/disk-encryption-overview#comparison & this video for a Deep Dive into Disk Encryption- https://www.youtube.com/watch?v=EOXgzTqceok&t=1873s
Hope this answers your questions. If not, please let me know and I can assist further. Thank you!
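The rules in the answer above (SSE covers data at rest only; Azure Disk Encryption and encryption at host also cover the path between compute and storage; ADE and SSE with customer-managed keys cannot both encrypt one disk) can be turned into a small audit over `az vm show` / `az disk show` output. The script below is an added example, not code from the answer or from Microsoft; it assumes the camelCase field names the `az` CLI emits (`securityProfile.encryptionAtHost`, `encryption.type`, `encryption.diskEncryptionSetId`, extension `publisher`/`typePropertiesType` under `resources`), which you should confirm against your CLI version. All VM and disk JSON in it is constructed sample data.

```python
"""Audit Azure managed-disk encryption posture from `az` CLI JSON.

Added example, not code from the original answer or from Microsoft. It
encodes the rules the answer states: server-side encryption (SSE) covers
data at rest only; Azure Disk Encryption (ADE) and encryption at host also
cover data flowing between compute and storage; a disk cannot combine ADE
with SSE using customer-managed keys. Field names follow the camelCase
shape of `az vm show` / `az disk show` output (an assumption: check them
against your CLI version). All sample JSON below is constructed.
"""
import json

ADE_PUBLISHER = "Microsoft.Azure.Security"
ADE_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}


def has_ade(vm: dict) -> bool:
    """True if an ADE extension (Windows or Linux flavour) is attached to the VM."""
    for ext in vm.get("resources") or []:
        # `az vm show` reports the extension type as typePropertiesType;
        # fall back to the last segment of `type` for raw ARM JSON.
        ext_type = ext.get("typePropertiesType") or ext.get("type", "").rsplit("/", 1)[-1]
        if ext.get("publisher") == ADE_PUBLISHER and ext_type in ADE_TYPES:
            return True
    return False


def encryption_at_host(vm: dict) -> bool:
    """True if the VM has encryption at host enabled (securityProfile.encryptionAtHost)."""
    return bool((vm.get("securityProfile") or {}).get("encryptionAtHost"))


def classify_disk(vm: dict, disk: dict) -> dict:
    """Describe how one managed disk attached to `vm` is protected."""
    enc = disk.get("encryption") or {}
    enc_type = enc.get("type") or "EncryptionAtRestWithPlatformKey"
    cmk = bool(enc.get("diskEncryptionSetId")) or "CustomerKey" in enc_type
    ade, eah = has_ade(vm), encryption_at_host(vm)

    if eah:
        # Per the answer: with encryption at host the VM host, not Azure Storage, encrypts the data.
        at_rest = "encryption at host"
    else:
        at_rest = "SSE with customer-managed key" if cmk else "SSE with platform-managed key"
    if ade:
        at_rest += " + Azure Disk Encryption"

    issues = []
    if ade and cmk:
        issues.append("ADE and SSE with customer-managed keys cannot both encrypt one disk")

    return {
        "disk": disk.get("name"),
        "at_rest": at_rest,
        "compute_to_storage_encrypted": ade or eah,  # SSE alone leaves this path unencrypted
        "issues": issues,
    }


def audit(vm: dict, disks_by_id: dict) -> list:
    """Classify every managed disk referenced by the VM's storage profile."""
    profile = vm.get("storageProfile") or {}
    refs = [profile.get("osDisk") or {}] + list(profile.get("dataDisks") or [])
    results = []
    for ref in refs:
        disk_id = (ref.get("managedDisk") or {}).get("id")
        if disk_id in disks_by_id:
            results.append(classify_disk(vm, disks_by_id[disk_id]))
    return results


# --- constructed sample data (shape only; not real resource IDs) ---
def sample_vm(name, *, ade=False, eah=False, disks=()):
    return {
        "name": name,
        "resources": [{"publisher": ADE_PUBLISHER,
                       "typePropertiesType": "AzureDiskEncryptionForLinux"}] if ade else [],
        "securityProfile": {"encryptionAtHost": True} if eah else None,
        "storageProfile": {
            "osDisk": {"managedDisk": {"id": disks[0]}},
            "dataDisks": [{"managedDisk": {"id": d}} for d in disks[1:]],
        },
    }


def sample_disk(disk_id, cmk=False):
    enc = ({"type": "EncryptionAtRestWithCustomerKey", "diskEncryptionSetId": "/des/example"}
           if cmk else {"type": "EncryptionAtRestWithPlatformKey"})
    return {"id": disk_id, "name": disk_id.rsplit("/", 1)[-1], "encryption": enc}


DISKS = {d["id"]: d for d in [
    sample_disk("/disks/ade-os"), sample_disk("/disks/ade-data0", cmk=True),
    sample_disk("/disks/eah-os"), sample_disk("/disks/sse-os", cmk=True),
]}
VMS = [
    sample_vm("vm-ade", ade=True, disks=("/disks/ade-os", "/disks/ade-data0")),
    sample_vm("vm-eah", eah=True, disks=("/disks/eah-os",)),
    sample_vm("vm-sse", disks=("/disks/sse-os",)),
]


def run_report() -> dict:
    """Audit every sample VM, keyed by VM name. Swap in real `az` output to use it."""
    return {vm["name"]: audit(vm, DISKS) for vm in VMS}


if __name__ == "__main__":
    print(json.dumps(run_report(), indent=2))
```

To run this against a real subscription, feed it the parsed output of `az vm show -g <rg> -n <vm>` and `az disk show --ids <disk-id>` in place of the sample data; the `vm-ade` data disk in the sample is deliberately misconfigured to show the ADE plus SSE-with-CMK conflict being flagged.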