Enable double encryption at rest for managed disks

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️

Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, and other managed disk encryption types, see the Double encryption at rest section of our disk encryption article.

Restrictions

Double encryption at rest isn't currently supported with either Ultra Disks or Premium SSD v2 disks.

Prerequisites

If you're going to use Azure CLI, install the latest Azure CLI and sign in to an Azure account with az login.

If you're going to use the Azure PowerShell module, install the latest Azure PowerShell version, and sign in to an Azure account using Connect-AzAccount.

Getting started

Azure portal

1. Sign in to the Azure portal.

2. Search for and select Disk Encryption Sets.

   

3. Select + Create.

4. Select one of the supported regions.

5. For Encryption type, select Double encryption with platform-managed and customer-managed keys.

   Note

   Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.

6. Fill in the remaining info.

   

7. Select an Azure Key Vault and key, or create a new one if necessary.

   Note

   If you create a Key Vault instance, you must enable soft delete and purge protection. These settings are mandatory when using a Key Vault for encrypting managed disks, and protect you from losing data due to accidental deletion.

   

8. Select Create.

9. Navigate to the disk encryption set you created, and select the error that is displayed. This will configure your disk encryption set to work.

   

   A notification should pop up and succeed. Doing this will allow you to use the disk encryption set with your key vault.

   

10. Navigate to your disk.

11. Select Encryption.

12. For Key management, select one of the keys under Platform-managed and customer-managed keys.

13. select Save.

    

You have now enabled double encryption at rest on your managed disk.

Azure CLI

1. Create an instance of Azure Key Vault and encryption key.

   When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 day default). Purge protection ensures that a deleted key can't be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.

   subscriptionId=yourSubscriptionID
   rgName=yourResourceGroupName
   location=westcentralus
   keyVaultName=yourKeyVaultName
   keyName=yourKeyName
   diskEncryptionSetName=yourDiskEncryptionSetName
   diskName=yourDiskName
   
   az account set --subscription $subscriptionId
   
   az keyvault create -n $keyVaultName -g $rgName -l $location --enable-purge-protection true --enable-soft-delete true
   
   az keyvault key create --vault-name $keyVaultName -n $keyName --protection software
   

2. Get the key URL of the key you created with az keyvault key show.

   az keyvault key show --name $keyName --vault-name $keyVaultName
   

3. Create a DiskEncryptionSet with encryptionType set as EncryptionAtRestWithPlatformAndCustomerKeys. Replace yourKeyURL with the URL you received from az keyvault key show.

   az disk-encryption-set create --resource-group $rgName --name $diskEncryptionSetName --key-url yourKeyURL --source-vault $keyVaultName --encryption-type EncryptionAtRestWithPlatformAndCustomerKeys
   

4. Grant the DiskEncryptionSet resource access to the key vault.

Note

It may take few minutes for Azure to create the identity of your DiskEncryptionSet in your Microsoft Entra ID. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again.

desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv)

az keyvault set-policy -n $keyVaultName -g $rgName --object-id $desIdentity --key-permissions wrapkey unwrapkey get

Azure PowerShell

1. Create an instance of Azure Key Vault and encryption key.

   When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 day default). Purge protection ensures that a deleted key can't be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.

   $ResourceGroupName="yourResourceGroupName"
   $LocationName="westus2"
   $keyVaultName="yourKeyVaultName"
   $keyName="yourKeyName"
   $keyDestination="Software"
   $diskEncryptionSetName="yourDiskEncryptionSetName"
   
   $keyVault = New-AzKeyVault -Name $keyVaultName -ResourceGroupName $ResourceGroupName -Location $LocationName -EnableSoftDelete -EnablePurgeProtection
   
   $key = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName -Destination $keyDestination  
   

2. Retrieve the URL for the key you created, you'll need it for subsequent commands. The ID output from Get-AzKeyVaultKey is the key URL.

   Get-AzKeyVaultKey -VaultName $keyVaultName -KeyName $keyName
   

3. Get the resource ID for the Key Vault instance you created, you'll need it for subsequent commands.

   Get-AzKeyVault -VaultName $keyVaultName
   

4. Create a DiskEncryptionSet with encryptionType set as EncryptionAtRestWithPlatformAndCustomerKeys. Replace yourKeyURL and yourKeyVaultURL with the URLs you retrieved earlier.

   $config = New-AzDiskEncryptionSetConfig -Location $locationName -KeyUrl "yourKeyURL" -SourceVaultId 'yourKeyVaultURL' -IdentityType 'SystemAssigned'
   
   $config | New-AzDiskEncryptionSet -ResourceGroupName $ResourceGroupName -Name $diskEncryptionSetName -EncryptionType EncryptionAtRestWithPlatformAndCustomerKeys
   

5. Grant the DiskEncryptionSet resource access to the key vault.

   Note

   It may take few minutes for Azure to create the identity of your DiskEncryptionSet in your Microsoft Entra ID. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again.

   $des=Get-AzDiskEncryptionSet -name $diskEncryptionSetName -ResourceGroupName $ResourceGroupName
   Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $des.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
   

Next steps

• Azure PowerShell - Enable customer-managed keys with server-side encryption - managed disks
• Azure Resource Manager template samples
• Enable customer-managed keys with server-side encryption - Examples