How to do key rotation when using Azure Disk Encryption (ADE)

Question

Hi,

We are encrypting temporary disk of a linux VMs using ADE (Azure Disk Encryption) and storing some data in temporary disk. We know that for Linux VMs ADE for temporary disk is done using --encrypt-format-all feature as shown below.

az vm encryption enable --resource-group "MyVirtualMachineResourceGroup" --name "MySecureVM" --disk-encryption-keyvault "MySecureVault" --volume-type "data" --encrypt-format-all

Reference : https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux#:~:text=Azure%20Disk%20Encryption%20for%20Linux,when%20using%20the%20EncryptFormatAll%20feature

Now, to rotate the key, it's mentioned that we have to run the same command using a different key. This will lead to loss of data stored in temporary disk (due to EncryptFormatAll ) . Any other way to rotate the key for ADE without loosing data in temporary disk?

Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-faq#how-do-i-rotate-secrets-or-encryption-keys

Thanks,
-Rajesh

Answer 1

@Rajesh KATARAKI
Temporary disks are not meant to store persistent data and that data can be lost at anytime if there is a host issue or you stop and start the VM. Please note that encrypt-format-all feature also formats all mounted data disks. You will need to move data off the temporary disk prior to encrypting or re-encrypting.

Hope this helps. Let me know if you have further questions or issues and I will be happy to assist.

-------------------------------

Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.