Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks

Azure Disk Storage allows you to manage your own keys when using server-side encryption (SSE) for managed disks, if you choose. For conceptual information on SSE with customer managed keys, as well as other managed disk encryption types, see the Customer-managed keys section of our disk encryption article:

Restrictions

For now, customer-managed keys have the following restrictions:

  • If this feature is enabled for your disk, you cannot disable it. If you need to work around this, you must copy all the data to an entirely different managed disk that isn't using customer-managed keys:

  • Only software and HSM RSA keys of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
    • HSM keys require the premium tier of Azure Key vaults.
  • Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys and must be in the same subscription.
  • Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
  • All resources related to your customer-managed keys (Azure Key Vaults, disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
  • Disks, snapshots, and images encrypted with customer-managed keys cannot move to another resource group and subscription.
  • Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
  • Can only create up to 1000 disk encryption sets per region per subscription.
  • For information about using customer-managed keys with shared image galleries, see Preview: Use customer-managed keys for encrypting images.

The following sections cover how to enable and use customer-managed keys for managed disks:

Setting up customer-managed keys for your disks will require you to create resources in a particular order, if you're doing it for the first time. First, you will need to create and set up an Azure Key Vault.

Set up your Azure Key Vault

  1. Sign into the Azure portal.

  2. Search for and select Key Vaults.

    Screenshot of the Azure portal with the search dialog box expanded.

    Important

    Your Azure key vault, disk encryption set, VM, disks, and snapshots must all be in the same region and subscription for deployment to succeed.

  3. Select +Add to create a new Key Vault.

  4. Create a new resource group.

  5. Enter a key vault name, select a region, and select a pricing tier.

    Note

    When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 day default). Purge protection ensures that a deleted key cannot be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.

  6. Select Review + Create, verify your choices, then select Create.

    Screenshot of the Azure Key Vault creation experience. Showing the particular values you create

  7. Once your key vault finishes deploying, select it.

  8. Select Keys under Settings.

  9. Select Generate/Import.

    Screenshot of the Key Vault resource settings pane. Shows the generate/import button inside settings.

  10. Leave both Key Type set to RSA and RSA Key Size set to 2048.

  11. Fill in the remaining selections as you like and then select Create.

    Screenshot of the create a key blade that appears once generate/import button is selected

Add an Azure RBAC role

Now that you've created the Azure key vault and a key, you must add an Azure RBAC role, so you can use your Azure key vault with your disk encryption set.

  1. Select Access control (IAM) and add a role.
  2. Add either the Key Vault Administrator, Owner, or Contributor roles.

Set up your disk encryption set

  1. Search for Disk Encryption Sets and select it.

  2. On the Disk Encryption Sets blade select +Add.

    Screenshot of the disk encryption portal main screen. Highlighting the Add button

  3. Select your resource group, name your encryption set, and select the same region as your key vault.

  4. For Encryption type, select Encryption at-rest with a customer-managed key.

    Note

    Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.

  5. Select Click to select a key.

  6. Select the key vault and key you created previously, and the version.

  7. Press Select.

  8. Select Review + Create and then Create.

    Screenshot of the disk encryption creation blade. Showing the subscription, resource group, disk encryption set name, region, and key vault + key selector.

Deploy a VM

Now that you've created and set up your key vault and the disk encryption set, you can deploy a VM using the encryption. The VM deployment process is similar to the standard deployment process, the only differences are that you need to deploy the VM in the same region as your other resources and you opt to use a customer managed key.

  1. Search for Virtual Machines and select + Add to create a VM.

  2. On the Basic blade, select the same region as your disk encryption set and Azure Key Vault.

  3. Fill in the other values on the Basic blade as you like.

    Screenshot of the VM creation experience, with the region value highlighted.

  4. On the Disks blade, select Encryption at rest with a customer-managed key.

  5. Select your disk encryption set in the Disk encryption set drop-down.

  6. Make the remaining selections as you like.

    Screenshot of the VM creation experience, the disks blade. With the disk encryption set drop-down highlighted.

Enable on an existing disk

Caution

Enabling disk encryption on any disks attached to a VM will require that you stop the VM.

  1. Navigate to a VM that is in the same region as one of your disk encryption sets.

  2. Open the VM and select Stop.

    Screenshot of the main overlay for your example VM, with the Stop button highlighted.

  3. After the VM has finished stopping, select Disks and then select the disk you want to encrypt.

    Screenshot of your example VM, with the Disks blade open. The OS disk is highlighted, as an example disk for you to select.

  4. Select Encryption and select Encryption at rest with a customer-managed key and then select your disk encryption set in the drop-down list.

  5. Select Save.

    Screenshot of your example OS disk. The encryption blade is open, encryption at rest with a customer-managed key is selected, as well as your example Azure Key Vault. After making those selections, the save button is selected.

  6. Repeat this process for any other disks attached to the VM you'd like to encrypt.

  7. When your disks finish switching over to customer-managed keys, if there are no there no other attached disks you'd like to encrypt, you may start your VM.

Important

Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see Transferring a subscription between Azure AD directories.

Next steps