
Manage Disk Encryption

Handian Sudianto 7,281 Reputation points
2026-06-22T02:22:09.51+00:00

On the managed disk there is an Encryption setting like the picture below; the encryption is set to SSE with PMK.

I want to know how the encryption works. Does this mean all data inside the disk will be encrypted and we can't move the data out from the server?


Azure Disk Encryption

An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.


2 answers

  1. Himanshu Shekhar 6,790 Reputation points Microsoft External Staff Moderator
    2026-06-22T04:46:25.2566667+00:00

    What "SSE with PMK" means

    SSE = Server-Side Encryption and PMK = Platform-Managed Key.

    This is the default encryption that Azure applies to every managed disk automatically: no setup, no cost, and no performance impact. https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption

    Your disk data is encrypted at rest using 256-bit AES (FIPS 140-2 compliant) as it is persisted to the Azure Storage clusters.

    The encryption key (PMK) is generated, stored, rotated, and fully managed by Microsoft; you don't see or handle it.

    This is always on and cannot be disabled for managed disks.

    How the encryption actually works

    1. Think of it like BitLocker at the storage layer.
    2. When the VM writes data, it travels to the underlying Azure Storage and is encrypted there at rest.
    3. When the VM reads data, Azure transparently decrypts it and hands it back; the OS, applications, and authorized users see normal, readable data. - https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption
    4. So the encryption protects the physical media: if a disk/drive were ever decommissioned, removed, or re-assigned to another host, the raw data on the platter is unreadable without the key.

    Your specific question is: "Does this mean I can't move data out of the server?" - No. SSE with PMK does NOT block you from copying, moving, or exporting your data.

    This is the most common misconception. Here's the key point:

    1. SSE protects data at rest on the storage media, not in use. Once an authorized VM or user accesses the disk, the data is automatically decrypted and behaves like any normal file.
    2. You can still copy files off the server, transfer data over the network, back up, snapshot, or export normally. SSE is invisible to your applications and users. - https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption
    3. SSE is about compliance and protection against physical theft / media re-assignment, not about restricting data movement or access control. SSE with PMK = your data is automatically encrypted on Azure's disks behind the scenes, but it stays fully usable and movable for anyone with legitimate access to the VM.



  2. AI answer

    2026-06-22T02:22:26.8866667+00:00

    SSE with PMK means the managed disk is using Server-Side Encryption with platform‑managed keys.

    How the encryption works:

    • Azure always encrypts data on managed disks at rest using Server-Side Encryption (SSE).
    • Data written to the disk is encrypted transparently by Azure Storage using 256‑bit AES encryption that is FIPS 140‑2 compliant.
    • With platform‑managed keys (PMK), Azure generates, stores, and rotates the encryption keys for you. No extra configuration or cost is required.
    • This encryption happens only when data is persisted to the storage clusters; reads and writes from the VM are automatically decrypted/encrypted by the platform and do not change application behavior or disk performance.

    Impact on moving or accessing data:

    • Encryption does not prevent copying or moving data out of the VM or disk. Applications and users that have access to the VM can still read the data (it is transparently decrypted) and move it elsewhere (for example, to another disk, storage account, or outside Azure).
    • The purpose of SSE with PMK is to protect data at rest in Azure’s storage infrastructure, not to restrict data export.

    If customer‑managed keys (CMK) are used instead of PMK, access to the disk data can be indirectly controlled by enabling/disabling keys or revoking access, but this is not the case for SSE with PMK.



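Both answers above explain that SSE with PMK is always on and that only the CMK variant gives the customer a key they can disable. The script below is an added example, not part of either answer or of Microsoft's documentation: it reads the `encryption.type` value that `az disk show` returns for a managed disk and maps it to what that means for key control. The resource group and disk names are placeholders, and the JSON fragment is constructed so the mapping can be exercised without an Azure login.

```shell
#!/bin/sh
# Added example: inspect a managed disk's server-side encryption setting.
# The EncryptionType values are the ones the Azure Disks API returns.

# Map an encryption.type value to its practical meaning for key control.
classify_encryption() {
  case "$1" in
    EncryptionAtRestWithPlatformKey)
      echo "PMK: Microsoft-managed key; always on; cannot be disabled; no key to revoke" ;;
    EncryptionAtRestWithCustomerKey)
      echo "CMK: customer key in Key Vault via a Disk Encryption Set; disabling the key blocks disk access" ;;
    EncryptionAtRestWithPlatformAndCustomerKeys)
      echo "Double encryption: platform-managed key plus customer-managed key" ;;
    *)
      echo "unknown encryption type: $1" >&2
      return 1 ;;
  esac
}

# Pull encryption.type out of `az disk show -o json` output without needing jq.
# Only looks inside the top-level "encryption": { ... } object.
extract_encryption_type() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n 's/.*"encryption":[[:space:]]*{[^}]*"type":[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample of the relevant part of `az disk show` output (not real data).
SAMPLE_JSON='{
  "name": "example-disk",
  "encryption": {
    "diskEncryptionSetId": null,
    "type": "EncryptionAtRestWithPlatformKey"
  },
  "osType": "Linux"
}'

# Live check against a real disk; requires `az login`.
# "$1" = resource group, "$2" = disk name (placeholders when called below).
check_disk_encryption() {
  enc_type=$(az disk show --resource-group "$1" --name "$2" \
               --query "encryption.type" -o tsv) || return 1
  classify_encryption "$enc_type"
}

# Offline demonstration on the constructed sample.
sample_type=$(extract_encryption_type "$SAMPLE_JSON")
echo "encryption.type = $sample_type"
classify_encryption "$sample_type"

# Uncomment to run against a real disk (placeholder names):
# check_disk_encryption "MY-RESOURCE-GROUP" "MY-DISK-NAME"
```

Whatever the value reported, none of the three types restricts a principal who can already attach or read the disk from copying its contents elsewhere; the difference between PMK and CMK is only who holds the key and whether it can be revoked.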
