scope of Encryption at host with platform managed keys . Copy disk across tenants

Venglatur, Viswanath 1 Reputation point

Hello Everyone,
Would like to understand the scope of platform managed keys. I have enabled encryption at host with platform managed keys. Can i now take a snapshot of the disk and move it to a different tenant / subscription . Would i be able to attach these disks to a different host elsewhere and decrypt them. If so what is the security perimeter of platform managed keys and what is it actually protecting . Can i even snapshot the disks and use them maybe in a different azure account / organization .

Would the same apply to the VM itself as we have enabled encryption at host with PMK . Can we copy the image and reuse it else where outside the tenant and organization.


Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
159 questions
Azure Disk Storage
Azure Disk Storage
A high-performance, durable block storage designed to be used with Azure Virtual Machines and Azure VMware Solution.
570 questions
{count} votes

2 answers

Sort by: Most helpful
  1. SaiKishor-MSFT 17,176 Reputation points

    @Venglatur, Viswanath Thanks for reaching out to Microsoft Q&A. I understand that you have questions related to encryption at host and PMK.

    Yes, you can attach it to a different VM. Encryption at host happens at the VM host level. So, when the disk is attached to a new VM, then encryption will be done at that host.

    Regarding PMKs, it acts as the KEK(Key Encryption Key) for the DEK(Data Encryption Key), which is the account encryption key in the storage case. This document has information on how encryption at rest works -

    Please let me know if you have any more questions and I will be glad to assist further. Thank you!


    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

    0 comments No comments

  2. Venglatur, Viswanath 1 Reputation point

    Hi Sai,
    It still does not answer my question regarding the boundaries of PMK . Example in AWS if an AWS managed key is used to encrypt disk usually we are not able to copy that disk over to a different account and use it on a different host in that new account, so the boundary is an account within AWS. Similarly within Azure what is the boundary for PMK. It should not be a case anyone in any organization under any tenant should be able to just copy the disk and use , in which case what is the purpose of encryption ?

    I hope i was able to clarify the question better. let me know.

    Viswanath Sekar