
I have an Azure VM. It has one OS disk and one data disk. If I go to its disks in Azure portal, I see encryption enabled with a platform-managed key


But when I run the below az command

az vm encryption show --name vm1 --resource-group rg1

Azure Disk Encryption is not enabled

so my question is are these two different encryptions? How do I enable Azure disk encryption using the platform managed key on the Azure portal? My goal is to enable encryption at the host.

Thanks in advance.

Abdullah (edited by Maytham Fahmi)

1 Answer

"Azure Disk Encryption is not enabled. My goal is to enable encryption at the host."

  1. Platform-managed disk encryption: This encryption is enabled at the platform level and is applied to the OS disk of the Virtual Machine. When you see "Encryption Enabled" on the disks in the Azure portal, it means that platform-managed disk encryption is turned on for those disks. This encryption is managed by Azure and uses a platform-managed key.

  2. Azure Disk Encryption: This is a specific feature in Azure that allows you to enable encryption at the OS level for virtual machines. It uses Azure Key Vault to store the encryption keys. When you run the az vm encryption show command, it checks whether Azure Disk Encryption is enabled for the virtual machine's OS disk.

Enabling platform-managed disk encryption at the platform level (as shown in the Azure portal) does not automatically enable Azure Disk Encryption for the VM's OS disk. These are separate features.

When I check the Disk encryption status before enabling ADE for the VM OS Disk, I also got the same result as you.

Result: [screenshot omitted]

To enable Azure Disk Encryption for the VM's OS disk, follow the below steps.

  1. Create an Azure Key Vault with the required permissions, and make sure to include the --key-permissions wrapKey permission to enable disk encryption.

  2. Once the Key Vault is created, enable Key Vault for disk encryption using the below command.

  az keyvault update --name "demovaulttest-test" --resource-group 'Imran' --enabled-for-disk-encryption "true"

  3. Encrypt a VM using a key vault using the below command.

  az vm encryption enable --resource-group <rg-Name> --name <VM-Name> --disk-encryption-keyvault demovaulttest-test --volume-type ALL

Output: [screenshot omitted]

Venkat V
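As an added example (not code from the answer above or from Azure's own tooling), a small Python check that tells the three layers discussed on this page apart from az CLI JSON output: the server-side encryption the portal shows, encryption at host, and Azure Disk Encryption. The JSON field names and the `EncryptionState/encrypted` status code are assumptions about the shape of `az vm show -o json`, `az disk show -o json` and `az vm encryption show -o json` output; the sample data is constructed.

```python
"""Classify the three Azure disk-encryption layers from az CLI JSON."""
import json

# Constructed sample output for a VM like the one in the question: SSE with a
# platform-managed key is on, encryption at host is not set, ADE is not enabled.
VM_SHOW = json.dumps({
    "name": "vm1",
    "securityProfile": {"encryptionAtHost": None},
    "storageProfile": {"osDisk": {"name": "vm1_OsDisk"}},
})
DISK_SHOW = json.dumps({
    "name": "vm1_OsDisk",
    "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
})
# `az vm encryption show` returns JSON only once ADE is enabled; before that it
# prints the plain-text message quoted in the question.
VM_ENCRYPTION_SHOW = "Azure Disk Encryption is not enabled"


def classify(vm_json: str, disk_json: str, ade_output: str) -> dict:
    """Report which of the three independent encryption layers is active."""
    vm = json.loads(vm_json)
    disk = json.loads(disk_json)
    # Layer 1: server-side encryption of the managed disk (what the portal shows).
    sse_type = disk.get("encryption", {}).get("type", "")
    # Layer 2: encryption at host is a VM property, not a disk property (assumed field).
    eah = bool((vm.get("securityProfile") or {}).get("encryptionAtHost"))
    # Layer 3: ADE (in-guest BitLocker/dm-crypt via the VM extension); assumed status code.
    ade = False
    text = ade_output.strip()
    if text.startswith("{"):
        report = json.loads(text)
        ade = any(
            status.get("code", "").endswith("/encrypted")
            for d in report.get("disks", [])
            for status in d.get("statuses", [])
        )
    return {
        "sse_platform_key": sse_type == "EncryptionAtRestWithPlatformKey",
        "sse_customer_key": sse_type == "EncryptionAtRestWithCustomerKey",
        "encryption_at_host": eah,
        "azure_disk_encryption": ade,
    }


if __name__ == "__main__":
    print(json.dumps(classify(VM_SHOW, DISK_SHOW, VM_ENCRYPTION_SHOW), indent=2))
```

For a real VM, feed it the saved output of those three commands; the point is that enabling one layer leaves the other two flags unchanged.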
  • Thank you @Venkat V. A couple of follow-up questions. 1. Is "encryption at the host" "platform managed disk encryption" or "Azure disk encryption"? 2. I have to turn "Azure disk encryption" on for a couple of VMs using Terraform. Do you have any links which can help in this regard? – Abdullah Jul 28 '23 at 14:14
  • 1. "Encryption at the host" typically refers to "Azure Disk Encryption" (ADE) with "Platform Managed Disk Encryption." This means that the encryption is done at the virtual machine (host) level using Azure's platform-managed keys. 2. "I have to turn the Azure disk encryption on a couple of VMs using Terraform": kindly raise another thread for the same. – Venkat V Jul 28 '23 at 14:42
  • The link below suggests that "Encryption at the host" and "Azure Disk Encryption" (ADE) are two different things. https://stackoverflow.com/questions/66652446/azure-disk-encryption-vs-encryption-at-host – Abdullah Jul 28 '23 at 15:53
  • "Encryption at the host" refers to Azure Disk Encryption, which encrypts your OS and data disks at the host level. Azure Disk Encryption can be enabled using either a platform-managed key or a customer-managed key. Platform-managed disk encryption is a type of Azure Disk Encryption where the encryption keys are managed by Azure. With platform-managed disk encryption, you don't need to worry about managing the keys yourself, as Azure takes care of this for you. – Venkat V Jul 29 '23 at 03:13