This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 57.00000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
Hello Team,
I would like to understand the impact of enabling Azure Disk Encryption at the application level. This is being enabled in existing VM's where applications are running, so would like to check whether application code changes are required for accessing the data in Data disk/OS disk using the keys in Keyvault.
Additionally, is it best practice to set expiration date for the automatic keys (wrapped BEK) in the Keyvault and what would be the impact if it is expired?
Thanks,
Dinesh
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
@Dinesh Kumar Palani Thanks for posting your query on Microsoft Q&A.
Application code changes are not required while accessing data in an Azure Disk Encryption enabled disk.
Here's a detailed comparison of various encryption options available for VMs - https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview#comparison
Should Key Vault keys have an expiration date?
Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.
You can learn more about auto-rotation of encryption keys here - https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault?tabs=azure-portal#azure-disk-encryption-and-auto-rotation
Additional Reading:
I hope this helps.
If you have any questions at all, please let me know in the "comments" and I would be happy to help you. Comment is the fastest way of notifying the experts.
Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you. This can be beneficial to other community members for remediation for similar issues.
KarishmaTiwari-MSFT Hi - Thanks for the sharing the information. It helps me a lot. The links that you shared actually re-directing to my Q&A page and not to the actual documentaion. However I was able to navigate the documentation and I have one follow-up question. I do not see much information about Key rotation part https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault?tabs=azure-portal#azure-disk-encryption-and-auto-rotation as it just says it is not supported.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
@Dinesh Kumar Palani Thanks for sharing the update. Let me check and get back to you.