Use the Azure portal to enable double encryption at rest for managed disks

Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, as well as other managed disk encryption types, see the Double encryption at rest section of our disk encryption article.

Getting started

  1. Sign in to the Azure portal.

    Important

    You must use the provided link to access the Azure portal. Double encryption at rest is not currently visible in the public Azure portal without using the link.

  2. Search for and select Disk Encryption Sets.

    Screenshot of the main Azure portal, disk encryption sets is highlighted in the search bar.

  3. Select + Add.

    Screenshot of the disk encryption set blade, + Add is highlighted.

  4. Select one of the supported regions.

  5. For Encryption type, select Double encryption with platform-managed and customer-managed keys.

    Note

    Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.

  6. Fill in the remaining info.

    Screenshot of the disk encryption set creation blade, regions and double encryption with platform-managed and customer-managed keys are highlighted.

  7. Select an Azure Key Vault and key, or create a new one if necessary.

    Note

    If you create a Key Vault instance, you must enable soft delete and purge protection. These settings are mandatory when using a Key Vault for encrypting managed disks, and protect you from losing data due to accidental deletion.

    Screenshot of the Key Vault creation blade.

  8. Select Create.

  9. Navigate to the disk encryption set you created, and select the error that is displayed. Selecting it grants the disk encryption set the permissions it needs on your key vault, which it must have before it can be used.

    Screenshot of the disk encryption set displayed error, the error text is: To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault.

    A notification should appear and report success. The disk encryption set can now be used with your key vault.

    Screenshot of successful permission and role assignment for your key vault.

  10. Navigate to your disk.

  11. Select Encryption.

  12. For Encryption type, select Double encryption with platform-managed and customer-managed keys.

  13. Select your disk encryption set.

  14. Select Save.

    Screenshot of the encryption blade for your managed disk, the aforementioned encryption type is highlighted.

You have now enabled double encryption at rest on your managed disk.
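The same procedure as an Azure CLI script, added here as an example that is not part of the original article or of Microsoft's own tooling. It follows the portal steps above (Key Vault with soft delete and purge protection, a disk encryption set created with the double-encryption type, the key permissions the portal grants when you select the displayed error, and the disk update), and adds two checks a practitioner wants: it refuses to continue if the vault does not actually have both mandatory protections, and it verifies afterwards that the disk reports `EncryptionAtRestWithPlatformAndCustomerKeys`. All resource names and the region are assumed placeholders; with the default `DRY_RUN=1` the script only prints the commands, so it can be reviewed without a subscription.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: Azure CLI equivalent of the portal
# steps for double encryption at rest, with preflight and post-change checks.
set -euo pipefail

# DRY_RUN=1 (default) prints each az command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

RG="${RG:-rg-double-enc-demo}"          # assumed resource group
LOCATION="${LOCATION:-westus2}"         # assumed region; must support double encryption
KV="${KV:-kv-double-enc-demo}"          # assumed (globally unique) Key Vault name
KEY="${KEY:-des-key}"                   # assumed key name
DES="${DES:-des-double-enc-demo}"       # assumed disk encryption set name
DISK="${DISK:-disk-double-enc-demo}"    # assumed managed disk name

# API value behind the portal option
# "Double encryption with platform-managed and customer-managed keys".
DOUBLE_ENC="EncryptionAtRestWithPlatformAndCustomerKeys"

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# vault_is_protected SOFT_DELETE PURGE_PROTECTION
# Arguments are the "true"/"false"/"" strings printed by
#   az keyvault show --query properties.enableSoftDelete -o tsv
#   az keyvault show --query properties.enablePurgeProtection -o tsv
# Succeeds only when both are "true": a vault backing a disk encryption set
# must have soft delete and purge protection enabled.
vault_is_protected() {
  [ "$1" = "true" ] && [ "$2" = "true" ]
}

# is_double_encrypted ENCRYPTION_TYPE
# Checks the string printed by: az disk show --query encryption.type -o tsv
is_double_encrypted() {
  [ "$1" = "$DOUBLE_ENC" ]
}

# Step 7 and its Note: vault with soft delete (default) and purge protection.
run az keyvault create -g "$RG" -n "$KV" -l "$LOCATION" \
  --enable-purge-protection true --retention-days 90
run az keyvault key create --vault-name "$KV" -n "$KEY" --protection software

if [ "$DRY_RUN" != 1 ]; then
  soft=$(az keyvault show -g "$RG" -n "$KV" --query properties.enableSoftDelete -o tsv)
  purge=$(az keyvault show -g "$RG" -n "$KV" --query properties.enablePurgeProtection -o tsv)
  vault_is_protected "$soft" "$purge" ||
    { echo "refusing: vault lacks soft delete and/or purge protection" >&2; exit 1; }
  KEY_URL=$(az keyvault key show --vault-name "$KV" -n "$KEY" --query key.kid -o tsv)
  VAULT_ID=$(az keyvault show -g "$RG" -n "$KV" --query id -o tsv)
else
  KEY_URL="https://$KV.vault.azure.net/keys/$KEY/<version>"
  VAULT_ID="/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV"
fi

# Steps 3-8: the disk encryption set. The encryption type cannot be changed
# later; a different type means a new disk encryption set.
run az disk-encryption-set create -g "$RG" -n "$DES" -l "$LOCATION" \
  --key-url "$KEY_URL" --source-vault "$VAULT_ID" --encryption-type "$DOUBLE_ENC"

# Step 9: grant the set's system-assigned identity key access on the vault
# (what the portal does when you select the displayed error). For a vault that
# uses Azure RBAC instead of access policies, assign the built-in role
# "Key Vault Crypto Service Encryption User" at the vault scope instead.
if [ "$DRY_RUN" != 1 ]; then
  DES_PRINCIPAL=$(az disk-encryption-set show -g "$RG" -n "$DES" --query identity.principalId -o tsv)
  DES_ID=$(az disk-encryption-set show -g "$RG" -n "$DES" --query id -o tsv)
else
  DES_PRINCIPAL="<des-principal-id>"
  DES_ID="<des-resource-id>"
fi
run az keyvault set-policy -n "$KV" --object-id "$DES_PRINCIPAL" \
  --key-permissions get wrapKey unwrapKey

# Steps 10-14: apply the set to the disk, then confirm what was actually applied.
run az disk update -g "$RG" -n "$DISK" \
  --disk-encryption-set "$DES_ID" --encryption-type "$DOUBLE_ENC"
if [ "$DRY_RUN" != 1 ]; then
  applied=$(az disk show -g "$RG" -n "$DISK" --query encryption.type -o tsv)
  is_double_encrypted "$applied" ||
    { echo "disk reports encryption type '$applied', expected $DOUBLE_ENC" >&2; exit 1; }
fi
```

Run with `DRY_RUN=0` (and real names exported) to execute; the final `az disk show` check is worth keeping in any automation, since a disk that silently stayed at the platform-managed-key type looks identical in an inventory listing unless you query `encryption.type` explicitly.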

Next steps