This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi all,
on
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal#azure-disk-encryption-and-auto-rotation
it is said that:
Although Azure Key Vault now has key auto-rotation, it isn't currently compatible with Azure Disk Encryption. Specifically, Azure Disk Encryption will continue to use the original encryption key, even after it has been auto-rotated.
If we create a Key Encryption Key (KEK) for an additional layer of security for Azure Disk Encryption (ADE) and enable auto-rotation for this KEK, will the new version of this KEK after auto rotation automatically be used for wrapping the current ADE Bitlocker Encryptions keys (BEK)?
kind regards
Nick
@Nick Buschner Just checking in to see if the below answer helped. If this answers your query, do click "Accept the answer”, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Hello @Anonymous
You can rotate the KEK by calling the command above
az vm encryption enable -n vmname -g rsgrp --key-encryption-key kek --disk-encryption-keyvault keyvault-name --volume-type ALL --encrypt-format-all
every time when you need a newer version of the KEK.
Doing so, secret of type Wrapped BEKs in addition to existing one is added for VM.
https://learn.microsoft.com/en-us/answers/questions/763816/rotating-ade-kek-adds-two-new-secrets-wrapped-beks.html
https://github.com/MicrosoftDocs/azure-docs/issues/40707