Server-side encryption of Azure managed disks - Azure Virtual Machines (2024)


Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data and to help you meet your organizational security and compliance commitments. Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, aren't encrypted through Azure Storage. For disks with encryption at host enabled, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage.

Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.

Azure Storage encryption doesn't impact the performance of managed disks and there's no extra cost. For more information about Azure Storage encryption, see Azure Storage encryption.


Temporary disks are not managed disks and are not encrypted by SSE, unless you enable encryption at host.

About encryption key management

You can rely on platform-managed keys for the encryption of your managed disk, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

The following sections describe each of the options for key management in greater detail.

Platform-managed keys

By default, managed disks use platform-managed encryption keys. All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted-at-rest with platform-managed keys. Platform-managed keys are managed by Microsoft.

Customer-managed keys

You can choose to manage encryption at the level of each managed disk, with your own keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

You must use one of the following Azure key stores to store your customer-managed keys:

  • Azure Key Vault
  • Azure Key Vault Managed Hardware Security Module (HSM)

You can either import your RSA keys to your Key Vault or generate new RSA keys in Azure Key Vault. Azure managed disks handles the encryption and decryption in a fully transparent fashion using envelope encryption. It encrypts data using an AES 256 based data encryption key (DEK), which is, in turn, protected using your keys. The Storage service generates data encryption keys and encrypts them with customer-managed keys using RSA encryption. The envelope encryption allows you to rotate (change) your keys periodically as per your compliance policies without impacting your VMs. When you rotate your keys, the Storage service re-encrypts the data encryption keys with the new customer-managed keys.

Managed disks and the Key Vault or managed HSM must be in the same Azure region, but they can be in different subscriptions. They must also be in the same Microsoft Entra tenant, unless you're using Encrypt managed disks with cross-tenant customer-managed keys (preview).

Full control of your keys

You must grant access to managed disks in your Key Vault or managed HSM to use your keys for encrypting and decrypting the DEK. This allows you full control of your data and keys. You can disable your keys or revoke access to managed disks at any time. You can also audit the encryption key usage with Azure Key Vault monitoring to ensure that only managed disks or other trusted Azure services are accessing your keys.


When a key is disabled, deleted, or expired, any VMs with OS or data disks that use that key automatically shut down. After the automated shutdown, the VMs won't boot until the key is enabled again or you assign a new key.

Generally, disk I/O (read or write operations) starts to fail one hour after a key is disabled, deleted, or expired.

The following diagram shows how managed disks use Microsoft Entra ID and Azure Key Vault to make requests using the customer-managed key:

The following list explains the diagram in more detail:

  1. An Azure Key Vault administrator creates key vault resources.
  2. The key vault admin either imports their RSA keys to Key Vault or generates new RSA keys in Key Vault.
  3. That administrator creates a Disk Encryption Set resource, specifying an Azure Key Vault ID and a key URL. Disk Encryption Set is a resource introduced to simplify key management for managed disks.
  4. When a disk encryption set is created, a system-assigned managed identity is created in Microsoft Entra ID and associated with the disk encryption set.
  5. The Azure key vault administrator then grants the managed identity permission to perform operations in the key vault.
  6. A VM user creates disks by associating them with the disk encryption set. The VM user can also enable server-side encryption with customer-managed keys for existing resources by associating them with the disk encryption set.
  7. Managed disks use the managed identity to send requests to the Azure Key Vault.
  8. For reading or writing data, managed disks send requests to Azure Key Vault to encrypt (wrap) and decrypt (unwrap) the data encryption key in order to perform encryption and decryption of the data.
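The eight steps above as one Azure PowerShell script. This is an added example, not code from the article or from Microsoft; the resource group, region, vault, key and disk names are placeholders, the key size is an assumption, and the vault is assumed to use the access-policy permission model (with Azure RBAC you would assign the Key Vault Crypto Service Encryption User role instead of Set-AzKeyVaultAccessPolicy).

```powershell
# Added example: set up customer-managed keys for a managed disk end to end.
$rgName    = "rg-cmk-demo"        # assumed, must already exist
$location  = "westus2"            # Key Vault and DES must be in the same region
$vaultName = "kv-cmk-demo-0001"   # assumed, must be globally unique
$keyName   = "disk-cmk"
$desName   = "des-cmk-demo"
$diskName  = "data-disk-cmk"

# Steps 1-2: a key vault with purge protection (required for a disk encryption
# set) and an RSA key of a supported size (2048, 3072 or 4096 bits).
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rgName `
    -Location $location -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName `
    -Destination Software -KeyType RSA -Size 3072

# Steps 3-4: the disk encryption set references the vault and key URL and gets
# a system-assigned managed identity; rotation to the latest key version is on.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
    -SourceVaultId $vault.ResourceId -KeyUrl $key.Key.Kid `
    -IdentityType SystemAssigned -RotationToLatestKeyVersionEnabled $true
$des = New-AzDiskEncryptionSet -Name $desName -ResourceGroupName $rgName `
    -InputObject $desConfig

# Step 5 (least privilege): the DES identity only needs to wrap/unwrap the DEK
# and read key metadata, not create, delete or purge keys.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapKey, unwrapKey, get

# Step 6: a data disk whose DEK is wrapped by the customer-managed key.
$diskConfig = New-AzDiskConfig -Location $location -DiskSizeGB 64 `
    -SkuName Premium_LRS -CreateOption Empty -DiskEncryptionSetId $des.Id
$disk = New-AzDisk -ResourceGroupName $rgName -DiskName $diskName -Disk $diskConfig

# Steps 7-8 happen inside the platform; verify the disk reports CMK encryption.
$disk.Encryption.Type                  # expected: EncryptionAtRestWithCustomerKey
$disk.Encryption.DiskEncryptionSetId   # expected: $des.Id
```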

To revoke access to customer-managed keys, see Azure Key Vault PowerShell and Azure Key Vault CLI. Revoking access effectively blocks access to all data in the storage account, as the encryption key is inaccessible by Azure Storage.

Automatic key rotation of customer-managed keys

If you're using customer-managed keys, you should enable automatic key rotation to the latest key version. Automatic key rotation helps ensure your keys are secure. A disk references a key via its disk encryption set. When you enable automatic rotation for a disk encryption set, the system will automatically update all managed disks, snapshots, and images referencing the disk encryption set to use the new version of the key within one hour. To learn how to enable customer-managed keys with automatic key rotation, see Set up an Azure Key Vault and DiskEncryptionSet with automatic key rotation.


Virtual Machines aren't rebooted during automatic key rotation.

If you can't enable automatic key rotation, you can use other methods to alert you before keys expire. This way, you can make sure to rotate your keys before expiration and keep business continuity. You can use either an Azure Policy or Azure Event Grid to send a notification when a key expires soon.
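As an added example (not from the article), the check below walks every disk encryption set in the current subscription and flags keys that are disabled, expired, or expiring within a threshold, which is the condition the shutdown and I/O-failure notes above describe. The 30-day threshold is an assumption; the key URL is parsed as the standard https://<vault>.vault.azure.net/keys/<name>/<version> form, and a versionless URL (as used with automatic rotation) resolves to the current version.

```powershell
# Added example: audit the keys behind disk encryption sets before they bite.
$warnDays = 30   # assumed alert threshold

foreach ($des in Get-AzDiskEncryptionSet) {
    $uri       = [System.Uri]$des.ActiveKey.KeyUrl
    $vaultName = $uri.Host.Split('.')[0]
    $segments  = $uri.AbsolutePath.Trim('/').Split('/')   # keys/<name>[/<version>]
    $keyName   = $segments[1]

    # Only pass -Version when the DES pins one; otherwise fetch the current version.
    $params = @{ VaultName = $vaultName; Name = $keyName }
    if ($segments.Length -gt 2) { $params.Version = $segments[2] }
    $key = Get-AzKeyVaultKey @params

    $status = "OK"
    if (-not $key.Enabled) {
        $status = "DISABLED: attached VMs shut down; disk I/O fails within about an hour"
    } elseif ($key.Expires -and $key.Expires -lt (Get-Date)) {
        $status = "EXPIRED: attached VMs shut down; rotate or assign a new key"
    } elseif ($key.Expires -and $key.Expires -lt (Get-Date).AddDays($warnDays)) {
        $status = "EXPIRES SOON: $($key.Expires.ToString('u'))"
    }

    [pscustomobject]@{
        DiskEncryptionSet = $des.Name
        AutoRotation      = $des.RotationToLatestKeyVersionEnabled
        Vault             = $vaultName
        Key               = "$keyName/$($key.Version)"
        Status            = $status
    }
}
```

Run it on a schedule (for example from Azure Automation) and route anything other than OK to your alerting channel; it complements, rather than replaces, the Event Grid key-expiry notifications mentioned above.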


For now, customer-managed keys have the following restrictions:

  • If this feature is enabled for a disk with incremental snapshots, it can't be disabled on that disk or its snapshots. To work around this, copy all the data to an entirely different managed disk that isn't using customer-managed keys. You can do that with either the Azure CLI or the Azure PowerShell module.
  • Only software and HSM RSA keys of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
    • HSM keys require the premium tier of Azure Key vaults.
  • For Ultra Disks and Premium SSD v2 disks only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
  • Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
    • Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from different Microsoft Entra tenants.
  • Disks encrypted with customer-managed keys can only move to another resource group if the VM they are attached to is deallocated.
  • Disks, snapshots, and images encrypted with customer-managed keys can't be moved between subscriptions.
  • Managed disks currently or previously encrypted using Azure Disk Encryption can't be encrypted using customer-managed keys.
  • You can create only up to 5,000 disk encryption sets per region per subscription.
  • For information about using customer-managed keys with shared image galleries, see Preview: Use customer-managed keys for encrypting images.

Supported regions

Customer-managed keys are available in all regions that managed disks are available.


Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with managed disks isn't transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Microsoft Entra directories.

To enable customer-managed keys for managed disks, see our articles covering how to enable it with either the Azure PowerShell module, the Azure CLI or the Azure portal.

See Create a managed disk from a snapshot with CLI for a code sample.

Encryption at host - End-to-end encryption for your VM data

When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches is stored on that VM host. After enabling encryption at host, all this data is encrypted at rest and flows encrypted to the Storage service, where it's persisted. Essentially, encryption at host encrypts your data end to end. Encryption at host doesn't use your VM's CPU and doesn't impact your VM's performance.

Temporary disks and ephemeral OS disks are encrypted at rest with platform-managed keys when you enable end-to-end encryption. The OS and data disk caches are encrypted at rest with either customer-managed or platform-managed keys, depending on the selected disk encryption type. For example, if a disk is encrypted with customer-managed keys, then the cache for the disk is encrypted with customer-managed keys, and if a disk is encrypted with platform-managed keys then the cache for the disk is encrypted with platform-managed keys.


  • Supported for 4k sector size Ultra Disks and Premium SSD v2.
  • Only supported on 512e sector size Ultra Disks and Premium SSD v2 if they were created after 5/13/2023.
    • For disks created before this date, snapshot your disk and create a new disk using the snapshot.
  • Can't be enabled if Azure Disk Encryption (guest-VM encryption using BitLocker/DM-Crypt) is enabled on your virtual machines (VMs) or virtual machine scale sets.
  • Azure Disk Encryption can't be enabled on disks that have encryption at host enabled.
  • The encryption can be enabled on existing virtual machine scale sets. However, only new VMs created after enabling the encryption are automatically encrypted.
  • Existing VMs must be deallocated and reallocated in order to be encrypted.

Regional availability

Except for Ultra Disks and Premium SSD v2 managed disks, encryption at host is available in all regions.

For Ultra Disks and Premium SSD v2 managed disks, encryption at host is currently available in every region except for the following:

  • Canada East
  • West Europe
  • Japan West
  • South Central US
  • West US 3

Supported VM sizes

The complete list of supported VM sizes can be pulled programmatically. To learn how to retrieve them programmatically, refer to the finding supported VM sizes section of either the Azure PowerShell module or Azure CLI articles.
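An added example (not the article's own code) of that programmatic check: it reads the compute resource SKUs for a region and reports which VM sizes advertise the EncryptionAtHostSupported capability, and can be used as a pre-deployment gate for a specific size. The region and the size being tested are assumptions.

```powershell
# Added example: discover and test encryption-at-host support by VM size.
function Get-EncryptionAtHostVmSize {
    param([Parameter(Mandatory)][string]$Location)

    Get-AzComputeResourceSku |
        Where-Object {
            $_.ResourceType -eq 'virtualMachines' -and $_.Locations -contains $Location
        } |
        Where-Object {
            # Capability values are strings; string comparison is case-insensitive.
            $_.Capabilities |
                Where-Object { $_.Name -eq 'EncryptionAtHostSupported' -and $_.Value -eq 'True' }
        } |
        Select-Object -ExpandProperty Name
}

function Test-EncryptionAtHostVmSize {
    param(
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string]$VmSize
    )
    (Get-EncryptionAtHostVmSize -Location $Location) -contains $VmSize
}

# Usage with assumed values: list the sizes, then gate a deployment on one of them.
$location = 'westus2'
Get-EncryptionAtHostVmSize -Location $location

$vmSize = 'Standard_D4s_v5'
if (-not (Test-EncryptionAtHostVmSize -Location $location -VmSize $vmSize)) {
    throw "$vmSize in $location does not support encryption at host; pick another size."
}
```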

To enable end-to-end encryption using encryption at host, see our articles covering how to enable it with either the Azure PowerShell module, the Azure CLI, or the Azure portal.

Double encryption at rest

Customers with high security sensitivity who are concerned about the risk of any particular encryption algorithm, implementation, or key being compromised can opt for an extra layer of encryption, using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. This extra layer can be applied to persisted OS and data disks, snapshots, and images, all of which are then encrypted at rest with double encryption.


Double encryption at rest isn't currently supported with either Ultra Disks or Premium SSD v2 disks.

Supported regions

Double encryption is available in all regions that managed disks are available.

To enable double encryption at rest for managed disks, see our articles covering how to enable it with either the Azure PowerShell module, the Azure CLI or the Azure portal.

Server-side encryption versus Azure disk encryption

Azure Disk Encryption uses either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by letting you use any OS type and image for your VMs, because the data is encrypted in the Storage service rather than in the guest.


Next steps

  • Enable end-to-end encryption using encryption at host with either the Azure PowerShell module, the Azure CLI, or the Azure portal.
  • Enable double encryption at rest for managed disks with either the Azure PowerShell module, the Azure CLI or the Azure portal.
  • Enable customer-managed keys for managed disks with either the Azure PowerShell module, the Azure CLI or the Azure portal.
  • Explore the Azure Resource Manager templates for creating encrypted disks with customer-managed keys
  • What is Azure Key Vault?


What type of encryption does Azure Disk Encryption provide for Azure Virtual Machines?

Overview. Azure Disk Encryption uses BitLocker to provide full disk encryption on Azure virtual machines running Windows. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets in your key vault subscription.

What is Azure server-side encryption?

Server-side Encryption models refer to encryption that is performed by the Azure service. In that model, the Resource Provider performs the encrypt and decrypt operations. For example, Azure Storage may receive data in plain text operations and will perform the encryption and decryption internally.

What are the encryption options for managed disks?

There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host.

Are Azure managed disks encrypted by default?

Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, aren't encrypted through Azure Storage.

What encryption method does Azure use?

Azure Storage Service Encryption

Storage Service Encryption uses 256-bit Advanced Encryption Standard (AES) encryption, which is one of the strongest block ciphers available. AES handles encryption, decryption, and key management transparently.

What is the difference between server side encryption and client side encryption?

With client-side encryption you manage the key and without it nobody can access the contents of the files. If you mess up the policies, the keys protect your data. Server-Side encryption is the easiest. It ensures "encryption at rest", but S3 manages it all for you.

Which types of server side encryption are available for S3?

There are three types of S3 server side encryption methods (See figure 01).
  • Server side encryption with Customer Provided Keys (SSE-C)
  • Server side encryption with AWS S3 Managed Keys (SSE-S3)
  • Server side encryption with AWS KMS (SSE-KMS) — This further can be divided into two more methods. (

What type of encryption does Azure files use?

All data stored in Azure Files is encrypted at rest using Azure storage service encryption (SSE). Storage service encryption works similarly to BitLocker on Windows: data is encrypted beneath the file system level.

What type of encryption does Azure information protection use?

However, some relevant information that can help your legal adviser make a determination: Azure Information Protection uses AES 256 and AES 128 to encrypt documents.

What is an Azure managed disk?

Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed disks are like a physical disk in an on-premises server but, virtualized. With managed disks, all you have to do is specify the disk size, the disk type, and provision the disk.

What are the different types of disk encryption?

There are two main computer encryption types: full disk encryption and file-level encryption. Full Disk Encryption (FDE) or whole disk encryption protects the entire volume and all files on the drive against unauthorized access.

What are the different encryption options for VM?

  • Server-Side Encryption (SSE): Encrypts your disks at the storage account level, at rest. Default, always enabled, can't turn off.
  • Azure Disk Encryption (ADE): Encrypts your disks at the VM OS level. ...
  • Encryption at Host (EAH): Encrypt your temporary disk and cache at the host.

What is the difference between server side encryption and Azure Disk Encryption?

If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption. If your requirements include encrypting only data at rest with customer-managed key, then use Server-side encryption with customer-managed keys.

How to encrypt an Azure VM disk?

Encrypt the virtual machine

Under Encryption settings > Disks to encrypt, select OS and data disks. Under Encryption settings, choose Select a key vault and key for encryption. On the Select key from Azure Key Vault screen, select Create New.

Which are the main encryption-based disk protection technologies for Azure VMs?

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. For domain joined VMs, don't push any group policies that enforce TPM protectors. For information about the group policy for "Allow BitLocker without a compatible TPM," see BitLocker Group Policy Reference.

What are the different types of Disk Encryption?

There are two main computer encryption types: full disk encryption and file-level encryption. Full Disk Encryption (FDE) or whole disk encryption protects the entire volume and all files on the drive against unauthorized access.

Which type of encryption is used for the Azure Linux VM disks (select only one answer: BitLocker?)

It uses the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Azure Disk Encryption is zone resilient, the same way as Virtual Machines.

Article information

Author: Allyn Kozey
