Azure Disk Encryption
Intro
Documentation
Tips and Tidbits
Azure Disk Encryption can be applied to both Linux and Windows virtual machines, as well as to virtual machine scale sets.
On Windows, it uses the BitLocker feature to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).
For Windows VMs only, the OS disk must be encrypted before the data disk.
On Linux, it uses the DM-Crypt feature to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).
It is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.
You cannot use your own on-prem key management.
Azure Disk Encryption is supported on Generation 1 and Generation 2 VMs.
Azure Disk Encryption is also available for VMs with premium storage.
Azure Disk Encryption is not available on Basic or A-series VMs, or on virtual machines with less than 2 GB of memory.
Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets.
Your key vault and VMs must reside in the same Azure region and subscription.
To write the encryption keys to your key vault, the Windows VM must be able to connect to the key vault endpoint.
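The prerequisites listed above (same region and subscription for the Key Vault and the VM, no Basic or A-series sizes, at least 2 GB of memory, a vault that the platform may write secrets to, OS disk before data disks on Windows) can be checked and then acted on from Az PowerShell. The script below is an added example, not content from this page or from Microsoft's documentation; the resource group, VM and vault names are placeholders, and it assumes you are already signed in with Connect-AzAccount to the subscription that holds both the VM and the vault.

```powershell
# Added example: prerequisite checks, then enabling Azure Disk Encryption with Az PowerShell.
# All resource names are placeholders (assumptions), not values from the page.
$rg        = "rg-example"   # assumed resource group name
$vmName    = "vm-example"   # assumed VM name
$vaultName = "kv-example"   # assumed Key Vault name

$vm    = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vault = Get-AzKeyVault -VaultName $vaultName

# Both objects were resolved in the current subscription context, which covers the
# "same subscription" rule; the region still has to be compared explicitly.
if ($vm.Location -ne $vault.Location) {
    throw "Key Vault region '$($vault.Location)' differs from VM region '$($vm.Location)'."
}

# Not available on Basic or A-series sizes, or on VMs with less than 2 GB of memory.
$size = Get-AzVMSize -Location $vm.Location |
        Where-Object { $_.Name -eq $vm.HardwareProfile.VmSize }
if ($null -eq $size -or
    $size.MemoryInMB -lt 2048 -or
    $size.Name -like "Basic_*" -or
    $size.Name -like "Standard_A*") {
    throw "VM size '$($vm.HardwareProfile.VmSize)' is not supported for Azure Disk Encryption."
}

# The vault must allow the platform to write the disk encryption keys and secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ResourceGroupName $vault.ResourceGroupName `
    -EnabledForDiskEncryption

# Encrypt the OS and data disks. With -VolumeType All the extension encrypts the
# OS disk before the data disks, which is the required order on Windows.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -VolumeType All

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should both report Encrypted
# once the extension has finished.
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Set-AzVMDiskEncryptionExtension asks for confirmation because it may restart the VM, so run it in a maintenance window; the final Get-AzVmDiskEncryptionStatus call is the check to keep in your runbook, since a VM whose extension failed to reach the vault endpoint will still show NotEncrypted there.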