KMS Lighthouse



Want to know if it is possible to use Azure disk encryption with key rotation (SSE & CMK + ADE).

btan


SSE - By default, managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) with a platform-managed key to protect the data on OS and data disks.

CMK - SSE consists of several components, and there are two choices for how the encryption keys are managed. The two types are:
  1. Platform Managed Keys (PMK) - This is the default offering and setting when you create a managed disk. When you navigate to a virtual machine and click on the Disks of the VM, you will notice that the Encryption header states: SSE with PMK
  2. Customer Managed Keys (CMK) - CMK offers organizations that have the requirement to manage the encryption keys themselves the ability to bring their own keys to Key Vault (BYOK – Bring Your Own Key), or generate new ones, and use them to encrypt the desired resources. Server-side encryption for managed disks with customer-managed keys offers an integrated experience with Azure Key Vault. You can either import your RSA keys to your Key Vault or generate new RSA keys in Azure Key Vault.

ADE - Any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption. All Azure Storage services (Blob storage, Queue storage, Table storage, and Azure Files) support server-side encryption at rest; some services additionally support customer-managed keys and client-side encryption.
KMS Lighthouse
Thanks for bringing this out. In fact ADE can still use "CMK" if key vault is used. 

The MS FAQ is useful too

Does Azure Disk Encryption allow you to bring your own key (BYOK)?

Yes, you can supply your own key encryption keys. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption keys support scenarios, see Creating and configuring a key vault for Azure Disk Encryption.

How do I rotate secrets or encryption keys?

To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption key.
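As an added example (not part of the question, the answer, or the MS FAQ), the rotation step the FAQ describes in Az PowerShell: ADE is enabled with a key encryption key (KEK) from Key Vault, and rotating means creating a new key version and re-running the same enable command with the new KEK URL; the SSE + CMK side rotates by repointing the disk encryption set. The resource group, VM, vault and key names are placeholders, and an existing VM and Az module session are assumed.

```powershell
# Placeholder names; replace with your own resources.
$rg    = 'rg-example'
$vm    = 'vm-example'
$vault = 'kv-example'
$loc   = 'westeurope'

# ADE prerequisites: the vault must be enabled for disk encryption, and purge
# protection keeps a deleted KEK recoverable so disks cannot become unreadable.
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForDiskEncryption
Update-AzKeyVault -VaultName $vault -ResourceGroupName $rg -EnablePurgeProtection

# Version 1 of the KEK (use -Destination HSM on a premium vault for HSM-backed keys).
$kek = Add-AzKeyVaultKey -VaultName $vault -Name 'ade-kek' -Destination Software

function Enable-AdeWithKek([string]$KekUrl) {
    # Same call both times: first run enables ADE, later runs re-wrap the
    # disk encryption secret under the KEK version given in -KeyEncryptionKeyUrl.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri `
        -DiskEncryptionKeyVaultId  $kv.ResourceId `
        -KeyEncryptionKeyUrl       $KekUrl `
        -KeyEncryptionKeyVaultId   $kv.ResourceId `
        -VolumeType All -Force
}
Enable-AdeWithKek -KekUrl $kek.Id

# Rotation for ADE: new key version, then the same command with its versioned URL.
$kek2 = Add-AzKeyVaultKey -VaultName $vault -Name 'ade-kek' -Destination Software
Enable-AdeWithKek -KekUrl $kek2.Id

# Check which KEK the VM now references (KeyUrl should be the new version).
(Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm).OsVolumeEncryptionSettings

# SSE with CMK (managed disks): the key is referenced through a disk encryption set
# whose managed identity is granted wrap/unwrap on the vault.
$cfg = New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $kek.Id `
    -SourceVaultId $kv.ResourceId -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'des-example' -InputObject $cfg
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapkey, unwrapkey, get

# Rotation for SSE + CMK: point the set at the new key version; every disk that
# uses the set is re-keyed by the platform.
Update-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'des-example' -KeyUrl $kek2.Id
```

Key Vault key versions are never deleted by rotation, so the previous KEK version stays available until you disable it deliberately, which is what lets disks still wrapped under it be read during the changeover.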