Today, we announce the general availability of Azure disk encryption for Windows and Linux IaaS VMs in Azure Government cloud regions. With this announcement, Azure disk encryption for Windows and Linux IaaS Standard tier VMs (Std A, D, DS, G, GS etc series) is now generally available in all Azure Gov cloud regions to enable customers to protect the OS and data disk at rest using industry standard encryption technology.
Azure Disk Encryption is a capability that lets you encrypt your Windows and Linux IaaS VM disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data. It also can help you meet organizational security and compliance commitments.
The solution is integrated with Azure Key Vault to help you safeguard, control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage.
The Azure Disk Encryption solution supports the following customer scenarios:
- Enable encryption on new IaaS VMs created from pre-encrypted VHD and encryption keys
- Enable encryption on new IaaS VMs created from the Azure Gallery images
- Enable encryption on existing IaaS VMs running in Azure
- Disable encryption on Windows IaaS VMs
- Disable encryption on data drives for Linux IaaS VMs
The solution supports the following for IaaS VMs when enabled in Microsoft Azure:
- Integration with Azure Key Vault
- Standard tier VMs – A, D, DS, G, GS etc series IaaS VMs
- Enable encryption on Windows and Linux IaaS VMs
- Disable encryption on OS and data drives for Windows IaaS VMs
- Disable encryption on data drives for Linux IaaS VMs
- Enable encryption on IaaS VMs running Windows Client OS
- Enable encryption on volumes with mount paths
- Enable encryption on Linux VMs configured with Software-based RAID system
- Enable encryption on Windows VMs configured with Storage Spaces
- All Azure Gov regions are supported
The solution does not support the following scenarios, features and technology in the release:
- Basic tier IaaS VMs
- Disable encryption on OS drive for Linux IaaS VMs
- IaaS VMs created using classic VM creation method
- Integration with your on-premises Key Management Service
- Azure Files (Azure file share), Network file system (NFS), Dynamic volumes, Windows VMs configured with Software-based RAID systems
For more details on the scenarios supported, the user experiences enabled and the prerequisites for enabling Azure disk encryption, refer to the white paper located here
Frequently Asked Questions with Answers
Q: What user experiences are available with Azure Disk Encryption?
A: Azure Disk Encryption GA supports Azure Resource Manager templates, Azure PowerShell and Azure CLI, so you have three different options for enabling disk encryption on your IaaS VMs. More details on the user experience and step-by-step guidance are available in the Azure Disk Encryption whitepaper.
Q: How much does Azure Disk Encryption cost?
A: There is no charge for encrypting VM disks with Azure Disk Encryption.
Q: What virtual machine tiers can I use Azure Disk Encryption with?
A: Azure Disk Encryption is available only on Standard Tier VMs (A, D, DS, G, GS etc series IaaS VMs), including VMs with premium storage. It is not available on Basic Tier VMs.
Q: What Linux distributions are supported by Azure Disk Encryption?
A: Azure Disk Encryption supports the Red Hat Enterprise Linux, Ubuntu, CentOS, SUSE and SUSE Linux Enterprise Server (SLES) distributions. Linux OS disk encryption is currently supported on the following Linux distributions – RHEL 7.2, CentOS 7.2, Ubuntu 16.04. Linux data disk encryption is supported on most Linux distribution versions.
Q: How can I get started using Azure Disk Encryption?
A: Customers can learn how to get started by reading the Azure Disk Encryption whitepaper
Q: Does Azure Disk Encryption integrate with Azure Key Vault?
A: Yes, Azure Disk Encryption uses Azure Key Vault as its encryption key store to safeguard secrets and keys in your Key Vault subscription. The Key Vault instance where the keys are stored must be in the same region as the encrypted VM.
Q: Does Azure Disk Encryption enable a “bring your own key” (BYOK) capability?
A: Yes, you can supply your own key encryption keys. Those keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more details on the key encryption key support scenarios, see the Azure Disk Encryption whitepaper
Q: Can I use Azure-created key encryption key?
A: Yes, you can use Azure Key vault to generate key encryption key for Azure disk encryption use. Those keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more details on the key encryption key support scenarios, see the Azure Disk Encryption whitepaper
Q: Can I use on-premises key management service/HSM to safeguard the encryption keys?
A: You cannot use the on-premises key management service/HSM to safeguard the encryption keys with Azure disk encryption. You can only use the Azure key vault service to safeguard the encryption keys. For more details on the key encryption key support scenarios, see the Azure Disk Encryption whitepaper
Q: Can I encrypt both boot and data volumes with Azure Disk Encryption?
A: Yes, you can encrypt boot and data volumes for Windows and Linux IaaS VMs.
Q: What are the prerequisites to configure Azure disk encryption?
A: The Azure disk encryption prerequisite PowerShell script, which creates the AAD application, creates a new key vault or sets up an existing key vault, and enables encryption, is located here
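The following is an added walkthrough of the prerequisites and the enable step described in the two answers above, written for this page and not taken from the post, the prerequisite script or the Azure Disk Encryption whitepaper. It uses the Azure PowerShell (AzureRM module) cmdlets of the era the post covers; the resource group, VM, vault, application and key names are assumptions, and the application secret is a placeholder. The region check at the top enforces the requirement, stated in the Key Vault answer above, that the vault and the VM be in the same region, failing early rather than at extension deployment time.

```powershell
# Added example (not the post's or the whitepaper's own code). Names below are
# assumptions; replace them with your own values before running.

# Sign in to the Azure Government environment that the post covers.
Login-AzureRmAccount -EnvironmentName AzureUSGovernment

$rgName     = 'ade-demo-rg'    # assumption
$vmName     = 'ade-demo-vm'    # assumption
$kvName     = 'ade-demo-kv'    # assumption
$aadAppName = 'ade-demo-app'   # assumption
$kekName    = 'ade-demo-kek'   # assumption

# 1. The key vault and the VM must be in the same region; check this first.
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
$kv = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName
if ($vm.Location -ne $kv.Location) {
    throw "Key vault '$kvName' is in $($kv.Location) but VM '$vmName' is in $($vm.Location); they must match."
}

# 2. AAD application whose credentials the VM extension uses to write the
#    disk encryption secret into the vault.
$aadSecret = 'REPLACE-WITH-A-GENERATED-SECRET'   # placeholder; generate one, never commit it
$app = New-AzureRmADApplication -DisplayName $aadAppName `
          -HomePage "https://$aadAppName" -IdentifierUris "https://$aadAppName" `
          -Password $aadSecret
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# 3. Least-privilege vault access: the application may only wrap keys and set
#    secrets; the platform flag lets the VM read its secret at boot.
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $app.ApplicationId `
    -PermissionsToKeys 'wrapKey' -PermissionsToSecrets 'set'
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -EnabledForDiskEncryption

# 4. Key encryption key (KEK) generated in the vault (the "Azure-created KEK" case
#    above). Use -Destination 'HSM' with a Premium vault for an HSM-protected KEK.
$kek = Add-AzureRmKeyVaultKey -VaultName $kvName -Name $kekName -Destination 'Software'

# 5. Enable encryption on the OS and data volumes of the VM.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $app.ApplicationId -AadClientSecret $aadSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType 'All'

# 6. Confirm the OS and data volumes now report as encrypted.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
```

The access policy in step 3 deliberately grants the application only `wrapKey` on keys and `set` on secrets, which is all the extension needs; a broader policy would let a leaked application secret read or delete the disk encryption secrets. Omit the `-KeyEncryptionKeyUrl` and `-KeyEncryptionKeyVaultId` parameters if you do not want a KEK, in which case the disk encryption secret is stored in the vault unwrapped.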
Q: Where can I get more information on how to use PowerShell for configuring Azure Disk Encryption?
A: We have some great articles on how you can perform basic Azure Disk Encryption tasks, as well as more advanced scenarios. For the basic tasks, check out Explore Azure Disk Encryption with Azure PowerShell. For more advanced scenarios, see Explore Azure Disk Encryption with Azure PowerShell – Part 2
Q: What version of Azure PowerShell is supported by Azure Disk Encryption?
A: Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version of Azure PowerShell. Azure Disk Encryption is NOT supported by Azure SDK version 1.1.0. If you are receiving an error related to using Azure PowerShell 1.1.0, please see the article Azure Disk Encryption Error Related to Azure PowerShell 1.1.0
Q: Where can I get more information on how to use ARM templates for configuring Azure disk encryption?
A: The ARM templates to configure Azure disk encryption for Windows and Linux IaaS VMs are located here
Q: Where can I go to ask questions or provide feedback?
A: You can ask questions or provide feedback on the Azure disk encryption forum here