Use the Azure portal to enable end-to-end encryption using encryption at host
When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. For conceptual information on encryption at host, as well as other managed disk encryption types, see:
Restrictions
- Does not support ultra disks.
- Cannot be enabled if Azure Disk Encryption (guest-VM encryption using BitLocker/dm-crypt) is enabled on your VMs/virtual machine scale sets.
- Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.
- The encryption can be enabled on existing virtual machine scale sets. However, only new VMs created after enabling the encryption are automatically encrypted.
- Existing VMs must be deallocated and reallocated in order to be encrypted.
Supported VM sizes
All the latest generation of VM sizes support encryption at host:
| Type | Not supported | Supported |
|---|---|---|
| General purpose | Dv3, Dv2, Av2 | B, DSv2, Dsv3, DC, DCv2, Dav4, Dasv4 |
| Memory optimized | Ev3 | DSv2, Esv3, M, Mv2, Eav4, Easv4 |
| Storage optimized | | Ls, Lsv2 (NVMe disks not encrypted) |
| GPU | NC, NV | NCv2, NCv3, ND, NVv3, NVv4, NDv2 (preview) |
| High performance compute | H | HB, HC, HBv2 |
| Previous generations | F, A, D, L, G | DS, GS, Fs, NVv2 |
You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Follow the steps below to enable the feature for your subscription:
1. In the Azure portal, select the Cloud Shell icon.
2. Execute the following command to register the feature for your subscription:
   ```powershell
   Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
   ```
3. Check that the registration state is Registered (this takes a few minutes) using the command below before trying out the feature:
   ```powershell
   Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
   ```
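As an added example (not part of the original page), the registration and state check above combined into one script that polls until the feature reads Registered; the 15-minute timeout and 20-second poll interval are assumptions:

```powershell
# Added example, not from the original page: register EncryptionAtHost and
# wait until the registration state is "Registered" before using the feature.
$featureName = "EncryptionAtHost"
$namespace   = "Microsoft.Compute"

$state = (Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace).RegistrationState
if ($state -ne "Registered") {
    Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace | Out-Null

    # Registration takes a few minutes; poll with a bounded wait (timeout is an assumption).
    $deadline = (Get-Date).AddMinutes(15)
    while ($state -ne "Registered" -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 20
        $state = (Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace).RegistrationState
        Write-Host "$featureName registration state: $state"
    }
}

# Refuse to continue unless the subscription is actually registered for the feature.
if ($state -ne "Registered") {
    throw "$featureName is '$state', not 'Registered'; do not deploy with EncryptionAtHost yet."
}
Write-Host "$featureName is registered for subscription $((Get-AzContext).Subscription.Id)"
```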
Sign in to the Azure portal using the provided link.
You must use the provided link to access the Azure portal. Encryption at host is not currently visible in the public Azure portal without using the link.
Create an Azure Key Vault and disk encryption set
Once the feature is enabled, you'll need to set up an Azure Key Vault and a disk encryption set, if you haven't already.
Setting up customer-managed keys for your disks will require you to create resources in a particular order, if you're doing it for the first time. First, you will need to create and set up an Azure Key Vault.
Set up your Azure Key Vault
1. Sign in to the Azure portal.
2. Search for and select Key Vaults.

   Your Azure key vault, disk encryption set, VM, disks, and snapshots must all be in the same region and subscription for deployment to succeed.

3. Select +Add to create a new Key Vault.
4. Create a new resource group.
5. Enter a key vault name, select a region, and select a pricing tier.

   When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 day default). Purge protection ensures that a deleted key cannot be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.

6. Select Review + Create, verify your choices, then select Create.
7. Once your key vault finishes deploying, select it.
8. Select Keys under Settings.
9. Leave both Key Type set to RSA and RSA Key Size set to 2048.
10. Fill in the remaining selections as you like and then select Create.
Set up your disk encryption set
1. Search for Disk Encryption Sets and select it.
2. On the Disk Encryption Sets blade select +Add.
3. Select your resource group, name your encryption set, and select the same region as your key vault.
4. For Encryption type select Encryption at-rest with a customer-managed key.

   Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.

5. Select Click to select a key.
6. Select the key vault and key you created previously, as well as the version.
7. Select Review + Create and then Create.
8. Open the disk encryption set once it finishes creating and select the alert that pops up.

   Two notifications should pop up and succeed. This allows you to use the disk encryption set with your key vault.
Deploy a VM
You must deploy a new VM to enable encryption at host; it cannot be enabled on existing VMs.
1. Search for Virtual Machines and select + Add to create a VM.
2. Create a new virtual machine, select an appropriate region and a supported VM size.
3. Fill in the other values on the Basic blade as you like, then proceed to the Disks blade.
4. On the Disks blade, select Yes for Encryption at host.
5. Make the remaining selections as you like.
6. Finish the VM deployment process, making selections that fit your environment.
You have now deployed a VM with encryption at host enabled; all its associated disks will be encrypted using encryption at host.
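The same Key Vault, disk encryption set and VM setup as an Az PowerShell script, added here as an example and not part of the original page. Resource names, the region, the VM image and the VM size are placeholders, the access-policy step assumes the vault uses the access-policy permission model rather than Azure RBAC, and the final check reads the EncryptionAtHost property back from the deployed VM:

```powershell
# Added example, not from the original page: the portal steps above done with
# Az PowerShell (Az.KeyVault, Az.Compute, Az.Network). Names, region and VM size
# are placeholders; every resource must share one region and subscription.
$rg       = "rg-encrypt-host-demo"     # placeholder resource group
$location = "westus2"                  # placeholder region
$kvName   = "kv-encrypt-host-demo"     # placeholder; vault names are globally unique
$desName  = "des-encrypt-host-demo"
$vmName   = "vm-encrypt-host-demo"
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Purge protection is mandatory for a vault backing managed-disk encryption; soft
# delete is on by default in current Az.KeyVault (older versions need -EnableSoftDelete).
$kv  = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
         -EnablePurgeProtection -SoftDeleteRetentionInDays 90
# RSA 2048 key, matching the portal defaults.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name "disk-cmk" -Destination Software `
         -KeyType RSA -Size 2048

# Disk encryption set (customer-managed key) pinned to that key version.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location -SourceVaultId $kv.ResourceId `
               -KeyUrl $key.Key.Kid -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -InputObject $desConfig
# Equivalent of accepting the portal notifications: let the set's identity use the key
# (assumes the vault uses the access-policy permission model rather than Azure RBAC).
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys get,wrapkey,unwrapkey

# Minimal network for the VM.
$subnet = New-AzVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.0.0.0/24"
$vnet   = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name "vnet-demo" `
            -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$nic    = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name "nic-demo" `
            -SubnetId $vnet.Subnets[0].Id

# New VM in a supported size (DSv2) with encryption at host and the CMK-backed OS disk.
$cred = Get-Credential -Message "Local admin credentials for $vmName"
$vm = New-AzVMConfig -VMName $vmName -VMSize "Standard_DS2_v2" -EncryptionAtHost |
      Set-AzVMOperatingSystem -Linux -ComputerName $vmName -Credential $cred |
      Set-AzVMSourceImage -PublisherName "Canonical" -Offer "UbuntuServer" -Skus "18.04-LTS" -Version "latest" |
      Set-AzVMOSDisk -CreateOption FromImage -DiskEncryptionSetId $des.Id |
      Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null

# Check: encryption at host must read back as true on the deployed VM.
$deployed = Get-AzVM -ResourceGroupName $rg -Name $vmName
if (-not $deployed.SecurityProfile.EncryptionAtHost) { throw "Encryption at host is not enabled on $vmName" }
Write-Host "${vmName}: EncryptionAtHost=$($deployed.SecurityProfile.EncryptionAtHost), OS disk DES=$($deployed.StorageProfile.OsDisk.ManagedDisk.DiskEncryptionSet.Id)"
```

The script fails fast if the feature, the key permissions or the VM size are not in place, which is the same gate the portal enforces by hiding the option.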