learn.microsoft.com
2a02:26f0:3100:1a4::3544  Public Scan

Submitted URL: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites
Effective URL: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview
Submission: On July 30 via api from US — Scanned from DE

Text Content


OVERVIEW OF MANAGED DISK ENCRYPTION OPTIONS

 * Article
 * 07/17/2024
 * 7 contributors


There are several types of encryption available for your managed disks,
including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and
encryption at host.

 * Azure Disk Storage Server-Side Encryption (also referred to as
   encryption-at-rest or Azure Storage encryption) is always enabled and
   automatically encrypts data stored on Azure managed disks (OS and data disks)
   when persisting on the Storage Clusters. When configured with a Disk
   Encryption Set (DES), it supports customer-managed keys as well. It doesn't
   encrypt temp disks or disk caches. For full details, see Server-side
   encryption of Azure Disk Storage.

 * Encryption at host is a Virtual Machine option that enhances Azure Disk
   Storage Server-Side Encryption to ensure that all temp disks and disk caches
   are encrypted at rest and flow encrypted to the Storage clusters. For full
   details, see Encryption at host - End-to-end encryption for your VM data.

 * Azure Disk Encryption helps protect and safeguard your data to meet your
   organizational security and compliance commitments. ADE encrypts the OS and
   data disks of Azure virtual machines (VMs) inside your VMs by using the
   DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is
   integrated with Azure Key Vault to help you control and manage the disk
   encryption keys and secrets, with the option to encrypt with a key encryption
   key (KEK). For full details, see Azure Disk Encryption for Linux VMs or Azure
   Disk Encryption for Windows VMs.

 * Confidential disk encryption binds disk encryption keys to the virtual
   machine's TPM and makes the protected disk content accessible only to the VM.
   The TPM and VM guest state is always encrypted in attested code using keys
   released by a secure protocol that bypasses the hypervisor and host operating
   system. Confidential disk encryption is currently available only for the OS
   disk; temp disk support is in preview. Encryption at host may be used for
   other disks on a Confidential VM in addition to Confidential Disk
   Encryption. For full details, see DCasv5 and ECasv5 series confidential VMs.

Encryption is part of a layered approach to security and should be used with
other recommendations to secure Virtual Machines and their disks. For full
details, see Security recommendations for virtual machines in Azure and Restrict
import/export access to managed disks.


COMPARISON

Here's a comparison of Disk Storage SSE, ADE, encryption at host, and
Confidential disk encryption.


|   | Azure Disk Storage Server-Side Encryption | Encryption at Host | Azure Disk Encryption | Confidential disk encryption (For the OS disk only) |
|---|---|---|---|---|
| Encryption at rest (OS and data disks) | ✅ | ✅ | ✅ | ✅ |
| Temp disk encryption | ❌ | ✅ Only supported with platform managed key | ✅ | ✅ In Preview |
| Encryption of caches | ❌ | ✅ | ✅ | ✅ |
| Data flows encrypted between Compute and Storage | ❌ | ✅ | ✅ | ✅ |
| Customer control of keys | ✅ When configured with DES | ✅ When configured with DES | ✅ When configured with KEK | ✅ When configured with DES |
| HSM Support | Azure Key Vault Premium and Managed HSM | Azure Key Vault Premium and Managed HSM | Azure Key Vault Premium | Azure Key Vault Premium and Managed HSM |
| Does not use your VM's CPU | ✅ | ✅ | ❌ | ❌ |
| Works for custom images | ✅ | ✅ | ❌ Does not work for custom Linux images | ✅ |
| Enhanced Key Protection | ❌ | ❌ | ❌ | ✅ |
| Microsoft Defender for Cloud disk encryption status* | Unhealthy | Healthy | Healthy | Not applicable |

Important

For Confidential disk encryption, Microsoft Defender for Cloud does not
currently have a recommendation that is applicable.

* Microsoft Defender for Cloud has the following disk encryption
recommendations:

 * Virtual machines and virtual machine scale sets should have encryption at
   host enabled (Only detects Encryption at Host)
 * Virtual machines should encrypt temp disks, caches, and data flows between
   Compute and Storage resources (Only detects Azure Disk Encryption)
 * Windows virtual machines should enable Azure Disk Encryption or
   EncryptionAtHost (Detects both Azure Disk Encryption and EncryptionAtHost)
 * Linux virtual machines should enable Azure Disk Encryption or
   EncryptionAtHost (Detects both Azure Disk Encryption and EncryptionAtHost)


NEXT STEPS

 * Azure Disk Encryption for Linux VMs
 * Azure Disk Encryption for Windows VMs
 * Server-side encryption of Azure Disk Storage
 * Encryption at host
 * DCasv5 and ECasv5 series confidential VMs
 * Azure Security Fundamentals - Azure encryption overview




