This article provides answers to frequently asked questions (FAQ) about Azure Disk Encryption for Windows VMs. For more information about this service, see Azure Disk Encryption overview.
What is Azure Disk Encryption for Windows VMs?
Azure Disk Encryption for Windows VMs uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disks. Additionally, it provides encryption of the temporary disk when the VolumeType parameter is All. The content flows encrypted from the VM to the Storage backend. Thereby, providing end-to-end encryption with a customer-managed key.
Where is Azure Disk Encryption in general availability (GA)?
Azure Disk Encryption is in general availability in all Azure public regions.
What user experiences are available with Azure Disk Encryption?
Azure Disk Encryption GA supports Azure Resource Manager templates, Azure PowerShell, and Azure CLI. The different user experiences give you flexibility. You have three different options for enabling disk encryption for your VMs. For more information on the user experience and step-by-step guidance available in Azure Disk Encryption, see Azure Disk Encryption scenarios for Windows.
How much does Azure Disk Encryption cost?
There's no charge for encrypting VM disks with Azure Disk Encryption, but there are charges associated with the use of Azure Key Vault. For more information on Azure Key Vault costs, see the Key Vault pricing page.
How can I start using Azure Disk Encryption?
To get started, read the Azure Disk Encryption overview.
What VM sizes and operating systems support Azure Disk Encryption?
The Azure Disk Encryption overview article lists the VM sizes and VM operating systems that support Azure Disk Encryption.
Can I encrypt both boot and data volumes with Azure Disk Encryption?
You can encrypt both boot and data volumes, but you can't encrypt the data without first encrypting the OS volume.
Can I encrypt an unmounted volume with Azure Disk Encryption?
No, Azure Disk Encryption only encrypts mounted volumes.
What is Storage server-side encryption?
Storage server-side encryption encrypts Azure managed disks in Azure Storage. Managed disks are encrypted by default with Server-side encryption with a platform-managed key (as of June 10, 2017). You can manage encryption of managed disks with your own keys by specifying a customer-managed key. For more information, see Server-side encryption of Azure managed disks.
How is Azure Disk Encryption different from Storage server-side encryption with customer-managed key and when should I use each solution?
Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the temporary disk with a customer-managed key.
- If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption.
- If your requirements include encrypting only data at rest with customer-managed key, then use Server-side encryption with customer-managed keys. You can't encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer managed keys.
- If you're using a scenario called out in Restrictions, consider Server-side encryption with customer-managed keys.
- If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default. For managed disks, the content inside storage is encrypted by default with Server-side encryption with platform-managed key. The key is managed by the Azure Storage service.
How do I rotate secrets or encryption keys?
To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption.
Warning
- If you've previously used Azure Disk Encryption with Microsoft Entra app by specifying Microsoft Entra credentials to encrypt this VM, you must continue to use this option. Using Azure Disk Encryption without Microsoft Entra ID on a VM that's been encrypted using Azure Disk Encryption with Microsoft Entra ID isn't yet a supported scenario.
How do I add or remove a key encryption key (KEK) if I didn't originally use one?
To add a key encryption key, call the enable command again passing the key encryption key parameter. To remove a key encryption key, call the enable command again without the key encryption key parameter.
What size should I use for my key encryption key (KEK)?
Windows Server 2022 and Windows 11 include a newer version of BitLocker and currently doesn't work with RSA 2048 bit Key Encryption Keys. Until resolved, use an RSA 3072 or RSA 4096-bit keys, as described in Supported operating systems.
For earlier version of Windows, you may instead use RSA 2048 Key Encryption Keys.
Does Azure Disk Encryption allow you to bring your own key (BYOK)?
Yes, you can supply your own key encryption keys. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption keys support scenarios, see Creating and configuring a key vault for Azure Disk Encryption.
Can I use an Azure-created key encryption key?
Yes, you can use Azure Key Vault to generate a key encryption key for Azure disk encryption use. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption key, see Creating and configuring a key vault for Azure Disk Encryption.
Can I use an on-premises key management service to safeguard the encryption keys?
You can't use the on-premises key management service to safeguard the encryption keys with Azure Disk Encryption. You can only use the Azure Key Vault service to safeguard the encryption keys. For more information on the key encryption key support scenarios, see Creating and configuring a key vault for Azure Disk Encryption.
What are the prerequisites to configure Azure Disk Encryption?
There are prerequisites for Azure Disk Encryption. See the Creating and configuring a key vault for Azure Disk Encryption article to create a new key vault, or set up an existing key vault for disk encryption access to enable encryption, and safeguard secrets and keys. For more information on the key encryption key support scenarios, see Creating and configuring a key vault for Azure Disk Encryption.
What are the prerequisites to configure Azure Disk Encryption with a Microsoft Entra app (previous release)?
There are prerequisites for Azure Disk Encryption. See the Azure Disk Encryption with Microsoft Entra ID content to create an Microsoft Entra application, create a new key vault, or set up an existing key vault for disk encryption access to enable encryption, and safeguard secrets and keys. For more information on the key encryption key support scenarios, see Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID.
Is Azure Disk Encryption using a Microsoft Entra app (previous release) still supported?
Yes. Disk encryption using a Microsoft Entra app is still supported. However, when encrypting new VMs it's recommended that you use the new method rather than encrypting with a Microsoft Entra app.
Can I migrate VMs that were encrypted with a Microsoft Entra app to encryption without a Microsoft Entra app?
Currently, there isn't a direct migration path for machines that were encrypted with a Microsoft Entra app to encryption without a Microsoft Entra app. Additionally, there isn't a direct path from encryption without a Microsoft Entra app to encryption with an AD app.
What version of Azure PowerShell does Azure Disk Encryption support?
Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version of Azure PowerShell. Azure Disk Encryption is not supported by Azure SDK version 1.1.0.
What is the disk "Bek Volume" or "/mnt/azure_bek_disk"?
The "Bek volume" is a local data volume that securely stores the encryption keys for Encrypted Azure VMs.
Note
Don't delete or edit any contents in this disk. Don't unmount the disk since the encryption key presence is needed for any encryption operations on the IaaS VM.
What encryption method does Azure Disk Encryption use?
Azure Disk Encryption selects the encryption method in BitLocker based on the version of Windows as follows:
Windows Versions | Version | Encryption Method |
---|---|---|
Windows Server 2012, Windows 10, or greater | >=1511 | XTS-AES 256 bit |
Windows Server 2012, Windows 8, 8.1, 10 | < 1511 | AES 256 bit * |
Windows Server 2008R2 | AES 256 bit with Diffuser |
* AES 256 bit with Diffuser isn't supported in Windows 2012 and later.
To determine Windows OS version, run the 'winver' tool in your virtual machine.
Can I backup and restore an encrypted VM?
Azure Backup provides a mechanism to back up and restore encrypted VMs within the same subscription and region. For instructions, see Back up and restore encrypted virtual machines with Azure Backup. Restoring an encrypted VM to a different region isn't currently supported.
Where can I go to ask questions or provide feedback?
You can ask questions or provide feedback on the Microsoft Q&A question page for Azure Disk Encryption.
Next steps
In this document, you learned more about the most frequent questions related to Azure Disk Encryption. For more information about this service, see the following articles: