Azure Disk Encryption



Intro



Documentation



Tips and Tidbits

  • Azure Disk encryption can be applied to both Linux and Windows virtual machines, as well as to virtual machine scale sets.

  • It uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).

    • On Windows VMs only, the OS disk must be encrypted before the data disks.

  • For Linux, it uses the DM-Crypt feature to provide volume encryption for the OS and data disks of Azure virtual machines (VMs).

  • It is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

    • You cannot use your own on-prem key management.

  • Azure Disk Encryption is supported on Generation 1 and Generation 2 VMs.

    • Azure Disk Encryption is also available for VMs with premium storage.

    • Azure Disk Encryption is not available on Basic or A-series VMs, or on virtual machines with less than 2 GB of memory.

  • Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets.

    • Your key vault and VMs must reside in the same Azure region and subscription.

  • To write the encryption keys to your key vault, the Windows VM must be able to connect to the key vault endpoint.
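As an added example (not from the original page or from Microsoft), the script below enforces the requirements listed above before enabling Azure Disk Encryption with the Azure CLI: VM and key vault must share a subscription and region, and on Windows the OS volume is encrypted before the data disks. Resource group, VM and key vault names are supplied as arguments (hypothetical values); the colocation check is pure shell and needs no Azure access.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check plus enablement of Azure Disk Encryption (ADE).
# The az commands are real Azure CLI commands but run only when three
# arguments (<resource-group> <vm-name> <key-vault-name>) are given.
set -e

# Extract the subscription GUID from an ARM resource ID of the form
# /subscriptions/<guid>/resourceGroups/<rg>/providers/...  (empty if no match)
subscription_of() {
  printf '%s\n' "$1" | sed -n 's#^/subscriptions/\([^/]*\)/.*#\1#p'
}

# Succeed (0) only when VM and key vault are in the same subscription and the
# same region, as ADE requires; region comparison is case-insensitive.
colocated() {
  vm_sub=$(subscription_of "$1"); kv_sub=$(subscription_of "$3")
  [ -n "$vm_sub" ] || return 1
  [ "$vm_sub" = "$kv_sub" ] || return 1
  vm_loc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  kv_loc=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
  [ "$vm_loc" = "$kv_loc" ]
}

# Enable ADE. On Windows the OS volume must be encrypted before data disks, so
# it is done in two calls; Linux encrypts all volumes in one call.
enable_ade() {
  rg=$1; vm=$2; kv=$3
  vm_id=$(az vm show -g "$rg" -n "$vm" --query id -o tsv)
  vm_loc=$(az vm show -g "$rg" -n "$vm" --query location -o tsv)
  kv_id=$(az keyvault show -n "$kv" --query id -o tsv)
  kv_loc=$(az keyvault show -n "$kv" --query location -o tsv)
  colocated "$vm_id" "$vm_loc" "$kv_id" "$kv_loc" \
    || { echo "VM and key vault must share region and subscription" >&2; return 1; }
  os=$(az vm show -g "$rg" -n "$vm" --query storageProfile.osDisk.osType -o tsv)
  if [ "$os" = "Windows" ]; then
    az vm encryption enable -g "$rg" -n "$vm" --disk-encryption-keyvault "$kv" --volume-type OS
    az vm encryption enable -g "$rg" -n "$vm" --disk-encryption-keyvault "$kv" --volume-type DATA
  else
    az vm encryption enable -g "$rg" -n "$vm" --disk-encryption-keyvault "$kv" --volume-type ALL
  fi
  az vm encryption show -g "$rg" -n "$vm" -o table   # confirm encryption status
}

if [ "$#" -eq 3 ]; then
  enable_ade "$1" "$2" "$3"
fi
```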