
Azure Local CSV

Handian Sudianto 7,116 Reputation points
2026-04-22T02:49:53.75+00:00

When we build Azure Local there is a process to encrypt the CSV volumes. Does this mean that if somebody copies the VHD to the outside, for example to a personal device, then the VHD can be opened, or is it still protected?


Azure Local

2 answers

  1. Jilakara Hemalatha 13,340 Reputation points Microsoft External Staff Moderator
    2026-04-22T05:42:06.01+00:00

    Hi Handian,

    Thank you for your question. This is a good point to clarify regarding Azure Local security.

    Azure Local uses BitLocker Drive Encryption to encrypt data volumes, including Cluster Shared Volumes (CSV), which ensures that data is protected at rest. However, this encryption applies to the underlying host storage and does not automatically encrypt the contents inside individual VHD or VHDX files. This means that if a VHD or VHDX file is copied outside the cluster, for example to a personal device, it can be mounted and accessed if the data inside the virtual disk is not separately encrypted (for example, using BitLocker within the virtual machine).

    From a security standpoint, protection depends on maintaining the encrypted state of the volume as well as ensuring that the data inside the virtual disks is appropriately protected. Microsoft recommends storing recovery keys in a secure external location such as Azure Key Vault. If guest-level encryption is enabled and the keys are securely managed, the copied VHD will remain protected even outside the cluster. However, if the data inside the VHD is not encrypted or the recovery key is compromised, then the data could potentially be accessed.

    References:

    - Manage BitLocker encryption on Azure Local
    - Use BitLocker with Cluster Shared Volumes (CSV)
    - Security features for Azure Local
    - https://learn.microsoft.com/en-us/azure/key-vault/general/overview

    Hope this helps! If it was helpful, could you please accept the answer and upvote it? Please let me know if you have any queries in the comments.



  2. Q&A Assist
    2026-04-22T02:50:13.0666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Encrypting Cluster Shared Volumes (CSVs) with BitLocker on Azure Local protects the underlying disks, including the VHD/VHDX files stored on them.

    If someone copies a VHD/VHDX file off an encrypted CSV to a personal device, the protection depends on how it is copied:

    1. If the VHD is copied while the CSV is online and unlocked (normal cluster operation), the copied VHD file itself is no longer on a BitLocker‑protected volume. It can be attached and opened on another system like any normal VHD, subject only to whatever protection exists inside the guest OS (for example, if the VM uses its own BitLocker/TDE, that inner encryption still applies).
    2. BitLocker protection applies to the CSV volume, not to individual VHD files as portable encrypted containers. Once data is read from the encrypted volume and written elsewhere, the new copy is not protected by that CSV’s BitLocker.

    To keep VM data protected when VHDs are copied off the cluster, an additional encryption layer is required inside the VM (for example, BitLocker in the guest OS or database‑level encryption), or the destination storage must also be encrypted.


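Both answers make the same practical point: host-side BitLocker on the CSV protects the physical disks, but a VHDX copied off an unlocked volume carries no protection of its own unless the guest encrypted its volumes. The following PowerShell helper is an added example (not code from either answer or from Microsoft's documentation) that lets an administrator audit that distinction: it mounts a copied VHDX read-only and reports, per volume, whether BitLocker protection exists inside the image, and separately queries the CSV itself on the host. It assumes an elevated session on a Windows host with the Hyper-V and BitLocker PowerShell modules; the VHDX path and the CSV mount point `C:\ClusterStorage\Volume1` are placeholders.

```powershell
# Added audit helper; not part of the Q&A answers above.
# Assumes: elevated PowerShell, Hyper-V and BitLocker modules installed.
# Mounts a VHDX read-only and reports whether each lettered volume inside it
# is BitLocker-protected (the "inner encryption" the answers refer to).
function Test-VhdxGuestEncryption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path   # placeholder: path to a copied .vhdx
    )

    $results = @()
    # -ReadOnly avoids altering the image; -Passthru returns the VHD object.
    $vhd = Mount-VHD -Path $Path -ReadOnly -Passthru
    try {
        $disk = $vhd | Get-Disk
        # Mount-VHD assigns drive letters to partitions that carried one in the image;
        # system/recovery partitions without a letter are skipped here.
        $partitions = Get-Partition -DiskNumber $disk.Number | Where-Object { $_.DriveLetter }
        foreach ($p in $partitions) {
            $mountPoint = "$($p.DriveLetter):"
            # Returns a BitLockerVolume object for any NTFS volume; VolumeStatus is
            # FullyDecrypted when BitLocker was never enabled inside the guest.
            $bde = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
            $results += [pscustomobject]@{
                Vhdx         = $Path
                MountPoint   = $mountPoint
                SizeGB       = [math]::Round($p.Size / 1GB, 1)
                VolumeStatus = if ($bde) { $bde.VolumeStatus } else { 'NotBitLocker' }
                LockStatus   = if ($bde) { $bde.LockStatus } else { 'n/a' }
                # True means a copy of this VHDX exposes the volume's contents.
                Exposed      = (-not $bde) -or ($bde.VolumeStatus -eq 'FullyDecrypted')
            }
        }
    }
    finally {
        # Always detach, even if a query above failed.
        Dismount-VHD -Path $Path
    }
    return $results
}

# Usage: audit a VHDX that was copied off the cluster.
Test-VhdxGuestEncryption -Path 'D:\exported\vm01.vhdx' | Format-Table -AutoSize

# Host side, for comparison: confirm the CSV itself is BitLocker-protected.
# This protects the physical disks at rest, not copies made while the CSV is unlocked.
# The mount point below is a placeholder for your cluster's CSV path.
Get-BitLockerVolume -MountPoint 'C:\ClusterStorage\Volume1' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

A row with `Exposed` set to `True` identifies a guest volume that would be readable on any machine the VHDX is copied to, regardless of the CSV's own BitLocker state. A guest volume that was encrypted inside the VM shows `VolumeStatus` of `FullyEncrypted` and `LockStatus` of `Locked` when mounted outside the VM, which is the protected outcome both answers describe.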
