Customer Managed Keys for Azure VMware Solution
Published Mar 09 2023 04:19 PM 1,333 Views

Azure VMware Solution encryption with customer-managed keys is now Generally Available. Customer-managed keys give customers maximum control over their encrypted vSAN data on Azure VMware Solution. With this feature, customers can use Azure Key Vault to generate customer managed keys and centralize the key management process.


Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.


Azure VMware Solution provides default data at rest encryption for private cloud’s vSAN datastore, and it is performed with service-managed keys, automatically and transparently managed by Microsoft. However, many industries require data that not only encrypted data at rest but do so by using encryption keys that customers have full control over as per regulations and compliance requirement. Customer-managed keys don’t disable default vSAN datastore encryption. Instead, they add a second layer of encryption on top of the default one. This means that customer-managed keys also deliver double encryption, a feature that is sometimes part of the same compliance requirements.




Azure VMware Solution customers need to enable system-assigned managed identity on their private cloud to access keys within customer owned Azure Key Vault. A user with required permission on Azure Key Vault must first grant Get, wrap key, and unwrap key permissions to private cloud managed identity. Customer can revoke access anytime by removing Azure VMware Solution’s access to customer-owned Azure Key Vault or disabling keys used for private cloud encryption, making it impossible for Azure VMware Solution to read or write any data within customer’s private cloud. Moreover, customers can use Azure Key Vault monitoring to ensure only Azure VMware Solution is accessing keys.



  • Full control of data access via the ability to remove the key and make the private cloud data inaccessible.
  • Full control over the key lifecycle, including rotation of the key to aligning with corporate policies.
  • Central management and organization of keys in Azure Key Vault



If you are interested in the Customer-managed Key for Azure VMware Solution, please use these resources to learn more about the service:


Author Bio

Rahi Patel is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in infrastructure architecture with extensive experience across all facets of the enterprise, public cloud & service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. 

Version history
Last update:
‎Mar 09 2023 06:58 AM
Updated by: