Scope of encryption at host with platform managed keys. Copy disk across tenants

Venglatur, Viswanath 1 Reputation point
2022-08-19T13:07:23.517+00:00

Hello Everyone,
Would like to understand the scope of platform managed keys. I have enabled encryption at host with platform managed keys. Can I now take a snapshot of the disk and move it to a different tenant / subscription? Would I be able to attach these disks to a different host elsewhere and decrypt them? If so, what is the security perimeter of platform managed keys and what is it actually protecting? Can I even snapshot the disks and use them, maybe in a different Azure account / organization?

Would the same apply to the VM itself, as we have enabled encryption at host with PMK? Can we copy the image and reuse it elsewhere outside the tenant and organization?

Thanks

Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
Azure Disk Storage
A high-performance, durable block storage designed to be used with Azure Virtual Machines and Azure VMware Solution.

2 answers

  1. SaiKishor-MSFT 17,186 Reputation points
    2022-08-30T20:02:03.153+00:00

    @Venglatur, Viswanath Thanks for reaching out to Microsoft Q&A. I understand that you have questions related to encryption at host and PMK.

    Yes, you can attach it to a different VM. Encryption at host happens at the VM host level. So, when the disk is attached to a new VM, then encryption will be done at that host.

    Regarding PMKs, it acts as the KEK (Key Encryption Key) for the DEK (Data Encryption Key), which is the account encryption key in the storage case. This document has information on how encryption at rest works: https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest

    Please let me know if you have any more questions and I will be glad to assist further. Thank you!

  2. Venglatur, Viswanath 1 Reputation point
    2022-09-01T22:12:12.883+00:00

    Hi Sai,
    It still does not answer my question regarding the boundaries of PMK. For example, in AWS, if an AWS managed key is used to encrypt a disk, usually we are not able to copy that disk over to a different account and use it on a different host in that new account, so the boundary is an account within AWS. Similarly, within Azure, what is the boundary for PMK? It should not be the case that anyone in any organization under any tenant should be able to just copy the disk and use it, in which case what is the purpose of encryption?

    I hope I was able to clarify the question better. Let me know.

    Best
    Viswanath Sekar