Create an encrypted image version with customer-managed keys
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
Images in an Azure Compute Gallery (formerly known as Shared Image Gallery) are stored as snapshots. These images are automatically encrypted through server-side 256-bit AES encryption. Server-side encryption is also FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.
You can rely on platform-managed keys for the encryption of your images, or use your own keys. You can also use both of these features together for doubled encryption. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all disks in your images.
Server-side encryption through customer-managed keys uses Azure Key Vault. You can generate new RSA keys in Azure Key Vault.
Prerequisites
This article requires that you already have a disk encryption set in each region where you want to replicate your image:
To use only a customer-managed key, see the articles about enabling customer-managed keys with server-side encryption by using the Azure portal or PowerShell.
To use both platform-managed and customer-managed keys (for double encryption), see the articles about enabling double encryption at rest by using the Azure portal or PowerShell.
Important
You must use the link https://portal.azure.cn/?feature.enabledoubleencryption=true&feature.enablehostbasedencryption=true#home to access the Azure portal. Double encryption at rest is not currently visible in the public Azure portal unless you use that link.
Limitations
When you're using customer-managed keys for encrypting images in an Azure Compute Gallery, these limitations apply:
Encryption key sets must be in the same subscription as your image.
Encryption key sets are regional resources, so each region requires a different encryption key set.
After you've used your own keys to encrypt an image, you can't go back to using platform-managed keys for encrypting those images.
Using a VM as the image version source doesn't currently support customer-managed key encryption.
Some features, such as replicating an SSE+CMK image or creating an image from an SSE+CMK encrypted disk, are not supported through the portal.
PowerShell
To specify a disk encryption set for an image version, use New-AzGalleryImageVersion with the -TargetRegion parameter:
# Existing gallery resources (placeholder names; replace with your own)
$rgname = 'myRG'
$galleryName = 'myGallery'
$imageDefinitionName = 'myImageDefinition'
$versionName = '1.0.0'
$location = 'China North'
$sourceId = '<ID of the image version source>'
# Disk encryption sets for the first target region: one set for the OS disk and one per data disk, selected by LUN
$osDiskImageEncryption = @{DiskEncryptionSetId='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/diskEncryptionSets/myDESet'}
$dataDiskImageEncryption1 = @{DiskEncryptionSetId='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/diskEncryptionSets/myDESet1';Lun=1}
$dataDiskImageEncryption2 = @{DiskEncryptionSetId='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/diskEncryptionSets/myDESet2';Lun=2}
$dataDiskImageEncryptions = @($dataDiskImageEncryption1,$dataDiskImageEncryption2)
$encryption1 = @{OSDiskImage=$osDiskImageEncryption;DataDiskImages=$dataDiskImageEncryptions}
$region1 = @{Name='China North';ReplicaCount=1;StorageAccountType='Standard_LRS';Encryption=$encryption1}
# Disk encryption sets for the second target region (encryption sets are regional, so each region needs its own)
$ChinaEast2osDiskImageEncryption = @{DiskEncryptionSetId='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/diskEncryptionSets/myChinaEast2DESet'}
$ChinaEast2dataDiskImageEncryption1 = @{DiskEncryptionSetId='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/diskEncryptionSets/myChinaEast2DESet1';Lun=1}
$ChinaEast2dataDiskImageEncryption2 = @{DiskEncryptionSetId='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.Compute/diskEncryptionSets/myChinaEast2DESet2';Lun=2}
$ChinaEast2DataDiskImageEncryptions = @($ChinaEast2dataDiskImageEncryption1,$ChinaEast2dataDiskImageEncryption2)
$encryption2 = @{OSDiskImage=$ChinaEast2osDiskImageEncryption;DataDiskImages=$ChinaEast2DataDiskImageEncryptions}
$region2 = @{Name='China East 2';ReplicaCount=1;StorageAccountType='Standard_LRS';Encryption=$encryption2}
$targetRegion = @($region1, $region2)
# Create the image version, replicating it to both regions with their own encryption sets
New-AzGalleryImageVersion `
-ResourceGroupName $rgname `
-GalleryName $galleryName `
-GalleryImageDefinitionName $imageDefinitionName `
-Name $versionName -Location $location `
-SourceImageId $sourceId `
-ReplicaCount 2 `
-StorageAccountType Standard_LRS `
-PublishingProfileEndOfLifeDate '2020-12-01' `
-TargetRegion $targetRegion
Create a VM
You can create a virtual machine (VM) from an Azure Compute Gallery and use customer-managed keys to encrypt the disks. The syntax is the same as creating a generalized or specialized VM from an image. Use the extended parameter set and add the following to the VM configuration:
Set-AzVMOSDisk -Name $($vmName +"_OSDisk") -DiskEncryptionSetId $diskEncryptionSet.Id -CreateOption FromImage
For data disks, add the -DiskEncryptionSetId $setID parameter when you use Add-AzVMDataDisk.
CLI
To specify a disk encryption set for an image version, use az sig image-version create with the --target-region-encryption parameter. The value of --target-region-encryption is a comma-separated list of keys for encrypting the OS and data disks, one such list per target region. It should look like this: <encryption set for the OS disk>,<Lun number of the data disk>,<encryption set for the data disk>,<Lun number for the second data disk>,<encryption set for the second data disk>
If the source for the OS disk is a managed disk or a VM, use --managed-image to specify the source for the image version. In this example, the source is a managed image that has an OS disk and a data disk at LUN 0. The OS disk will be encrypted with DiskEncryptionSet1, and the data disk will be encrypted with DiskEncryptionSet2.
az sig image-version create \
-g MyResourceGroup \
--gallery-image-version 1.0.0 \
--location chinanorth \
--target-regions chinanorth=2=standard_lrs chinaeast2 \
--target-region-encryption ChinaNorthDiskEncryptionSet1,0,ChinaNorthDiskEncryptionSet2 ChinaEast2DiskEncryptionSet1,0,ChinaEast2DiskEncryptionSet2 \
--gallery-name MyGallery \
--gallery-image-definition MyImage \
--managed-image "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/myImage"
If the source for the OS disk is a snapshot, use --os-snapshot to specify the OS disk. Add any other data disk snapshots that should also be part of the image version. Use --data-snapshot-luns to specify the LUN, and use --data-snapshots to specify the snapshots.
In this example, the sources are disk snapshots. There's an OS disk and a data disk at LUN 0. The OS disk will be encrypted with DiskEncryptionSet1, and the data disk will be encrypted with DiskEncryptionSet2.
az sig image-version create \
-g MyResourceGroup \
--gallery-image-version 1.0.0 \
--location chinanorth \
--target-regions chinanorth=2=standard_lrs chinaeast2 \
--target-region-encryption ChinaNorthDiskEncryptionSet1,0,ChinaNorthDiskEncryptionSet2 ChinaEast2DiskEncryptionSet1,0,ChinaEast2DiskEncryptionSet2 \
--os-snapshot "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/snapshots/myOSSnapshot" \
--data-snapshot-luns 0 \
--data-snapshots "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/snapshots/myDDSnapshot" \
--gallery-name MyGallery \
--gallery-image-definition MyImage
Create the VM
You can create a VM from an Azure Compute Gallery and use customer-managed keys to encrypt the disks. The syntax is the same as creating a generalized or specialized VM with the addition of the --os-disk-encryption-set parameter. For data disks, add --data-disk-encryption-sets with a space-delimited list of the disk encryption sets for the data disks.
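The following script is an added example and is not part of the Azure documentation or the Azure CLI. It shows three checks a practitioner would want around the CLI flow above: building the --target-region-encryption value in the format described earlier (catching bad or duplicate LUNs before the command is issued), enforcing the limitation that every disk encryption set must be in the same subscription as the image source, and verifying after VM creation that a disk really carries customer-managed-key encryption with the expected set rather than having fallen back to platform keys. All resource IDs, names and the subscription GUID are constructed placeholders; the az disk show query and the encryption.type values are the real Azure CLI fields, but the script runs offline and prints the create command instead of calling Azure.

```shell
#!/bin/sh
# Added example, not from the Azure documentation: offline helpers around
# `az sig image-version create` with customer-managed keys. Every resource ID
# and name below is a constructed placeholder.
set -eu

# Print the subscription GUID of an ARM resource ID
# (/subscriptions/<guid>/resourceGroups/...); fail on anything else.
subscription_of() {
  id="${1#/}"                       # tolerate a missing leading slash
  case "$id" in
    subscriptions/*/*) rest="${id#subscriptions/}"; printf '%s\n' "${rest%%/*}" ;;
    *) return 1 ;;
  esac
}

# Limitation stated in the article: encryption key sets must be in the same
# subscription as the image. Arguments: source image ID, then DES IDs.
check_same_subscription() {
  want="$(subscription_of "$1")" || return 1
  shift
  for des in "$@"; do
    got="$(subscription_of "$des")" || return 1
    [ "$got" = "$want" ] || return 1
  done
}

# Compose one --target-region-encryption entry in the documented format:
#   <OS DES>,<LUN>,<data DES>,<LUN>,<data DES>...
# Arguments: OS DES, then LUN=DES pairs. Non-numeric or repeated LUNs fail
# here rather than after the image-version creation has started.
region_encryption_arg() {
  out="$1"; shift
  seen=" "
  for pair in "$@"; do
    lun="${pair%%=*}"; des="${pair#*=}"
    case "$lun" in ''|*[!0-9]*) return 1 ;; esac
    case "$seen" in *" $lun "*) return 1 ;; esac
    seen="$seen$lun "
    out="$out,$lun,$des"
  done
  printf '%s\n' "$out"
}

# Check a disk after the VM exists. Feed it the expected DES ID plus the two
# fields returned by:
#   az disk show -g <rg> -n <disk> \
#     --query "[encryption.type, encryption.diskEncryptionSetId]" -o tsv
# Only the two customer-key types pass, and the DES must be the one requested,
# so a disk that silently fell back to platform keys is reported.
verify_disk_encryption() {
  case "$2" in
    EncryptionAtRestWithCustomerKey|EncryptionAtRestWithPlatformAndCustomerKeys) ;;
    *) return 1 ;;
  esac
  # ARM resource IDs are case-insensitive; normalise before comparing.
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
    "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" ]
}

# Constructed placeholders (the same shapes the article's examples use).
SUB='00000000-0000-0000-0000-000000000000'
SOURCE_IMAGE="/subscriptions/$SUB/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/myImage"
DES_BASE="/subscriptions/$SUB/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets"

# Dry run: validate, then print the command line instead of calling Azure.
check_same_subscription "$SOURCE_IMAGE" \
  "$DES_BASE/ChinaNorthDiskEncryptionSet1" "$DES_BASE/ChinaNorthDiskEncryptionSet2" \
  "$DES_BASE/ChinaEast2DiskEncryptionSet1" "$DES_BASE/ChinaEast2DiskEncryptionSet2"
north="$(region_encryption_arg ChinaNorthDiskEncryptionSet1 0=ChinaNorthDiskEncryptionSet2)"
east="$(region_encryption_arg ChinaEast2DiskEncryptionSet1 0=ChinaEast2DiskEncryptionSet2)"
printf 'az sig image-version create -g MyResourceGroup --gallery-name MyGallery \\\n'
printf '  --gallery-image-definition MyImage --gallery-image-version 1.0.0 \\\n'
printf '  --target-regions chinanorth=2=standard_lrs chinaeast2 \\\n'
printf '  --target-region-encryption %s %s \\\n' "$north" "$east"
printf '  --managed-image %s\n' "$SOURCE_IMAGE"

# A disk that ended up with platform keys only must fail the post-creation check.
if verify_disk_encryption "$DES_BASE/ChinaNorthDiskEncryptionSet1" \
     EncryptionAtRestWithPlatformKey "$DES_BASE/ChinaNorthDiskEncryptionSet1"; then
  echo "unexpected: platform-key disk accepted"; exit 1
else
  echo "platform-key-only disk correctly rejected"
fi
```

In practice you would run the printed command, then feed the real az disk show output for each VM disk into verify_disk_encryption; a non-zero exit from any of the three helpers is the signal to stop before the image version or VM is used.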
Portal
When you create your image version in the portal, you can use the Encryption tab to apply your disk encryption sets.
- On the Create an image version page, select the Encryption tab.
- In Encryption type, select Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys.
- For each disk in the image, select an encryption set from the Disk encryption set drop-down list.
Create the VM
You can create a VM from an image version and use customer-managed keys to encrypt the disks. When you create the VM in the portal, on the Disks tab, select Encryption at-rest with customer-managed keys or Double encryption with platform-managed and customer-managed keys for Encryption type. You can then select the encryption set from the drop-down list.
Next steps
Learn more about server-side disk encryption.
For information about how to supply purchase plan information, see Supply Azure Marketplace purchase plan information when creating images.