Azure Disk Encryption is a security feature provided by Microsoft Azure that helps safeguard data on Azure Virtual Machine disks using encryption. It uses industry-standard encryption (BitLocker on Windows, dm-crypt on Linux) to encrypt both the OS and data disks of an Azure VM from inside the guest, so that sensitive information is protected from unauthorized access. Azure also encrypts every managed disk on the storage side (server-side encryption), and that server-side layer can be switched from Microsoft's platform-managed keys to a key you own in Azure Key Vault through a Disk Encryption Set. The walkthrough below does that second thing: it moves a VM's disks to customer-managed keys. The two mechanisms are independent and can be combined.
- Data Protection: The OS and attached data disks are encrypted at rest, so the data stays unreadable even if someone obtains the underlying storage media or a copy of the disk blob.
- Integration with Azure Key Vault: The encryption keys live in Azure Key Vault, which gives a single place to rotate, revoke and audit keys, kept separate from the encrypted data. A Disk Encryption Set has its own managed identity that must be allowed to use the key in the vault.
- Supported Disk Types: Azure Disk Encryption works with managed and unmanaged disks on Windows and Linux VMs; customer-managed keys for server-side encryption require managed disks (OS disks, data disks, snapshots and images).
Step 1: Currently we have a Virtual Machine with an OS disk and a data disk attached, and both disks are encrypted under "Platform Managed Keys".
We are going to convert them to "Customer Managed Keys". This does not make the encryption itself stronger (the disks are AES-256 encrypted either way); what it gives us is control over the key: we decide where it lives, when it rotates, who can use it, and we can revoke it, which makes every disk bound to it unreadable.
Step 2: To start, create an Azure Key Vault. While creating the Key Vault, enable Purge Protection. Soft delete is always on for new vaults, and a Disk Encryption Set refuses a vault without purge protection, because a purged key would leave the disks permanently unreadable. Note that purge protection cannot be turned off again once enabled.
In the Access configuration section, select "Vault access policy" as the permission model (the later step that grants the Disk Encryption Set access to the key assumes this model; with Azure RBAC you would assign the "Key Vault Crypto Service Encryption User" role instead). Leave the other settings at their defaults and create the Azure Key Vault.
Step 3: With the Key Vault in place, create a key in it.
Choose an RSA (or RSA-HSM) key of 2048, 3072 or 4096 bits, which are the sizes a Disk Encryption Set accepts, and create the key.
Step 4: To encrypt the disk with our key we need a "Disk Encryption Set". While creating it, select the Azure Key Vault and the key created above. The set gets a system-assigned managed identity; that identity, not you, is what will wrap and unwrap the disk's data encryption key against the vault.
Once all the required resources exist, verify in the Key Vault's Properties that Purge protection is Enabled; the Disk Encryption Set cannot be used with a vault where it is not.
Step 5: Open the disk you want to encrypt and click Encryption in the left-hand menu. If the disk is attached to a running VM, stop (deallocate) the VM first: the encryption type of an attached disk can only be changed while the VM is deallocated.
Change the type from Platform Managed Keys to Customer Managed Keys and pick the Disk Encryption Set. At this point we get an error: the Disk Encryption Set has not yet been granted access to the key in the vault.
Step 6: To fix the error, go to the Disk Encryption Set. A banner asks you to grant the set's managed identity permission on the Key Vault (Get, Wrap Key and Unwrap Key on keys). Click the option to allow it; the portal adds the access policy for you.
Step 7: Go back to the disk you want to encrypt, choose Customer Managed Keys again and select the Disk Encryption Set. Repeat this for every disk on the VM, the OS disk included, otherwise only part of the VM is under your key.
The disk is now re-keyed; the data itself is not rewritten, only the key that protects it changes, so the operation completes quickly. Start the VM again.
Step 8: Finally, check whether the disk's encryption has moved to Customer Managed Keys: the Encryption blade of each disk should show the customer-managed key type and the name of the Disk Encryption Set. Keep the key vault's access policy, purge protection and key under change control: deleting the key, or removing the Disk Encryption Set's permission, stops every disk bound to it from being attached or started.
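The same procedure run end to end from the Az PowerShell module, as an added example that is not part of the original post. It assumes you are already signed in with Connect-AzAccount, that the resource group and VM already exist, and that the resource group, VM, vault, key and Disk Encryption Set names are placeholders to replace with your own. Unlike the portal steps it also re-keys every disk on the VM in one loop and verifies the result, which is the check you want before calling the change done.

```powershell
# Added example (not from the original post): move a VM's OS and data disks from
# platform-managed keys to customer-managed keys with the Az PowerShell module.
# Assumed placeholders: resource group, VM, vault, key and DES names below.
$rg      = "rg-cmk-demo"                              # assumed, existing resource group
$vmName  = "vm-cmk-demo"                              # assumed, existing VM with OS + data disk
$loc     = "eastus"
$kvName  = "kv-cmk-$(Get-Random -Maximum 99999)"      # vault names are globally unique
$keyName = "disk-cmk-key"
$desName = "des-cmk-demo"

# Step 2: a vault with purge protection. Soft delete is on for every new vault;
# purge protection is the setting a Disk Encryption Set insists on, and it cannot
# be switched off once enabled.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc -EnablePurgeProtection
if (-not $kv.EnablePurgeProtection) { throw "Purge protection is not enabled on $kvName" }

# Step 3: an RSA key. A DES accepts RSA and RSA-HSM keys of 2048, 3072 or 4096 bits.
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software -Size 3072

# Step 4: the Disk Encryption Set, with a system-assigned identity that will call
# the vault on behalf of the disk service to wrap/unwrap each disk's data key.
$desCfg = New-AzDiskEncryptionSetConfig -Location $loc -SourceVaultId $kv.ResourceId `
            -KeyUrl $key.Id -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName -DiskEncryptionSet $desCfg

# Step 6: the permission the portal banner asks for. Without it the disk update
# below fails, because the DES identity cannot unwrap the key.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapkey,unwrapkey,get
# For a vault using Azure RBAC instead of access policies, assign a role instead:
# New-AzRoleAssignment -ObjectId $des.Identity.PrincipalId `
#     -RoleDefinitionName "Key Vault Crypto Service Encryption User" -Scope $kv.ResourceId

# Steps 5 and 7: the encryption type of an attached disk can only change while the
# VM is deallocated, so stop it, re-key every disk (OS disk included), then start it.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$diskNames = @($vm.StorageProfile.OsDisk.Name) + @($vm.StorageProfile.DataDisks | ForEach-Object Name)

foreach ($d in $diskNames) {
    $update = New-AzDiskUpdateConfig -EncryptionType "EncryptionAtRestWithCustomerKey" `
                                     -DiskEncryptionSetId $des.Id
    Update-AzDisk -ResourceGroupName $rg -DiskName $d -DiskUpdate $update | Out-Null
}
Start-AzVM -ResourceGroupName $rg -Name $vmName

# Step 8: verify. Every disk must report the customer-key type and point at our DES.
foreach ($d in $diskNames) {
    $enc = (Get-AzDisk -ResourceGroupName $rg -DiskName $d).Encryption
    if ($enc.Type -ne "EncryptionAtRestWithCustomerKey" -or $enc.DiskEncryptionSetId -ne $des.Id) {
        throw "Disk $d is still not protected by the customer-managed key"
    }
    "{0}: {1}" -f $d, $enc.Type
}
```

The `$key.Id` passed as the key URL is the versioned key identifier, so the set is pinned to that key version; rotating the key in the vault later means updating the Disk Encryption Set to the new version (or creating the set with automatic key rotation) before the old version is disabled, otherwise the disks can no longer be attached.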