We are announcing the public preview of confidential temp disk encryption for confidential VMs. Until recently, confidential encryption has only been available for OS disks. It binds the disk encryption keys to the virtual machine’s TPM (Trusted Platform Module) and makes the disk content accessible only to the VM. With this release, we are extending this protection by enabling encryption of the temp disk, using in-VM symmetric key encryption technology, after the disk is attached to the confidential VM (CVM).
Most CVMs contain a temp disk, which is not a managed disk. On Azure Linux VMs the temp disk is typically /dev/sdb, and on Windows VMs it is the D: drive by default. The temp disk provides fast, local, short-term storage for applications and processes. It is intended only for data such as page files, log files, cached data, and other temporary data. On CVMs the temp disk holds the page file (also known as the swap file), which can contain sensitive data. Without encryption, data on these disks may be accessible to the host; after this feature is enabled, data on the temp disk is no longer exposed to the host.
This feature can be enabled for confidential VMs through an opt-in process described below.
Prerequisite:
The OS disk needs to be confidentially encrypted at the time of CVM creation.
Instructions:
Step 1: Create a confidential VM.
Create a CVM using Create a confidential VM in the Azure portal | Microsoft Learn.
Note: Use a SKU that provides temporary storage (DCadsv5, DCedsv5, ECadsv5, or ECedsv5-series).
Step 2: Enable confidential OS Disk Encryption (mandatory).
During the CVM creation process, scroll to the 'Disks' section and configure the following settings:
- Under Disk options, enable Confidential compute encryption to encrypt your VM's OS disk during creation. This is not an optional step.
- For Confidential compute encryption type, select the type of encryption to use.
- If Confidential disk encryption with a customer-managed key is selected, create a Confidential disk encryption set before creating your confidential VM.
Step 3: Install ADE extension.
Note: Make sure the Az module is installed: Install the Azure Az PowerShell module | Microsoft Learn
Install ADE extension:
- Azure Disk Encryption scenarios on Linux VMs
- Azure Disk Encryption prerequisites CLI script
- Azure Disk Encryption prerequisites PowerShell script
Optionally, you can run the following PowerShell scripts directly:
- PS script for Windows: cvm-datadisk-enc-scripts/CVM-enable-conftempdiskenc-Win.ps1 in the Azure/confidential-computing-cvm-guest-attestation repository on GitHub
- PS script for Linux: cvm-datadisk-enc-scripts/CVM-enable-conftempdiskenc-Lnx.ps1 in the Azure/confidential-computing-cvm-guest-attestation repository on GitHub
Confidential temp disk encryption is now enabled. No further action is needed: the temp disk is encrypted by default once the Azure Disk Encryption (ADE) extension is enabled.
Step 4: Check the storage layout for encrypted temp disk.
Connect to the CVM (for example over RDP or SSH) and inspect the storage layout; the temp disk should show as encrypted.
- For Linux: lsblk
- For Windows: DiskMgmt.msc
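The Linux check in Step 4 can be scripted rather than read off `lsblk` by eye. The following helper is an added example written for this post, not code from the original post or from the Azure repository: it parses `lsblk -P -o NAME,TYPE,PKNAME` output and reports whether a dm-crypt mapping sits on the temp disk or on one of its partitions. The device name sdb is the Linux default stated above and is passed in as a parameter; the two `lsblk` listings embedded in the script are constructed samples (the mapping names are made up) so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post.
# temp_disk_encrypted DISK LSBLK_OUTPUT
#   DISK          bare kernel name of the temp disk (the page's default is sdb)
#   LSBLK_OUTPUT  text of `lsblk -P -o NAME,TYPE,PKNAME`
# Prints "encrypted" or "plain"; exit status 0 only when a crypt device
# resolves (through PKNAME parents) to DISK.
temp_disk_encrypted() {
    disk=$1
    lsblk_out=$2
    printf '%s\n' "$lsblk_out" | awk -v disk="$disk" '
        {
            # Each line is KEY="value" pairs; pull out NAME, TYPE and PKNAME.
            name = ""; type = ""; pk = "";
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=");
                gsub(/"/, "", kv[2]);
                if (kv[1] == "NAME") name = kv[2];
                else if (kv[1] == "TYPE") type = kv[2];
                else if (kv[1] == "PKNAME") pk = kv[2];
            }
            parent[name] = pk; kind[name] = type;
        }
        END {
            found = 0;
            for (n in kind) {
                if (kind[n] != "crypt") continue;
                # Walk up the parent chain; a crypt device rooted on DISK counts.
                p = parent[n];
                while (p != "" && p != disk) p = parent[p];
                if (p == disk) found = 1;
            }
            print (found ? "encrypted" : "plain");
            exit (found ? 0 : 1);
        }'
}

# Constructed sample: temp disk sdb carries a crypt mapping on its partition.
SAMPLE_ENCRYPTED='NAME="sda" TYPE="disk" PKNAME=""
NAME="sda1" TYPE="part" PKNAME="sda"
NAME="sdb" TYPE="disk" PKNAME=""
NAME="sdb1" TYPE="part" PKNAME="sdb"
NAME="sdb1-crypt" TYPE="crypt" PKNAME="sdb1"'

# Constructed sample: only the OS disk (sda) is encrypted; sdb is plain.
SAMPLE_PLAIN='NAME="sda" TYPE="disk" PKNAME=""
NAME="sda1" TYPE="part" PKNAME="sda"
NAME="osencrypt" TYPE="crypt" PKNAME="sda1"
NAME="sdb" TYPE="disk" PKNAME=""
NAME="sdb1" TYPE="part" PKNAME="sdb"'

# Demonstration on the constructed samples. On a real CVM run instead:
#   temp_disk_encrypted sdb "$(lsblk -P -o NAME,TYPE,PKNAME)"
temp_disk_encrypted sdb "$SAMPLE_ENCRYPTED" || true
temp_disk_encrypted sdb "$SAMPLE_PLAIN" || true
```

The parent walk matters: a crypt device on the OS disk (which confidential OS disk encryption already provides) must not be mistaken for temp disk encryption, so the check only counts a mapping whose PKNAME chain ends at the disk you asked about.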