Hello @Chapter7-2723,
Thanks for your query. You might have forgotten to upload all the images.
Basically, when you use OS + Data disks + Key Vault, it implicitly means that you are using Azure Disk Encryption (guest-VM encryption using BitLocker/DM-Crypt), so you are not actually encrypting the managed disk; that's the reason it still shows as "Default Encryption".
Additional document: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
You might want to go through the article for your queries w.r.t. Azure Storage Encryption: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption
Encryption methods for Azure VM
Azure VM managed disks can be encrypted using two methods:
- Server Side Encryption
- Azure Disk Encryption
Server Side Encryption of Azure VM Managed Disks
Server-side encryption (SSE) is the default offering. All of your Azure VM managed disks are always encrypted by default when they are stored on the underlying storage. This is encryption at rest by Azure itself. You don't need any additional effort to perform server-side encryption of Azure VM managed disks. More importantly, you can't disable it either. Server-side encryption is not optional and is always provided behind the scenes.
Azure Disk Encryption of Azure VM Managed Disks
Azure Disk Encryption (ADE) is optional. This method provides an extra layer of security over SSE. This encryption is performed at the OS level of the VM, and hence there are many conditions where ADE is supported/not supported, whereas SSE is always performed at the backend storage level and has nothing to do with the OS of the VM being encrypted.
So there are no non-supported scenarios for server-side encryption of Azure VM managed disks.
Windows VM ADE is configured using BitLocker.
Linux VM ADE is configured using DM-Crypt.
Difference between Server Side Encryption and Azure Disk Encryption:
Basically, Azure Disk Encryption (ADE) is performed at the VM OS level, whereas server-side encryption (SSE) is performed at the storage level. All managed disks of an Azure VM are backed by Azure page blobs, and this is where SSE is performed. As ADE is performed at the OS level, tools such as BitLocker and DM-Crypt are used.
When you encrypt it yourself, you get your own keys stored in the Key Vault and managed by the customer (i.e. you have the option to rotate the keys, update the keys, etc.). Check out the full workflow w.r.t. CMK and how it works at https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#customer-managed-keys
To create an unmanaged disk, please use Disks (Classic) from the Azure Portal and follow the steps. Unmanaged disks are VHD files that are stored as page blobs in Azure storage accounts.
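As an added example (this is not from the original answer, and the resource group, VM, vault, key and Disk Encryption Set names in it are placeholders), here is how to check both layers from Azure PowerShell, and, if the goal is to get the managed disks away from "Default Encryption", move them to a customer-managed key through a Disk Encryption Set. It assumes the Az module is installed, `Connect-AzAccount` has been run, and the Key Vault already has soft-delete and purge protection enabled with an RSA key in it.

```powershell
# Added example, not code from the original answer. Assumes Az.Compute and
# Az.KeyVault are installed and Connect-AzAccount has been run.
# All names below are placeholders (assumptions), not from the question.
$rg    = 'rg-demo'
$vm    = 'vm-demo'
$vault = 'kv-demo'    # assumed: soft-delete + purge protection enabled
$key   = 'disk-cmk'   # assumed: RSA key already created in the vault
$des   = 'des-demo'   # Disk Encryption Set to create

function Get-VmDiskNames {
    param([string]$ResourceGroup, [string]$VMName)
    $vmObj = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
    @($vmObj.StorageProfile.OsDisk.Name) +
    @($vmObj.StorageProfile.DataDisks | ForEach-Object Name)
}

function Show-DiskEncryptionState {
    param([string]$ResourceGroup, [string]$VMName)

    # 1) Storage-level (SSE) state of each managed disk. The portal's
    #    "Default Encryption" is EncryptionAtRestWithPlatformKey here.
    foreach ($name in (Get-VmDiskNames $ResourceGroup $VMName)) {
        $disk = Get-AzDisk -ResourceGroupName $ResourceGroup -DiskName $name
        [pscustomobject]@{
            Disk              = $name
            SseType           = $disk.Encryption.Type
            DiskEncryptionSet = $disk.Encryption.DiskEncryptionSetId
        }
    }

    # 2) Guest-level (ADE) state. Enabling "OS + Data + Key Vault" sets these,
    #    but does not change the SSE type reported above.
    $ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VMName
    [pscustomobject]@{
        AdeOsVolume    = $ade.OsVolumeEncrypted
        AdeDataVolumes = $ade.DataVolumesEncrypted
        AdeKeyVault    = $ade.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.Id
    }
}

function Enable-DiskCustomerManagedKey {
    param([string]$ResourceGroup, [string]$VMName,
          [string]$VaultName, [string]$KeyName, [string]$DesName)

    $kv = Get-AzKeyVault -VaultName $VaultName
    $k  = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName

    # The Disk Encryption Set is the resource that gives the storage platform
    # a managed identity it can use to wrap/unwrap disk keys with your key.
    $cfg = New-AzDiskEncryptionSetConfig -Location $kv.Location `
             -SourceVaultId $kv.ResourceId -KeyUrl $k.Key.Kid -IdentityType SystemAssigned
    $desObj = New-AzDiskEncryptionSet -ResourceGroupName $ResourceGroup -Name $DesName -InputObject $cfg

    # Least privilege: the DES identity only needs wrap/unwrap/get on keys.
    # (Access-policy vaults only; an RBAC vault needs a role assignment instead.)
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $desObj.Identity.PrincipalId `
        -PermissionsToKeys wrapkey, unwrapkey, get

    # The encryption type of an attached disk can only be changed while the
    # VM is deallocated, so stop it first and start it again afterwards.
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VMName -Force
    foreach ($name in (Get-VmDiskNames $ResourceGroup $VMName)) {
        New-AzDiskUpdateConfig -EncryptionType 'EncryptionAtRestWithCustomerKey' `
            -DiskEncryptionSetId $desObj.Id |
          Update-AzDisk -ResourceGroupName $ResourceGroup -DiskName $name
    }
    Start-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
}

Show-DiskEncryptionState -ResourceGroup $rg -VMName $vm
Enable-DiskCustomerManagedKey -ResourceGroup $rg -VMName $vm -VaultName $vault -KeyName $key -DesName $des
Show-DiskEncryptionState -ResourceGroup $rg -VMName $vm
```

Run `Show-DiskEncryptionState` first: on a VM where ADE was enabled through the portal you will see `AdeOsVolume = Encrypted` alongside `SseType = EncryptionAtRestWithPlatformKey`, which is exactly the "Default Encryption" display the question asks about. After `Enable-DiskCustomerManagedKey` the second listing shows `EncryptionAtRestWithCustomerKey` and the Disk Encryption Set ID on each disk; the ADE state is untouched, because the two layers are independent.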