URL: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
Submission: On May 05 via api from US — Scanned from DE

USE THE AZURE PORTAL TO ENABLE SERVER-SIDE ENCRYPTION WITH CUSTOMER-MANAGED KEYS FOR MANAGED DISKS

 * Article
 * 09/27/2021


IS THIS PAGE HELPFUL?

Yes No
Any additional feedback?

Feedback will be sent to Microsoft: By pressing the submit button, your feedback
will be used to improve Microsoft products and services. Privacy policy.

Submit

Thank you.


IN THIS ARTICLE

Applies to: ✔️ Linux VMs ✔️ Windows VMs

Azure Disk Storage lets you manage your own keys when using server-side
encryption (SSE) for managed disks. For conceptual information on SSE with
customer-managed keys, as well as the other managed disk encryption types, see
the Customer-managed keys section of the disk encryption article.


RESTRICTIONS

For now, customer-managed keys have the following restrictions:

 * Once this feature is enabled for a disk, you cannot disable it. If you need
   to work around this, you must copy all the data to an entirely different
   managed disk that isn't using customer-managed keys:
   * For Linux: Copy a managed disk
   * For Windows: Copy a managed disk
 * Only software and HSM RSA keys of sizes 2,048-bit, 3,072-bit and 4,096-bit
   are supported; no other key types or sizes are.
   * HSM keys require the premium tier of Azure Key Vault.
 * Disks created from custom images that are encrypted using server-side
   encryption and customer-managed keys must be encrypted using the same
   customer-managed keys and must be in the same subscription.
 * Snapshots created from disks that are encrypted with server-side encryption
   and customer-managed keys must be encrypted with the same customer-managed
   keys.
 * Most resources related to your customer-managed keys (disk encryption sets,
   VMs, disks, and snapshots) must be in the same subscription and region.
   * Azure Key Vaults may be used from a different subscription but must be in
     the same region and tenant as your disk encryption set.
 * Disks, snapshots, and images encrypted with customer-managed keys cannot be
   moved to another resource group or subscription.
 * Managed disks currently or previously encrypted using Azure Disk Encryption
   cannot be encrypted using customer-managed keys.
 * You can create at most 1000 disk encryption sets per region per
   subscription.
 * For information about using customer-managed keys with shared image
   galleries, see Preview: Use customer-managed keys for encrypting images.

The following sections cover how to enable and use customer-managed keys for
managed disks.

If you are setting up customer-managed keys for your disks for the first time,
you must create the resources in a particular order. First, you need to create
and set up an Azure Key Vault.


SET UP YOUR AZURE KEY VAULT

 1.  Sign into the Azure portal.

 2.  Search for and select Key Vaults.

     Important

     Your Azure key vault, disk encryption set, VM, disks, and snapshots must
     all be in the same region and subscription for deployment to succeed.

 3.  Select +Create to create a new Key Vault.

 4.  Create a new resource group.

 5.  Enter a key vault name, select a region, and select a pricing tier.

     Note

     When creating the Key Vault instance, you must enable soft delete and purge
     protection. Soft delete ensures that the Key Vault holds a deleted key for
     a given retention period (90 day default). Purge protection ensures that a
     deleted key cannot be permanently deleted until the retention period
     lapses. These settings protect you from losing data due to accidental
     deletion. These settings are mandatory when using a Key Vault for
     encrypting managed disks.

 6.  Select Review + Create, verify your choices, then select Create.

 7.  Once your key vault finishes deploying, select it.

 8.  Select Keys under Settings.

 9.  Select Generate/Import.

 10. Leave both Key Type set to RSA and RSA Key Size set to 2048.

 11. Fill in the remaining selections as you like and then select Create.


ADD AN AZURE RBAC ROLE

Now that you've created the Azure key vault and a key, you must add an Azure
RBAC role so that you can use your Azure key vault with your disk encryption
set.

 1. Select Access control (IAM) and add a role.
 2. Add the Key Vault Administrator, Owner, or Contributor role.


SET UP YOUR DISK ENCRYPTION SET

 1.  Search for Disk Encryption Sets and select it.

 2.  On the Disk Encryption Sets pane, select +Create.

 3.  Select your resource group, name your encryption set, and select the same
     region as your key vault.

 4.  For SSE Encryption type, select Encryption at-rest with a customer-managed
     key.

     Note

     Once you create a disk encryption set with a particular encryption type, it
     cannot be changed. If you want to use a different encryption type, you must
     create a new disk encryption set.

 5.  Select Click to select a key.

 6.  Select the key vault and key you created previously, and the version.

 7.  Press Select.

 8.  If you want to enable automatic rotation of customer-managed keys, select
     Auto key rotation.

 9.  Select Review + Create and then Create.

 10. Navigate to the disk encryption set once it is deployed, and select the
     displayed alert.

 11. This grants the disk encryption set permissions on your key vault.

DEPLOY A VM

Now that you've created and set up your key vault and the disk encryption set,
you can deploy a VM that uses the encryption. The VM deployment process is
similar to the standard deployment process; the only differences are that you
must deploy the VM in the same region as your other resources and that you opt
to use a customer-managed key.

 1. Search for Virtual Machines and select + Add to create a VM.

 2. On the Basic blade, select the same region as your disk encryption set and
    Azure Key Vault.

 3. Fill in the other values on the Basic blade as you like.

 4. On the Disks blade, select Encryption at rest with a customer-managed key.

 5. Select your disk encryption set in the Disk encryption set drop-down.

 6. Make the remaining selections as you like.


ENABLE ON AN EXISTING DISK

Caution

Enabling disk encryption on any disks attached to a VM requires that you stop
the VM.

 1. Navigate to a VM that is in the same region as one of your disk encryption
    sets.

 2. Open the VM and select Stop.

 3. After the VM has finished stopping, select Disks and then select the disk
    you want to encrypt.

 4. Select Encryption, select Encryption at rest with a customer-managed key,
    and then select your disk encryption set in the drop-down list.

 5. Select Save.

 6. Repeat this process for any other disks attached to the VM you'd like to
    encrypt.

 7. When your disks finish switching over to customer-managed keys, and there
    are no other attached disks you'd like to encrypt, you may start your VM.

Important

Customer-managed keys rely on managed identities for Azure resources, a feature
of Azure Active Directory (Azure AD). When you configure customer-managed keys,
a managed identity is automatically assigned to your resources under the covers.
If you subsequently move the subscription, resource group, or managed disk from
one Azure AD directory to another, the managed identity associated with the
managed disks is not transferred to the new tenant, so customer-managed keys may
no longer work. For more information, see Transferring a subscription between
Azure AD directories.
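The same procedure the portal steps above describe (key vault with soft delete and purge protection, RSA key, disk encryption set with auto key rotation, the key permission grant that the "displayed alert" step performs, and encrypting an existing OS disk), as an added Az PowerShell example; this is not code from the article, and the resource group, vault, set and VM names are assumptions.

```powershell
# Added example, not from the Microsoft Docs page. All names below are assumed.
$rg        = 'rg-cmk-demo'        # assumed resource group (already exists)
$location  = 'westeurope'         # vault, DES, disks and VM must share this region
$vaultName = 'kv-cmk-demo-0001'   # assumed; key vault names are globally unique
$desName   = 'des-cmk-demo'
$vmName    = 'vm-cmk-demo'        # assumed existing VM whose OS disk gets encrypted

# 1. Key vault. Soft delete is on by default in current Az; purge protection is opt-in.
#    Use -Sku Premium if you intend to create HSM-protected keys.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
             -EnablePurgeProtection
if (-not ($vault.EnableSoftDelete -and $vault.EnablePurgeProtection)) {
    throw 'Soft delete and purge protection are mandatory for a disk-encryption vault.'
}

# 2. Software-protected RSA 2048 key (the only supported type; 3072/4096 also allowed).
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name 'disk-cmk' `
           -Destination Software -KeyType RSA -Size 2048

# 3. Disk encryption set with a system-assigned managed identity and auto key rotation.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
                 -SourceVaultId $vault.ResourceId -KeyUrl $key.Id `
                 -IdentityType SystemAssigned -RotationToLatestKeyVersionEnabled $true
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -InputObject $desConfig

# 4. Grant the DES identity only the key permissions it needs (least privilege);
#    this is what selecting the alert in the portal does for you.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys get, wrapkey, unwrapkey

# 5. Encrypt an existing OS disk: the VM has to be stopped (deallocated) first.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force
$vm       = Get-AzVM -ResourceGroupName $rg -Name $vmName
$osDisk   = $vm.StorageProfile.OsDisk.Name
$update   = New-AzDiskUpdateConfig -EncryptionType 'EncryptionAtRestWithCustomerKey' `
                -DiskEncryptionSetId $des.Id
Update-AzDisk -ResourceGroupName $rg -DiskName $osDisk -DiskUpdate $update
Start-AzVM -ResourceGroupName $rg -Name $vmName

# 6. Check the result: the disk should report the CMK encryption type and the DES id.
$disk = Get-AzDisk -ResourceGroupName $rg -DiskName $osDisk
$disk.Encryption | Format-List Type, DiskEncryptionSetId
```

If the vault uses Azure RBAC authorization instead of access policies, step 4 is a role assignment (for example Key Vault Crypto Service Encryption User) to the same principal rather than Set-AzKeyVaultAccessPolicy.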


ENABLE AUTOMATIC KEY ROTATION ON AN EXISTING DISK ENCRYPTION SET

 1. Navigate to the disk encryption set that you want to enable automatic key
    rotation on.
 2. Under Settings, select Key.
 3. Select Auto key rotation and select Save.


NEXT STEPS

 * Explore the Azure Resource Manager templates for creating encrypted disks
   with customer-managed keys
 * What is Azure Key Vault?
 * Replicate machines with customer-managed keys enabled disks
 * Set up disaster recovery of VMware VMs to Azure with PowerShell
 * Set up disaster recovery to Azure for Hyper-V VMs using PowerShell and Azure
   Resource Manager





