learn.microsoft.com
Open in
urlscan Pro
2a02:26f0:3100:1a4::3544
Public Scan
Submitted URL: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites
Effective URL: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview
Submission: On July 30 via api from US — Scanned from DE
Effective URL: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview
Submission: On July 30 via api from US — Scanned from DE
Form analysis
3 forms found in the DOMName: site-header-search-form-mobile — GET /en-us/search/
<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form-mobile" data-bi-name="site-header-search-form-mobile" name="site-header-search-form-mobile" aria-label="Search" action="/en-us/search/">
<div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
<div class="field-body control ">
<input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input-mobile"
data-test-id="site-header-search-autocomplete-input-mobile" class="autocomplete-input input
width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-1-listbox" aria-controls="ax-1-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-mobile-description"
placeholder="Search" data-bi-name="site-header-search-autocomplete-input-mobile" pattern=".*">
<span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
<span hidden="" id="ms--site-header-search-autocomplete-input-mobile-description"> Suggestions will filter as you type </span>
</div>
<ul role="listbox" id="ax-1-listbox" data-test-id="site-header-search-autocomplete-input-mobile-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
</ul>
<!---->
</div>
<!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
<button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
<input name="category" hidden="" value="">
</form>
Name: site-header-search-form — GET /en-us/search/
<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form" data-bi-name="site-header-search-form" name="site-header-search-form" aria-label="Search" action="/en-us/search/">
<div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
<div class="field-body control ">
<input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input" data-test-id="site-header-search-autocomplete-input" class="autocomplete-input input input-sm
width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-0-listbox" aria-controls="ax-0-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-description"
placeholder="Search" data-bi-name="site-header-search-autocomplete-input" pattern=".*">
<span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
<span hidden="" id="ms--site-header-search-autocomplete-input-description"> Suggestions will filter as you type </span>
</div>
<ul role="listbox" id="ax-0-listbox" data-test-id="site-header-search-autocomplete-input-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
</ul>
<!---->
</div>
<!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
<button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
<input name="category" hidden="" value="">
</form>
javascript:
<form action="javascript:" role="search" aria-label="Search" class="margin-bottom-xxs"><label class="visually-hidden" for="ax-2">Search</label>
<div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
<div class="field-body control has-icons-left">
<input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="ax-2" data-test-id="ax-2" class="autocomplete-input input input-sm
control has-icons-left
width-full" type="text" aria-expanded="false" aria-owns="ax-3-listbox" aria-controls="ax-3-listbox" aria-activedescendant="" aria-describedby="ms--ax-2-description" placeholder="Filter by title" pattern=".*">
<span aria-hidden="true" class="icon is-small is-left">
<span class="has-text-primary docon docon-filter-settings"></span>
</span>
<span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
<span hidden="" id="ms--ax-2-description"> Suggestions will filter as you type </span>
</div>
<ul role="listbox" id="ax-3-listbox" data-test-id="ax-2-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
</ul>
<!---->
</div>
</form>
Text Content
Skip to main content We use optional cookies to improve your experience on our websites, such as through social media connections, and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services will be used. You may change your selection by clicking “Manage Cookies” at the bottom of the page. Privacy Statement Third-Party Cookies Accept Reject Manage cookies This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Download Microsoft Edge More info about Internet Explorer and Microsoft Edge Learn Suggestions will filter as you type Sign in * Profile * Settings Sign out Learn * Discover * Documentation In-depth articles on Microsoft developer tools and technologies * Training Personalized learning paths and courses * Credentials Globally recognized, industry-endorsed credentials * Q&A Technical questions and answers moderated by Microsoft * Code Samples Code sample library for Microsoft developer tools and technologies * Assessments Interactive, curated guidance and recommendations * Shows Thousands of hours of original programming from Microsoft experts Microsoft Learn for Organizations Boost your team's technical skills Access curated resources to upskill your team and close skills gaps. * Product documentation * ASP.NET * Azure * Dynamics 365 * Microsoft 365 * Microsoft Edge * Microsoft Entra * Microsoft Graph * Microsoft Intune * Microsoft Purview * Microsoft Teams * .NET * Power Apps * Power Automate * Power BI * Power Platform * PowerShell * SQL * Sysinternals * Visual Studio * Windows * Windows Server View all products Microsoft Learn for Organizations Boost your team's technical skills Access curated resources to upskill your team and close skills gaps. * Development languages * C++ * C# * DAX * Java * OData * OpenAPI * Power Query M * VBA Microsoft Learn for Organizations Boost your team's technical skills Access curated resources to upskill your team and close skills gaps. * Topics * Artificial intelligence * Compliance * DevOps * Platform engineering * Security Microsoft Learn for Organizations Boost your team's technical skills Access curated resources to upskill your team and close skills gaps. Suggestions will filter as you type Sign in * Profile * Settings Sign out Azure * Products * Popular products * Azure AI Services * Azure App Service * Azure Databricks * Azure DevOps * Azure Functions * Azure Monitor * Azure Virtual Machines * Popular categories * Compute * Networking * Storage * AI & machine learning * Analytics * Databases * Security * View all products * Architecture * Cloud Adoption Framework * Well-Architected Framework * Azure Architecture Center * Develop * Python * .NET * JavaScript * Java * PowerShell * Azure CLI * View all developer resources * Learn Azure * Start your AI learning assessment * Top learning paths * Cloud concepts * AI fundamentals * Intro to generative AI * Azure Architecture fundamentals * Earn credentials * Instructor-led courses * View all training * Troubleshooting * Resources * Product overview * Latest blog posts * Pricing information * Support options * More * Products * Popular products * Azure AI Services * Azure App Service * Azure Databricks * Azure DevOps * Azure Functions * Azure Monitor * Azure Virtual Machines * Popular categories * Compute * Networking * Storage * AI & machine learning * Analytics * Databases * Security * View all products * Architecture * Cloud Adoption Framework * Well-Architected Framework * Azure Architecture Center * Develop * Python * .NET * JavaScript * Java * PowerShell * Azure CLI * View all developer resources * Learn Azure * Start your AI learning assessment * Top learning paths * Cloud concepts * AI fundamentals * Intro to generative AI * Azure Architecture fundamentals * Earn credentials * Instructor-led courses * View all training * Troubleshooting * Resources * Product overview * Latest blog posts * Pricing information * Support options Portal Free account Table of contents Exit focus mode Search Suggestions will filter as you type * Virtual Machines Documentation * Overview * Quickstarts * Create a Linux VM * Create a Windows VM * Create a Virtual Machine Scale Set * Tutorials * Develop * Workloads * Instances * Availability and scale * Disks * Overview * Disk types * Understand Disk Storage billing * Disk redundancy options * What's new in Azure Disk Storage * Deploy an ultra disk * Deploy a premium SSD v2 * Deploy a ZRS disk * Best practices for achieving high availability * Share a disk between VMs * Encryption * Disk encryption overview * Server-side encryption * Azure Disk Encryption * Performance and cost optimization * Scalability targets for disks * Backup and data protection * Ephemeral OS disks * Securely import/export a disk * Migration and conversion * Create resources * Add a data disk * Detach a disk * Expand a disk * Manage storage * Networking * Security * Updates and maintenance * Monitoring * Backup and recovery * Reliability in Virtual Machines * Infrastructure automation * Cost optimization * Resources * Support and troubleshooting Download PDF 1. Learn 2. Azure 3. Virtual Machines 1. Learn 2. Azure 3. Virtual Machines Read in English Save * Add to Collections * Add to Plan * Add to Challenges Table of contents Read in English Add to Collections Add to Plan Edit -------------------------------------------------------------------------------- SHARE VIA Facebook x.com LinkedIn Email -------------------------------------------------------------------------------- Print Table of contents OVERVIEW OF MANAGED DISK ENCRYPTION OPTIONS * Article * 07/17/2024 * 7 contributors Feedback IN THIS ARTICLE 1. Comparison 2. Next steps There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host. * Azure Disk Storage Server-Side Encryption (also referred to as encryption-at-rest or Azure Storage encryption) is always enabled and automatically encrypts data stored on Azure managed disks (OS and data disks) when persisting on the Storage Clusters. When configured with a Disk Encryption Set (DES), it supports customer-managed keys as well. It doesn't encrypt temp disks or disk caches. For full details, see Server-side encryption of Azure Disk Storage. * Encryption at host is a Virtual Machine option that enhances Azure Disk Storage Server-Side Encryption to ensure that all temp disks and disk caches are encrypted at rest and flow encrypted to the Storage clusters. For full details, see Encryption at host - End-to-end encryption for your VM data. * Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets, with the option to encrypt with a key encryption key (KEK). For full details, see Azure Disk Encryption for Linux VMs or Azure Disk Encryption for Windows VMs. * Confidential disk encryption binds disk encryption keys to the virtual machine's TPM and makes the protected disk content accessible only to the VM. The TPM and VM guest state is always encrypted in attested code using keys released by a secure protocol that bypasses the hypervisor and host operating system. Currently only available for the OS disk; temp disk support is in preview. Encryption at host may be used for other disks on a Confidential VM in addition to Confidential Disk Encryption. For full details, see DCasv5 and ECasv5 series confidential VMs. Encryption is part of a layered approach to security and should be used with other recommendations to secure Virtual Machines and their disks. For full details, see Security recommendations for virtual machines in Azure and Restrict import/export access to managed disks. COMPARISON Here's a comparison of Disk Storage SSE, ADE, encryption at host, and Confidential disk encryption. Expand table Azure Disk Storage Server-Side Encryption Encryption at Host Azure Disk Encryption Confidential disk encryption (For the OS disk only) Encryption at rest (OS and data disks) ✅ ✅ ✅ ✅ Temp disk encryption ❌ ✅ Only supported with platform managed key ✅ ✅ In Preview Encryption of caches ❌ ✅ ✅ ✅ Data flows encrypted between Compute and Storage ❌ ✅ ✅ ✅ Customer control of keys ✅ When configured with DES ✅ When configured with DES ✅ When configured with KEK ✅ When configured with DES HSM Support Azure Key Vault Premium and Managed HSM Azure Key Vault Premium and Managed HSM Azure Key Vault Premium Azure Key Vault Premium and Managed HSM Does not use your VM's CPU ✅ ✅ ❌ ❌ Works for custom images ✅ ✅ ❌ Does not work for custom Linux images ✅ Enhanced Key Protection ❌ ❌ ❌ ✅ Microsoft Defender for Cloud disk encryption status* Unhealthy Healthy Healthy Not applicable Important For Confidential disk encryption, Microsoft Defender for Cloud does not currently have a recommendation that is applicable. * Microsoft Defender for Cloud has the following disk encryption recommendations: * Virtual machines and virtual machine scale sets should have encryption at host enabled (Only detects Encryption at Host) * Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (Only detects Azure Disk Encryption) * Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost (Detects both Azure Disk Encryption and EncryptionAtHost) * Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost (Detects both Azure Disk Encryption and EncryptionAtHost) NEXT STEPS * Azure Disk Encryption for Linux VMs * Azure Disk Encryption for Windows VMs * Server-side encryption of Azure Disk Storage * Encryption at host * DCasv5 and ECasv5 series confidential VMs * Azure Security Fundamentals - Azure encryption overview -------------------------------------------------------------------------------- FEEDBACK Was this page helpful? Yes No Provide product feedback | Get help at Microsoft Q&A FEEDBACK Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback. Submit and view feedback for This product This page View all page feedback -------------------------------------------------------------------------------- ADDITIONAL RESOURCES -------------------------------------------------------------------------------- Training Module Secure your Azure virtual machine disks - Training Explore the options for Azure disk encryption to encrypt OS and data disks on existing and new virtual machines. Certification Microsoft Certified: Azure Security Engineer Associate - Certifications Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities. English (United States) California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices Theme * Light * Dark * High contrast * Manage cookies * Previous Versions * Blog * Contribute * Privacy * Terms of Use * Trademarks * © Microsoft 2024 ADDITIONAL RESOURCES -------------------------------------------------------------------------------- Training Module Secure your Azure virtual machine disks - Training Explore the options for Azure disk encryption to encrypt OS and data disks on existing and new virtual machines. Certification Microsoft Certified: Azure Security Engineer Associate - Certifications Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities. IN THIS ARTICLE English (United States) California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices Theme * Light * Dark * High contrast * Manage cookies * Previous Versions * Blog * Contribute * Privacy * Terms of Use * Trademarks * © Microsoft 2024