learn.microsoft.com
Open in
urlscan Pro
23.222.198.32
Public Scan
Submitted URL: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
Effective URL: https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
Submission: On August 06 via api from US — Scanned from CA
Effective URL: https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
Submission: On August 06 via api from US — Scanned from CA
Form analysis 3 forms found in the DOM
Name: site-header-search-form-mobile — GET /en-us/search/
<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form-mobile" data-bi-name="site-header-search-form-mobile" name="site-header-search-form-mobile" aria-label="Search" action="/en-us/search/">
<div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
<div class="field-body control ">
<input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input-mobile"
data-test-id="site-header-search-autocomplete-input-mobile" class="autocomplete-input input
width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-1-listbox" aria-controls="ax-1-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-mobile-description"
placeholder="Search" data-bi-name="site-header-search-autocomplete-input-mobile" pattern=".*">
<span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
<span hidden="" id="ms--site-header-search-autocomplete-input-mobile-description"> Suggestions will filter as you type </span>
</div>
<ul role="listbox" id="ax-1-listbox" data-test-id="site-header-search-autocomplete-input-mobile-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
</ul>
<!---->
</div>
<!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
<button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
<input name="category" hidden="" value="">
</form>Name: site-header-search-form — GET /en-us/search/
<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form" data-bi-name="site-header-search-form" name="site-header-search-form" aria-label="Search" action="/en-us/search/">
<div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
<div class="field-body control ">
<input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input" data-test-id="site-header-search-autocomplete-input" class="autocomplete-input input input-sm
width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-0-listbox" aria-controls="ax-0-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-description"
placeholder="Search" data-bi-name="site-header-search-autocomplete-input" pattern=".*">
<span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
<span hidden="" id="ms--site-header-search-autocomplete-input-description"> Suggestions will filter as you type </span>
</div>
<ul role="listbox" id="ax-0-listbox" data-test-id="site-header-search-autocomplete-input-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
</ul>
<!---->
</div>
<!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
<button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
<input name="category" hidden="" value="">
</form>javascript:
<form action="javascript:" role="search" aria-label="Search" class="margin-bottom-xxs"><label class="visually-hidden" for="ax-2">Search</label>
<div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
<div class="field-body control has-icons-left">
<input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="ax-2" data-test-id="ax-2" class="autocomplete-input input input-sm
control has-icons-left
width-full" type="text" aria-expanded="false" aria-owns="ax-3-listbox" aria-controls="ax-3-listbox" aria-activedescendant="" aria-describedby="ms--ax-2-description" placeholder="Filter by title" pattern=".*">
<span aria-hidden="true" class="icon is-small is-left">
<span class="has-text-primary docon docon-filter-settings"></span>
</span>
<span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
<span hidden="" id="ms--ax-2-description"> Suggestions will filter as you type </span>
</div>
<ul role="listbox" id="ax-3-listbox" data-test-id="ax-2-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
</ul>
<!---->
</div>
</form>Text Content
Skip to main content
We use optional cookies to improve your experience on our websites, such as
through social media connections, and to display personalized advertising based
on your online activity. If you reject optional cookies, only cookies necessary
to provide you the services will be used. You may change your selection by
clicking “Manage Cookies” at the bottom of the page. Privacy Statement
Third-Party Cookies
Accept Reject Manage cookies
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security
updates, and technical support.
Download Microsoft Edge More info about Internet Explorer and Microsoft Edge
Learn
Suggestions will filter as you type
Sign in
* Profile
* Settings
Sign out
Learn
* Discover
* Documentation
In-depth articles on Microsoft developer tools and technologies
* Training
Personalized learning paths and courses
* Credentials
Globally recognized, industry-endorsed credentials
* Q&A
Technical questions and answers moderated by Microsoft
* Code Samples
Code sample library for Microsoft developer tools and technologies
* Assessments
Interactive, curated guidance and recommendations
* Shows
Thousands of hours of original programming from Microsoft experts
Microsoft Learn for Organizations
Boost your team's technical skills
Access curated resources to upskill your team and close skills gaps.
* Product documentation
* ASP.NET
* Azure
* Dynamics 365
* Microsoft 365
* Microsoft Edge
* Microsoft Entra
* Microsoft Graph
* Microsoft Intune
* Microsoft Purview
* Microsoft Teams
* .NET
* Power Apps
* Power Automate
* Power BI
* Power Platform
* PowerShell
* SQL
* Sysinternals
* Visual Studio
* Windows
* Windows Server
View all products
Microsoft Learn for Organizations
Boost your team's technical skills
Access curated resources to upskill your team and close skills gaps.
* Development languages
* C++
* C#
* DAX
* Java
* OData
* OpenAPI
* Power Query M
* VBA
Microsoft Learn for Organizations
Boost your team's technical skills
Access curated resources to upskill your team and close skills gaps.
* Topics
* Artificial intelligence
* Compliance
* DevOps
* Platform engineering
* Security
Microsoft Learn for Organizations
Boost your team's technical skills
Access curated resources to upskill your team and close skills gaps.
Suggestions will filter as you type
Sign in
* Profile
* Settings
Sign out
Azure
* Products
* Popular products
* Azure AI Services
* Azure App Service
* Azure Databricks
* Azure DevOps
* Azure Functions
* Azure Monitor
* Azure Virtual Machines
* Popular categories
* Compute
* Networking
* Storage
* AI & machine learning
* Analytics
* Databases
* Security
* View all products
* Architecture
* Cloud Adoption Framework
* Well-Architected Framework
* Azure Architecture Center
* Develop
* Python
* .NET
* JavaScript
* Java
* PowerShell
* Azure CLI
* View all developer resources
* Learn Azure
* Start your AI learning assessment
* Top learning paths
* Cloud concepts
* AI fundamentals
* Intro to generative AI
* Azure Architecture fundamentals
* Earn credentials
* Instructor-led courses
* View all training
* Troubleshooting
* Resources
* Product overview
* Latest blog posts
* Pricing information
* Support options
* More
* Products
* Popular products
* Azure AI Services
* Azure App Service
* Azure Databricks
* Azure DevOps
* Azure Functions
* Azure Monitor
* Azure Virtual Machines
* Popular categories
* Compute
* Networking
* Storage
* AI & machine learning
* Analytics
* Databases
* Security
* View all products
* Architecture
* Cloud Adoption Framework
* Well-Architected Framework
* Azure Architecture Center
* Develop
* Python
* .NET
* JavaScript
* Java
* PowerShell
* Azure CLI
* View all developer resources
* Learn Azure
* Start your AI learning assessment
* Top learning paths
* Cloud concepts
* AI fundamentals
* Intro to generative AI
* Azure Architecture fundamentals
* Earn credentials
* Instructor-led courses
* View all training
* Troubleshooting
* Resources
* Product overview
* Latest blog posts
* Pricing information
* Support options
Portal Free account
Table of contents Exit focus mode
Search
Suggestions will filter as you type
* Virtual Machines Documentation
* Overview
* Quickstarts
* Create a Linux VM
* Create a Windows VM
* Create a Virtual Machine Scale Set
* Tutorials
* Develop
* Workloads
* Instances
* Availability and scale
* Disks
* Overview
* Disk types
* Understand Disk Storage billing
* Disk redundancy options
* What's new in Azure Disk Storage
* Deploy an ultra disk
* Deploy a premium SSD v2
* Deploy a ZRS disk
* Best practices for achieving high availability
* Share a disk between VMs
* Encryption
* Disk encryption overview
* Server-side encryption
* Server-side encryption overview
* Enable customer-managed keys
* Portal
* PowerShell
* CLI
* Use customer-managed keys across Microsoft Entra tenants
* Enable encryption at host
* Enable double encryption at rest
* Azure Disk Encryption
* Performance and cost optimization
* Scalability targets for disks
* Backup and data protection
* Ephemeral OS disks
* Securely import/export a disk
* Migration and conversion
* Create resources
* Add a data disk
* Detach a disk
* Expand a disk
* Manage storage
* Networking
* Security
* Updates and maintenance
* Monitoring
* Backup and recovery
* Reliability in Virtual Machines
* Infrastructure automation
* Cost optimization
* Resources
* Support and troubleshooting
1. Learn
2. Azure
3. Virtual Machines
1. Learn
2. Azure
3. Virtual Machines
Read in English Save
* Add to Collections
* Add to Plan
* Add to Challenges
Table of contents Read in English Add to Collections Add to Plan Edit
--------------------------------------------------------------------------------
SHARE VIA
Facebook x.com LinkedIn Email
--------------------------------------------------------------------------------
Print
Table of contents
USE THE AZURE PORTAL TO ENABLE SERVER-SIDE ENCRYPTION WITH CUSTOMER-MANAGED KEYS
FOR MANAGED DISKS
* How-to
* 08/02/2023
* 3 contributors
Feedback
IN THIS ARTICLE
1. Prerequisites
2. Restrictions
3. Set up your Azure Key Vault
4. Set up your disk encryption set
5. Deploy a VM
6. Enable on an existing disk
7. Related content
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️
Azure Disk Storage allows you to manage your own keys when using server-side
encryption (SSE) for managed disks, if you choose. For conceptual information on
SSE with customer managed keys, and other managed disk encryption types, see the
Customer-managed keys section of our disk encryption article: Customer-managed
keys
PREREQUISITES
None
RESTRICTIONS
For now, customer-managed keys have the following restrictions:
* If this feature is enabled for a disk with incremental snapshots, it can't be
disabled on that disk or its snapshots. To work around this, copy all the
data to an entirely different managed disk that isn't using customer-managed
keys. You can do that with either the Azure CLI or the Azure PowerShell
module.
* Only software and HSM RSA keys of sizes 2,048-bit, 3,072-bit and 4,096-bit
are supported, no other keys or sizes.
* HSM keys require the premium tier of Azure Key vaults.
* For Ultra Disks and Premium SSD v2 disks only:
* Snapshots created from disks that are encrypted with server-side encryption
and customer-managed keys must be encrypted with the same customer-managed
keys.
* User-assigned managed identities aren't supported for Ultra Disks and
Premium SSD v2 disks encrypted with customer-managed keys.
* Not currently supported in Azure Government or Azure China.
* Most resources related to your customer-managed keys (disk encryption sets,
VMs, disks, and snapshots) must be in the same subscription and region.
* Azure Key Vaults may be used from a different subscription but must be in
the same region as your disk encryption set. As a preview, you can use
Azure Key Vaults from different Microsoft Entra tenants.
* Disks encrypted with customer-managed keys can only move to another resource
group if the VM they are attached to is deallocated.
* Disks, snapshots, and images encrypted with customer-managed keys can't be
moved between subscriptions.
* Managed disks currently or previously encrypted using Azure Disk Encryption
can't be encrypted using customer-managed keys.
* Can only create up to 5000 disk encryption sets per region per subscription.
* For information about using customer-managed keys with shared image
galleries, see Preview: Use customer-managed keys for encrypting images.
The following sections cover how to enable and use customer-managed keys for
managed disks:
Setting up customer-managed keys for your disks requires you to create resources
in a particular order, if you're doing it for the first time. First, you'll need
to create and set up an Azure Key Vault.
SET UP YOUR AZURE KEY VAULT
1. Sign in to the Azure portal.
2. Search for and select Key Vaults.
Important
Your disk encryption set, VM, disks, and snapshots must all be in the same
region and subscription for deployment to succeed. Azure Key Vaults may be
used from a different subscription but must be in the same region and
tenant as your disk encryption set.
3. Select +Create to create a new Key Vault.
4. Create a new resource group.
5. Enter a key vault name, select a region, and select a pricing tier.
Note
When creating the Key Vault instance, you must enable soft delete and purge
protection. Soft delete ensures that the Key Vault holds a deleted key for
a given retention period (90 day default). Purge protection ensures that a
deleted key cannot be permanently deleted until the retention period
lapses. These settings protect you from losing data due to accidental
deletion. These settings are mandatory when using a Key Vault for
encrypting managed disks.
6. Select Review + Create, verify your choices, then select Create.
7. Once your key vault finishes deploying, select it.
8. Select Keys under Objects.
9. Select Generate/Import.
10. Leave both Key Type set to RSA and RSA Key Size set to 2048.
11. Fill in the remaining selections as you like and then select Create.
ADD AN AZURE RBAC ROLE
Now that you've created the Azure key vault and a key, you must add an Azure
RBAC role, so you can use your Azure key vault with your disk encryption set.
1. Select Access control (IAM) and add a role.
2. Add either the Key Vault Administrator, Owner, or Contributor roles.
SET UP YOUR DISK ENCRYPTION SET
1. Search for Disk Encryption Sets and select it.
2. On the Disk Encryption Sets pane, select +Create.
3. Select your resource group, name your encryption set, and select the same
region as your key vault.
4. For Encryption type, select Encryption at-rest with a customer-managed key.
Note
Once you create a disk encryption set with a particular encryption type, it
cannot be changed. If you want to use a different encryption type, you must
create a new disk encryption set.
5. Make sure Select Azure key vault and key is selected.
6. Select the key vault and key you created previously, and the version.
7. If you want to enable automatic rotation of customer managed keys, select
Auto key rotation.
8. Select Review + Create and then Create.
9. Navigate to the disk encryption set once it's deployed, and select the
displayed alert.
10. This will grant your key vault permissions to the disk encryption set.
DEPLOY A VM
Now that you've created and set up your key vault and the disk encryption set,
you can deploy a VM using the encryption. The VM deployment process is similar
to the standard deployment process, the only differences are that you need to
deploy the VM in the same region as your other resources and you opt to use a
customer managed key.
1. Search for Virtual Machines and select + Create to create a VM.
2. On the Basic pane, select the same region as your disk encryption set and
Azure Key Vault.
3. Fill in the other values on the Basic pane as you like.
4. On the Disks pane, for Key management select your disk encryption set, key
vault, and key in the drop-down.
5. Make the remaining selections as you like.
ENABLE ON AN EXISTING DISK
Caution
Enabling disk encryption on any disks attached to a VM requires you to stop the
VM.
1. Navigate to a VM that is in the same region as one of your disk encryption
sets.
2. Open the VM and select Stop.
3. After the VM has finished stopping, select Disks, and then select the disk
you want to encrypt.
4. Select Encryption and under Key management select your key vault and key in
the drop-down list, under Customer-managed key.
5. Select Save.
6. Repeat this process for any other disks attached to the VM you'd like to
encrypt.
7. When your disks finish switching over to customer-managed keys, if there are
no other attached disks you'd like to encrypt, start your VM.
Important
Customer-managed keys rely on managed identities for Azure resources, a feature
of Microsoft Entra ID. When you configure customer-managed keys, a managed
identity is automatically assigned to your resources under the covers. If you
subsequently move the subscription, resource group, or managed disk from one
Microsoft Entra directory to another, the managed identity associated with the
managed disks is not transferred to the new tenant, so customer-managed keys may
no longer work. For more information, see Transferring a subscription between
Microsoft Entra directories.
ENABLE AUTOMATIC KEY ROTATION ON AN EXISTING DISK ENCRYPTION SET
1. Navigate to the disk encryption set that you want to enable automatic key
rotation on.
2. Under Settings, select Key.
3. Select Auto key rotation and select Save.
RELATED CONTENT
* Explore the Azure Resource Manager templates for creating encrypted disks
with customer-managed keys
* What is Azure Key Vault?
* Set up disaster recovery of VMware VMs to Azure with PowerShell
--------------------------------------------------------------------------------
FEEDBACK
Was this page helpful?
Yes No
Provide product feedback |
Get help at Microsoft Q&A
FEEDBACK
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the
feedback mechanism for content and replacing it with a new feedback system. For
more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for
This product This page
View all page feedback
English (United States)
California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices
Theme
* Light
* Dark
* High contrast
* Manage cookies
* Previous Versions
* Blog
* Contribute
* Privacy
* Terms of Use
* Trademarks
* © Microsoft 2024
ADDITIONAL RESOURCES
In this article
* Prerequisites
* Restrictions
* Set up your Azure Key Vault
* Set up your disk encryption set
* Deploy a VM
* Enable on an existing disk
* Related content
Show more
English (United States)
California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices
Theme
* Light
* Dark
* High contrast
* Manage cookies
* Previous Versions
* Blog
* Contribute
* Privacy
* Terms of Use
* Trademarks
* © Microsoft 2024