Use the Azure portal to enable double encryption at rest for managed disks
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️
Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, and other managed disk encryption types, see the Double encryption at rest section of our disk encryption article.
Restrictions
Double encryption at rest isn't currently supported with either Ultra Disks.
Getting started
Sign in to the Azure portal.
Search for and select Disk Encryption Sets.
Select + Create.
Select one of the supported regions.
For Encryption type, select Double encryption with platform-managed and customer-managed keys.
Note
Once you create a disk encryption set with a particular encryption type, it cannot be changed. If you want to use a different encryption type, you must create a new disk encryption set.
Fill in the remaining info.
Select an Azure Key Vault and key, or create a new one if necessary.
Note
If you create a Key Vault instance, you must enable soft delete and purge protection. These settings are mandatory when using a Key Vault for encrypting managed disks, and protect you from losing data due to accidental deletion.
Select Create.
Navigate to the disk encryption set you created, and select the error that is displayed. This will configure your disk encryption set to work.
A notification should pop up and succeed. Doing this will allow you to use the disk encryption set with your key vault.
Navigate to your disk.
Select Encryption.
For Encryption type, select Double encryption with platform-managed and customer-managed keys.
Select your disk encryption set.
select Save.
You have now enabled double encryption at rest on your managed disk.