Microsoft Azure encryption interactions

Topic

This article discusses the encryption options for managed disks within Microsoft Azure and how they interact with the Datto Backup for Microsoft Azure product.

Environment

  • Datto Backup for Microsoft Azure

Description

Microsoft Azure supports multiple methods of encrypting data within the platform including:

  • Azure Disk Storage Server-Side Encryption
  • Encryption at host
  • Azure Disk Encryption
  • Confidential disk encryption

NOTE  Whether the key used is a customer managed key (CMK) or a platform managed key (PMK) does not change the way the Datto solution interacts with the protected machine.

Types of Encryption

File-Level Encryption - Files using this type of encryption can often be restored by a Datto appliance. The health of a protected server, such as corruption on the server's hard drive, can affect the decryption capabilities of file-level encryption.

Full-Disk Encryption - If your server uses a full-disk encryption product, such as BitLocker or TrueCrypt (used by Azure Disk Encryption), the machine is in a decrypted state when your Datto appliance backs it up. As a general rule, disk-level encryption solutions which perform decryption at a low level, before the operating system is completely loaded, will work with the Datto solution.

However, if the encryption solution depends on a running application or driver within the operating system, it is much less likely to be compatible. Datto recommends performing periodic local virtualizations and file restores to test the boot and restore integrity of full-disk encryption backups.

Encrypted Windows Boot Files - Datto does not recommend encrypting Windows boot files, because this type of encryption might affect the bootability of the protected system in a restore scenario.

Depending on the level of encryption in use on the production machine, restore options may be more limited. If the encryption is at the drive level and the drive is unlocked, or we are able to back it up in an unencrypted state, there should be no limitation on restores.

If you are backing up a volume that uses file-level or block-level encryption or duplication, certain granular restores, such as file restores, will not work properly.
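As an added example that is not part of the original article, the following PowerShell reports which of the four Azure encryption methods listed above a VM and its managed disks use, so that restore expectations can be set before the VM is protected. It assumes a recent Az.Compute module, an active Connect-AzAccount session, and a resource group and VM name supplied as parameters.

```powershell
# Added example (not Datto's or Microsoft's code). Inventories the Azure
# encryption methods in use on one VM: encryption at host, Azure Disk
# Encryption (in-guest), server-side encryption and confidential disk
# encryption. Assumes Az.Compute is installed and Connect-AzAccount has run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder
    [Parameter(Mandatory)] [string] $VMName               # placeholder
)

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Encryption at host is a VM-level flag; decryption happens below the guest OS,
# so it is transparent to the backup.
$encAtHost = [bool] $vm.SecurityProfile.EncryptionAtHost

# Azure Disk Encryption is reported per volume (Encrypted / NotEncrypted / Unknown).
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName

# Server-side encryption and confidential disk encryption are disk properties.
$diskIds = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
           @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })

$diskReport = foreach ($id in $diskIds) {
    # Resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/disks/<name>
    $parts = $id -split '/'
    $disk  = Get-AzDisk -ResourceGroupName $parts[4] -DiskName $parts[-1]
    [pscustomobject]@{
        Disk                 = $disk.Name
        ServerSideEncryption = $disk.Encryption.Type                 # PMK, CMK or both
        DiskEncryptionSetId  = $disk.Encryption.DiskEncryptionSetId  # set only for CMK
        ConfidentialDisk     = $disk.SecurityProfile.SecurityType    # $null unless a confidential VM disk
    }
}

[pscustomobject]@{
    VM               = $vm.Name
    EncryptionAtHost = $encAtHost
    ADEOsVolume      = $ade.OsVolumeEncrypted
    ADEDataVolumes   = $ade.DataVolumesEncrypted
} | Format-List

$diskReport | Format-Table -AutoSize

# Per the guidance above: SSE, encryption at host and confidential disk encryption
# are handled below the guest, so the key type (PMK or CMK) does not change backup
# behaviour. An ADE-encrypted OS volume is the case to exercise with periodic test
# virtualizations and file restores.
```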

Additional Resources