know if key vault is platform or customer managed

Lynette Patterson 1 Reputation point
2020-11-10T14:24:08.457+00:00

How do I tell if a VM, or a backup, is encrypted using a platform-managed or a customer-managed key vault? I have a client who has multiple VMs, uses Azure to back up in a different region, and has established at least 1 key vault. How do I tell what the key vault manages to verify they are compliant with their own encryption standards?

Azure Key Vault

1 answer

JamesTran-MSFT 36,611 Reputation points Microsoft Employee
    2020-11-10T23:18:55.4+00:00

    @Lynette Patterson
    Thank you for your questions!

    • Storage Service Encryption with Platform Managed Keys (SSE with PMK) is the default encryption: all managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted at rest with platform-managed keys.
    • Storage Service Encryption with Customer Managed Keys (SSE with CMK) is used to manage encryption at the level of each managed disk, with your own keys.
    • Azure Disk Encryption (ADE) uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.

    The easiest way to figure out the encryption status of a disk (OS and data) is by going to the VM itself.
    Select your VM -> Disks

    However, as you stated, your client has multiple VMs, therefore you can search for "Virtual Machines" in the search bar -> Filter columns by "Disk Encryption"
    **This will show you if a VM is encrypted, which indicates that the OS attached to that VM is encrypted with ADE

    Keep in mind that all your data disks will be encrypted with SSE with PMK by default. However, when it comes to managed disk encryption (both OS and data), if you enabled SSE with CMK, you can simply navigate to your disk encryption set -> Select resources
    **This will show all your disks that are encrypted with CMK, both OS and data disk.

    When it comes to finding out what Key Vault was used, you'll have to:

    Azure Disk Encryption: Figure out what Key Vault was specified within the encryption script. Or open up each BEK and open the Tags associated with that BEK.
    SSE with PMK: You can figure out what Key Vault was used by going to your Disk Encryption set and selecting "Key"

    I hope this helps! If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
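The portal walk-through in the answer above can be scripted for a client with many VMs. This is an added example, not code from the answer or from Microsoft's tooling: a Python script that classifies each managed disk as SSE with PMK, SSE with CMK, or ADE from the JSON that `az disk list -o json` and `az disk-encryption-set list -o json` return, and names the Key Vault behind a CMK disk (via the disk encryption set's active key) or an ADE disk (via the BEK's sourceVault). The embedded JSON is constructed sample data with placeholder subscription and resource IDs; the field names assume the Microsoft.Compute disk and diskEncryptionSet resource schema as the CLI emits it.

```python
import json  # stdlib only; input is the JSON the az CLI prints

# Constructed sample resembling `az disk list` and `az disk-encryption-set list` output; IDs are placeholders.
DISKS_JSON = """[
 {"name": "vm1-os", "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
  "encryptionSettingsCollection": {"enabled": true, "encryptionSettings": [
    {"diskEncryptionKey": {"secretUrl": "https://kv-ade.vault.azure.net/secrets/BEK/1",
     "sourceVault": {"id": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-ade"}}}]}},
 {"name": "vm2-data", "encryption": {"type": "EncryptionAtRestWithCustomerKey",
  "diskEncryptionSetId": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
 {"name": "vm3-data", "encryption": {"type": "EncryptionAtRestWithPlatformKey"}}
]"""
DES_JSON = """[
 {"id": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/des-prod",
  "activeKey": {"keyUrl": "https://kv-cmk.vault.azure.net/keys/disk-kek/abc",
   "sourceVault": {"id": "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-cmk"}}}
]"""

def vault_name(resource_id):
    # Last path segment of a Key Vault resource id ('.../vaults/kv-cmk' -> 'kv-cmk')
    return resource_id.rstrip("/").rsplit("/", 1)[-1]

def classify(disks, des_list):
    """Map each disk name to (encryption model, Key Vault name or None for platform keys)."""
    des_by_id = {d["id"].lower(): d for d in des_list}
    report = {}
    for disk in disks:
        enc = disk.get("encryption") or {}
        sse = enc.get("type", "EncryptionAtRestWithPlatformKey")
        sse_label = {"EncryptionAtRestWithCustomerKey": "CMK",
                     "EncryptionAtRestWithPlatformAndCustomerKeys": "PMK+CMK"}.get(sse, "PMK")
        ade = disk.get("encryptionSettingsCollection") or {}
        if ade.get("enabled"):
            # ADE: the BEK secret (and optional KEK) live in the vault named by sourceVault
            first = (ade.get("encryptionSettings") or [{}])[0]
            vault = first.get("diskEncryptionKey", {}).get("sourceVault", {}).get("id")
            report[disk["name"]] = (f"ADE (volume) + SSE with {sse_label}", vault_name(vault) if vault else None)
        elif sse == "EncryptionAtRestWithPlatformKey":
            report[disk["name"]] = ("SSE with PMK", None)  # default; no customer vault involved
        else:
            # CMK (or double encryption): the disk encryption set's active key names the vault
            des = des_by_id.get((enc.get("diskEncryptionSetId") or "").lower())
            vault = des["activeKey"]["sourceVault"]["id"] if des else None
            report[disk["name"]] = (f"SSE with {sse_label}", vault_name(vault) if vault else None)
    return report

def report_from_samples():
    return classify(json.loads(DISKS_JSON), json.loads(DES_JSON))

if __name__ == "__main__":
    for name, (model, vault) in report_from_samples().items():
        print(f"{name:10} {model:30} key vault: {vault or '(platform managed)'}")
```

A disk that reports "SSE with PMK" and no vault is the default case; anything else names the vault the client's standard must be checked against.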

