Evidence for Lasv3 Virtual Machine NVMe disk encryption

Andrew 25 Reputation points
2025-03-27T22:17:02.89+00:00

I am reading the documentation for LSv3 and Lasv3 Virtual Machine types and it says

"NVMe Disk encryption Lasv3 VMs created or allocated on or after 1/1/2023 have their local NVMe drives encrypted by default using hardware-based encryption with a Platform-managed key, except for the regions listed below."

My VM was created in 2025 so the NVMe disk should be covered by the hardware-based encryption, but I can't find any place in the Azure portal that confirms encryption of the NVMe disk.

If I need to provide evidence that my disk is encrypted to an external auditor who is nontechnical, what evidence can I provide?


Accepted answer
  1. Mounika Reddy Anumandla 4,305 Reputation points Microsoft External Staff
    2025-04-03T09:09:03.52+00:00

    Hi @Andrew ,

    AFAIK, NVMe disks in Lasv3 VMs are ephemeral and use hardware encryption with a Platform-Managed Key (PMK). Azure does not expose PMK encryption status in the UI or through PowerShell/CLI. Unlike managed OS and data disks (which show encryption status under "Disk Encryption"), NVMe local disks do not appear in the portal.

    Temp NVMe disks support the feature of data encryption at rest. A unique data encryption key (DEK) encrypts the data for each temp NVMe disk assigned to the VM. A key encryption key (KEK) helps protect the DEK. When you delete a VM, the data on its temp NVMe disk is cryptographically erased. All the v6 VMs introduced from 2024 onward have their local NVMe drives encrypted by default using hardware-based encryption with a Platform-Managed Key.

    How can I identify my temp NVMe disk?
    Run: Get-PhysicalDisk | where { $_.FriendlyName.contains("NVMe Direct Disk")}

    Platform-managed keys (PMKs) are encryption keys generated, stored, and managed entirely by Azure. Customers do not interact with PMKs. The keys used for Azure Data Encryption-at-Rest, for instance, are PMKs by default.

    I will try to communicate your concern with the product team!

    Hope this helps!

    Let me know if you have any further queries!
    If the information is helpful, please click "Accept Answer" and "Upvote it."

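Since the platform does not expose the PMK status of the local NVMe disks, one way to assemble an auditor-readable record is to combine the VM's identity from the Instance Metadata Service (IMDS) with the NVMe Direct Disk inventory from Get-PhysicalDisk. This is an added example, not code from the thread or from Microsoft; it assumes it runs inside the Windows VM, the size-name regex for LSv3/Lasv3 and the output path are assumptions, and the creation date in the documentation's condition is not available from IMDS and must be taken from the Azure-side VM record.

```powershell
# Added example (not from the original thread): build an evidence record for an auditor
# showing VM size, region and the local NVMe Direct Disks present in an LSv3/Lasv3 VM.
# Assumes execution inside the Azure VM with access to IMDS (169.254.169.254).
$imdsUri = 'http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01'
$compute = Invoke-RestMethod -Uri $imdsUri -Headers @{ Metadata = 'true' } -Method Get

# LSv3 / Lasv3 sizes are named like Standard_L8s_v3 / Standard_L8as_v3.
# The pattern is an assumption based on that naming; confirm against your VM's size.
$isLv3Family = $compute.vmSize -match '^Standard_L\d+a?s_v3$'

# Local temp NVMe disks surface as "NVMe Direct Disk" (as noted in the accepted answer).
$nvme = Get-PhysicalDisk |
    Where-Object { $_.FriendlyName -like '*NVMe Direct Disk*' } |
    Select-Object FriendlyName, SerialNumber, BusType, MediaType,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }

# The documentation statement the record relies on; the per-disk PMK status itself is
# not exposed by portal, CLI or PowerShell, so that is recorded explicitly.
$evidence = [ordered]@{
    CollectedUtc               = (Get-Date).ToUniversalTime().ToString('o')
    VmName                     = $compute.name
    VmId                       = $compute.vmId
    ResourceGroup              = $compute.resourceGroupName
    VmSize                     = $compute.vmSize
    IsLsv3OrLasv3              = $isLv3Family
    Region                     = $compute.location
    PmkStatusExposedByPlatform = $false
    DocumentationClaim         = 'Lasv3 VMs created on/after 1/1/2023 have local NVMe drives ' +
                                 'encrypted by default (hardware-based, Platform-managed key), ' +
                                 'except for the regions listed in the documentation.'
    NvmeDirectDiskCount        = @($nvme).Count
    NvmeDirectDisks            = @($nvme)
}

# Emit JSON to the console and to a file (path is a constructed placeholder).
$evidence | ConvertTo-Json -Depth 4 | Tee-Object -FilePath "$env:TEMP\nvme-evidence.json"
```

Check the Region value against the documentation's excluded-region list and attach the VM creation date from the Azure-side record before handing the file to the auditor.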

1 additional answer

  1. Andreas Baumgarten 120.5K Reputation points MVP
    2025-03-28T01:09:38.2866667+00:00

    Hi @Andrew ,

    please try this PowerShell cmd, which is part of the Az PowerShell module, to check the encryption status of the disk:

    Get-AzVmDiskEncryptionStatus -ResourceGroupName "<name of resource group>" -VMName "<name of vm>"

    For additional details please take a look here: Get-AzVMDiskEncryptionStatus


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten
