![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 95%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,593 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Note: Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.
- Our keys will be expiring soon. Will there be any impact, such as downtime for the resources when switching over to the new keys?
- If there is proper access to the key for DES (Disk Encryption Set) to encrypt and decrypt the disk there will not any problem with downtime. Make sure there is proper access to the key vault and that key is enabled and not expired.
- The same goes for the storage account.
- Say that a key is not updated/renewed intime and the key expires, what will be the impact of this to the resource(s) (Ex: VM and Storage)?
- For virtual machines: If the key is not updated or renewed intime and the key expires, the VM will not be bootable and all the VMs associated with the DES and the key will stop working:
https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#full-control-of-your-keys
"When a key is either disabled, deleted, or expired, any VMs with either OS or data disks using that key will automatically shut down. After the automated shut down, VMs won't boot until the key is enabled again, or you assign a new key." - For storage accounts: After the key has been disabled, clients can't call operations that read from or write to a resource or its metadata. Attempts to call these operations will fail with error code 403 (Forbidden) for all users. To call these operations again, restore access to the managed key. All data operations that aren't listed in the following sections may proceed after customer-managed keys are revoked or after a key is disabled or deleted. Please review the list of calls that are revoked:
https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#revoke-access-to-a-storage-account-that-uses-customer-managed-key
- For virtual machines: If the key is not updated or renewed intime and the key expires, the VM will not be bootable and all the VMs associated with the DES and the key will stop working:
- Will the storage account automatically pick up the newly created key?
- Yes. To automatically update a managed key when a new version is available, omit the key version when you enable encryption with managed keys for the storage account. If the key version is omitted, then Azure Storage checks the key vault or managed HSM daily for a new version of a managed key. If a new key version is available, then Azure Storage automatically uses the latest version of the key.
- Azure Storage checks the key vault for a new key version only once daily. When you rotate a key, be sure to wait 24 hours before disabling the older version.
- If the storage account was previously configured for manual updating of the key version and you want to change it to update automatically, you might need to explicitly change the key version to an empty string. For details on how to do this, see Configure encryption for automatic updating of key versions and Automatically update the key version.
- If RSA size changed for new key, would this effect anything on the resource (Ex: VM/Storage) when the new key is added to resource?
- Only software and HSM RSA keys of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
- HSM keys require the premium tier of Azure Key Vault. If you want to change to supported sizes yes, you can change it by creating a new key with required size.
- Once a new key has been assigned to a resource, how can we validate that resource has the new/updated key?
- You can verify the key is changed/updated by going to the Disk Encryption Set (DES) of the correlated VM disk and verify that it is updated to new key and shows the new key in key in the properties from the Portal or PowerShell.
- This is the same for the storage account as well. Go to the Storage Account in the Azure Portal under "Access Keys":
https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-powershell#view-account-access-keys
Additional reading: