Can a managed disk with server-side encryption using platform managed keys be exported and imported to a VM on a different tenant. Or, are PMKs tenant specific?

Question

Hi,

Just looking at pros and cons of server-side encryption using platform managed keys. Specifically, I'm trying to confirm whether disks that are encrypted with SSE using PMKs can be decrypted in ANY Azure tenant, e.g.. if SSE encrypted disk is exported to a VHD can it then be imported in someone's free trial Azure tenant? Or, are PMKs tenant specific?

I can't find this explicitly stated anywhere online.

Thanks
G.

Answer 1

@Gavin Chisholm Thank you for reaching out to Microsoft Q&A.

I understand that you have questions regarding Managed disk with SSE using PMKs and if you can use it Cross Tenant. You can export the file and use it for a VM in a different tenant as when you export it, the file is decrypted.

However, since PMKs are managed entirely by Azure, you cannot use the same PMK for the VM in the other tenant for security purposes. CMKs can be used for cross-tenant purposes since they can be uploaded anywhere, whereas you can't interact with the PMKs.

Here are details for cross-tenant CMKs in case you want to learn more- https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-cross-tenant-existing-account?tabs=azure-portal

Hope this helps. Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.