An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
SSE with PMK means the managed disk is using Server-Side Encryption with platform‑managed keys.
How the encryption works:
- Azure always encrypts data on managed disks at rest using Server-Side Encryption (SSE).
- Data written to the disk is encrypted transparently by Azure Storage using 256‑bit AES encryption that is FIPS 140‑2 compliant.
- With platform‑managed keys (PMK), Azure generates, stores, and rotates the encryption keys for you. No extra configuration or cost is required.
- Encryption is applied at the storage layer, when data is persisted to the storage clusters; the platform transparently decrypts on reads and encrypts on writes from the VM, so application behavior and disk performance are unchanged.
Impact on moving or accessing data:
- Encryption does not prevent copying or moving data out of the VM or disk. Applications and users that have access to the VM can still read the data (it is transparently decrypted) and move it elsewhere (for example, to another disk, storage account, or outside Azure).
- The purpose of SSE with PMK is to protect data at rest in Azure’s storage infrastructure, not to restrict data export.
If customer‑managed keys (CMK) are used instead of PMK, access to the disk data can be controlled indirectly by enabling/disabling the key or revoking access to it; this is not possible with SSE with PMK.
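To turn the PMK/CMK distinction above into a check a practitioner can run, the following added example (not from the original page) classifies the `encryption` block of managed disks as the Azure CLI (`az disk show` / `az disk list`) reports it and flags disks that rely on platform-managed keys only, where access cannot be revoked by disabling a key. It assumes the field names `encryption.type` and `encryption.diskEncryptionSetId` and the Azure Resource Manager encryption type values shown; the disk records are constructed sample data.

```python
"""Audit managed-disk encryption settings for PMK-only disks.

Added example, not from the original page. Assumes the `encryption`
block shape returned by `az disk show` / `az disk list`.
"""
import json

# Azure Resource Manager values for the disk `encryption.type` field.
PMK = "EncryptionAtRestWithPlatformKey"
CMK = "EncryptionAtRestWithCustomerKey"
DOUBLE = "EncryptionAtRestWithPlatformAndCustomerKeys"


def classify_disk(disk: dict) -> dict:
    """Return the key model of one disk and whether key revocation is possible."""
    enc = disk.get("encryption") or {}
    # SSE is always on for managed disks; PMK is the default when no type is set.
    enc_type = enc.get("type", PMK)
    des_id = enc.get("diskEncryptionSetId")
    uses_cmk = enc_type in (CMK, DOUBLE)
    return {
        "name": disk.get("name", "<unnamed>"),
        "type": enc_type,
        # With CMK (alone or layered on PMK) the Key Vault key can be disabled
        # or access to it revoked, which makes the disk data unreadable.
        "revocable": uses_cmk,
        # A CMK type always comes with a disk encryption set; a mismatch is
        # worth a closer look in a compliance review.
        "consistent": uses_cmk == (des_id is not None),
    }


def pmk_only_disks(disks: list) -> list:
    """Names of disks protected by platform-managed keys only (no revocation)."""
    return [c["name"] for c in map(classify_disk, disks) if not c["revocable"]]


# Constructed sample, shaped like trimmed `az disk list -o json` output.
SAMPLE_DISKS = json.loads("""[
  {"name": "web01-osdisk",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "db01-datadisk",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/des1"}},
  {"name": "legacy-disk"}
]""")

if __name__ == "__main__":
    for d in SAMPLE_DISKS:
        print(classify_disk(d))
    print("PMK-only:", pmk_only_disks(SAMPLE_DISKS))
```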