Use the Azure portal to enable double encryption at rest for managed disks
Applies to: ✔️ Linux VMs ✔️ Windows VMs
Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, and other managed disk encryption types, see the Double encryption at rest section of our disk encryption article.
Double encryption at rest isn't currently supported with either Ultra Disks or Premium SSD v2 disks.
1. Sign in to the Azure portal.
2. Search for and select Disk Encryption Sets.
3. Select + Create.
4. Select one of the supported regions.
5. For Encryption type, select Double encryption with platform-managed and customer-managed keys.
   Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.
6. Fill in the remaining info.
7. Select an Azure Key Vault and key, or create a new one if necessary.
   If you create a Key Vault instance, you must enable soft delete and purge protection. These settings are mandatory when using a Key Vault for encrypting managed disks, and protect you from losing data due to accidental deletion.
8. Navigate to the disk encryption set you created, and select the error that is displayed. Selecting it grants the disk encryption set's managed identity the key permissions it needs on your key vault, which configures the set to work.
9. A notification appears and should report success. The disk encryption set can now be used with your key vault.
10. Navigate to your disk.
11. For Key management, select one of the keys under Platform-managed and customer-managed keys.
You have now enabled double encryption at rest on your managed disk.
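The same procedure scripted with the Azure CLI, as an added example that is not code from the Microsoft Learn page: the resource names, region and disk size are assumed placeholders, the vault is created with the RBAC permission model (so the key access the portal grants when you "select the error" becomes a role assignment), and the two check functions run offline over `az ... show -o json` output so the result can be verified, or existing resources audited, without the portal.

```shell
# Added example (not from the Microsoft Learn page): the portal steps above as Azure CLI.
# Resource names, region and disk size are assumed placeholders.
set -euo pipefail
RG=des-demo-rg; LOCATION=westus2; KV_NAME=kv-des-demo-0001   # vault name must be globally unique
KEY_NAME=des-key; DES_NAME=des-double; DISK_NAME=data-disk-01
ENC_TYPE=EncryptionAtRestWithPlatformAndCustomerKeys          # "double encryption" in the portal

# Key Vault with purge protection (soft delete is always on for new vaults), plus a key.
create_vault_and_key() {
  az keyvault create -g "$RG" -n "$KV_NAME" -l "$LOCATION" \
    --enable-purge-protection true --enable-rbac-authorization true -o none
  az keyvault key create --vault-name "$KV_NAME" -n "$KEY_NAME" --protection software -o none
}

# Disk encryption set with the double-encryption type (fixed for the set's lifetime), then
# key access for its system-assigned identity: the step the portal's "select the error" performs.
create_des() {
  local vault_id key_url principal
  vault_id=$(az keyvault show -g "$RG" -n "$KV_NAME" --query id -o tsv)
  key_url=$(az keyvault key show --vault-name "$KV_NAME" -n "$KEY_NAME" --query key.kid -o tsv)
  az disk-encryption-set create -g "$RG" -n "$DES_NAME" -l "$LOCATION" \
    --source-vault "$vault_id" --key-url "$key_url" --encryption-type "$ENC_TYPE" -o none
  principal=$(az disk-encryption-set show -g "$RG" -n "$DES_NAME" --query identity.principalId -o tsv)
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$vault_id" -o none
}

# Disk encrypted with the set (equivalent of the portal's Key management choice).
create_disk() {
  local des_id
  des_id=$(az disk-encryption-set show -g "$RG" -n "$DES_NAME" --query id -o tsv)
  az disk create -g "$RG" -n "$DISK_NAME" --size-gb 64 \
    --encryption-type "$ENC_TYPE" --disk-encryption-set "$des_id" -o none
}

# Offline checks over `az ... show -o json` output: verify the result, or audit existing resources.
vault_is_protected() {        # $1 = JSON from `az keyvault show`
  printf '%s' "$1" | grep -Eq '"enableSoftDelete": *true' &&
    printf '%s' "$1" | grep -Eq '"enablePurgeProtection": *true'
}
disk_is_double_encrypted() {  # $1 = JSON from `az disk show`
  printf '%s' "$1" | grep -Eq '"type": *"EncryptionAtRestWithPlatformAndCustomerKeys"' &&
    printf '%s' "$1" | grep -Eq '"diskEncryptionSetId": *"/subscriptions/'
}

if [ "${RUN_AZURE:-0}" = 1 ]; then   # talks to Azure only when explicitly requested
  create_vault_and_key; create_des; create_disk
  vault_is_protected "$(az keyvault show -g "$RG" -n "$KV_NAME" -o json)" || { echo 'vault lacks protection' >&2; exit 1; }
  disk_is_double_encrypted "$(az disk show -g "$RG" -n "$DISK_NAME" -o json)" || { echo 'disk not double encrypted' >&2; exit 1; }
fi
```

Run it after `az login` with `RUN_AZURE=1 bash script.sh`; without that variable the script only defines the functions, so the check functions can be sourced and pointed at saved `az ... show` output.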