Managed and unmanaged disk encryption

HASSAN BIN NASIR DAR 306 Reputation points


I have some questions.

I created Key vault and then I did encrypt OS+Data Disk. Now my question is if I will not encrypt it myself then by default it will be encrypted too. see image 4.

What is the difference between default encryption and encryption myself?

2- Second question is.

When I did encryption myself but it is still showing default encryption. see image 3

3- Third question is.

How can I create unmanged disk under disk resource. I can create only managed disk with encryption. I want to create unmanged disk without encryption. see image 4


Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
166 questions
Azure Disk Storage
Azure Disk Storage
A high-performance, durable block storage designed to be used with Azure Virtual Machines and Azure VMware Solution.
600 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. shiva patpi 13,171 Reputation points Microsoft Employee

    Thanks for your query. You might have forgot to upload all the images.
    Basically when you use OS + Data disks + Key Vault- it implicitly means that you are using Azure Disk Encryption (guest-VM encryption using bitlocker/VM-Decrypt) , so you are not actually encrypting the Managed disk , that's the reason it still shows as "Default Encryption"

    Additional document:-

    You might want to go through the article for your queries w.r.t Azure Storage Encryption :

    Encryption methods for Azure VM
    Azure VM managed disks can be encrypted using two methods –

    1. Server Side Encryption
    2. Azure Disk Encryption

    Server Side Encryption of Azure VM Managed Disks
    Server side encryption (SSE) is default offering. All of your Azure VMs managed disks are always encrypted by default when they are stored on underlying storage. This is encryption at rest by the Azure itself. You don’t need any additional efforts to perform Server Side Encryption of Azure VM Managed disk. More importantly you can't disable it as well. Server side encryption is not optional, and always provided behind the scene.

    Azure Disk Encryption of Azure VM Managed Disks
    Azure Disk Encryption (ADE) is optional. This method provides an extra layer of security over SSE. This encryption is performed at OS level of VM and hence there are many conditions where ADE is supported/ not supported. Where as SSE is always performed at backend storage level and has nothing to do with OS of VM being encrypted.

    So there are no non-supported scenarios for Server Side Encryption of Azure VM Managed Disks.

    Windows VM ADE is configured using BitLocker.
    Linux VM ADE is configured using DMCrypt.

    Difference between Server Side Encryption and Azure Disk Encryption:

    Basically Azure Disk Encryption (ADE) is performed at VM OS level whereas Server Side Encryption (SSE ) is performed at the storage level. All Managed disks of Azure VM are backed by Azure page blobs and this is where SSE is performed. As ADE is performed at OS level, tools such as BitLocker and DMCrypt were used.


    When you encrypt your self i.e. you will get your own keys stored in the Key Vault and managed by customer (i.e. you will have an option to rotate the keys, update the keys etc.) . Check out the full work flow w.r.t CMK and how it works at

    To create unmanaged disk , please use Disks (Classic) from Azure Portal and follow the steps . Unmanaged disks are VHD files that are stored as page blobs in Azure storage accounts


    0 comments No comments