Server side encryption of Azure managed disks and customer managed keys

Frequent Contributor

Microsoft recently announced the availability for server side encryption with customer managed keys for Azure managed disks. This gives the end user full control of their keys via Azure Key Vault. This addresses any compliance needs that require you to rotate your encryption keys without impacting the availability or performance of your VM's.  This is currently available for premium SSD's, standard SSD's, and standard HDD's in public regions and Azure Government regions. Support for ultra SSD's is currently only available in East US, and West US 2. 


Announcement -


Some important things to keep in mind as restrictions are if you enable this for the managed disk it cannot be disabled. You will have to copy the data from one disk to another that is not utilizing managed keys. All resources related to the customer managed keys must be in the same subscription and in the same region. This includes Azure Key Vaults, Disk Encryption Sets, VM's, Disks, and Snapshots. 


This feature can be utilized for an existing VM if the machine is powered off and de-allocated. 


Annotation 2020-05-08 085017.png

It can also be enabled during the creation of the VM. 


Annotation 2020-05-08 085232.png

All in all this is a great platform feature that Microsoft has rolled out in response to the ever changing compliance needs of their customers. I highly suggest taking it for a test drive and incorporating it in your overall strategy when utilizing IAAS VM's in Azure. 



0 Replies