Error: Encryption at host is not allowed for a VM having disks that were encrypted with Azure Disk Encryption

Question

Hi,

I had enabled the Azure Disk Encryption on my Azure VM but now we want to enable "EncryptionAtHost" on that VM.

Although I have disabled the Azure Disk Encryption from the VM by following steps mentioned here (https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux?tabs=azcliazure%2Cenableadecli%2Cefacli%2Cadedatacli) to disable and removal of extension.

But now when I am trying to enable EncryptionAtHost, I am still getting below error:

Failed to update 'vm'. Error: Encryption at host is not allowed for a VM having disks that were encrypted with Azure Disk Encryption. For more information, see https://aka.ms/hberestrictions

I want to know whether it is possible to enable to "EncrytionAtHost" after we disable "Azure Disk Encryption" or not?

Answer 1

@Jaya Ojha

Even though you have disabled Azure Disk Encryption, Encryption at Host can't be enabled on virtual machines (VMs) or virtual machine scale sets that currently or ever had Azure Disk Encryption enabled.
You will need to recreate the VM in order to enable Encryption at Host. Apologies for the inconvenience with this limitation.
Let me know if you have further questions and I will do my best to assist.

---

If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

If the answer has been helpful, we appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community.

Thank you for helping to improve Microsoft Q&A!