Enable double encryption at rest for managed disks

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️

Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, and other managed disk encryption types, see the Double encryption at rest section of our disk encryption article.

Restrictions

Double encryption at rest isn't currently supported with either Ultra Disks or Premium SSD v2 disks.

Prerequisites

If you're going to use Azure CLI, install the latest Azure CLI and sign in to an Azure account with az login.

If you're going to use the Azure PowerShell module, install the latest Azure PowerShell version, and sign in to an Azure account using Connect-AzAccount.

Getting started

  1. Sign in to the Azure portal.

  2. Search for and select Disk Encryption Sets.

    Screenshot of the main Azure portal, disk encryption sets is highlighted in the search bar.

  3. Select + Create.

  4. Select one of the supported regions.

  5. For Encryption type, select Double encryption with platform-managed and customer-managed keys.

    Note

    Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.

  6. Fill in the remaining info.

    Screenshot of the disk encryption set creation blade, regions and double encryption with platform-managed and customer-managed keys are highlighted.

  7. Select an Azure Key Vault and key, or create a new one if necessary.

    Note

    If you create a Key Vault instance, you must enable soft delete and purge protection. These settings are mandatory when using a Key Vault for encrypting managed disks, and protect you from losing data due to accidental deletion.

    Screenshot of the Key Vault creation blade.

  8. Select Create.

  9. Navigate to the disk encryption set you created, and select the error that is displayed. This will configure your disk encryption set to work.

    Screenshot of the disk encryption set displayed error, the error text is: To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault.

    A notification should pop up and succeed. Doing this will allow you to use the disk encryption set with your key vault.

    Screenshot of successful permission and role assignment for your key vault.

  10. Navigate to your disk.

  11. Select Encryption.

  12. For Key management, select one of the keys under Platform-managed and customer-managed keys.

  13. select Save.

    Screenshot of the encryption blade for your managed disk, the aforementioned encryption type is highlighted.

You have now enabled double encryption at rest on your managed disk.

Next steps