In this blog post, Devendra Tiwari, Principal Program Manager in the Azure Security Engineering team, lets you know about a great new security capability in Microsoft Azure.
Today we are announcing public preview availability of Azure Disk Encryption for Windows and Linux IaaS VMs!
Azure Disk Encryption is a new capability that lets you encrypt your Windows and Linux IaaS VM disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data. It also can help you meet organizational security and compliance commitments.
The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your Key Vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage.
The Azure Disk Encryption solution supports the following three customer encryption scenarios:
- Encryption of new IaaS VMs created from Customer Encrypted VHD and encryption keys
- Encryption of new IaaS VMs created from the Azure Gallery
- Encryption of existing IaaS VMs already running in Azure
In the Public Preview release, the Azure Disk Encryption solution supports the following for IaaS VMs when enabled in Microsoft Azure:
- Integration with Azure Key Vault
- Standard A, D and G series IaaS VMs
- Encryption of IaaS VMs created using the Azure Resource Manager model
- All Azure public regions
We are excited to have this very important feature available for public preview. The Azure Disk Encryption whitepaper provides detailed guidance on how to use the Azure Disk Encryption features, including key scenarios and the user experiences.
For a quick-start experience on how to use PowerShell to configure Azure Disk Encryption, check out Explore Azure Disk Encryption with Azure PowerShell and Explore Azure Disk Encryption with Azure PowerShell – Part 2.
Please use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version, Azure PowerShell 1.2.1. Azure Disk Encryption is NOT supported by Azure SDK version 1.1.0. If you are receiving an error related to using Azure PowerShell 1.1.0, please see the article Azure Disk Encryption Error Related to Azure PowerShell 1.1.0.
Your input is very important to us and we use it to evolve the service so that it gives you the features and capabilities you need. Please provide feedback and questions by visiting the Azure Disk Encryption MSDN forum.
If you don’t have an Azure subscription yet, it’s easy to get an Azure free trial so that you can test Azure Disk Encryption.
Give Azure Disk Encryption a try and let us know what you think!
Frequently Asked Questions with Answers
Q: What user experiences are available with Azure Disk Encryption?
A: The Azure Disk Encryption public preview supports Azure Resource Manager templates, Azure PowerShell, and the Azure CLI. This gives you a lot of flexibility, since you have three different options for enabling disk encryption for your IaaS VMs. More details on the user experience and step-by-step guidance are available in the Azure Disk Encryption whitepaper.
Q: How much does Azure Disk Encryption cost?
A: There is no charge for encrypting VM disks with Azure Disk Encryption during the public preview. We expect this to continue to be the case after Disk Encryption is generally available. However, pricing is subject to change based on market and competitive landscape.
Q: What virtual machine tiers can I use Azure Disk Encryption with?
A: Azure Disk Encryption is available only on Standard Tier virtual machines, including A, D, and G Series VMs. It is not available on Basic Tier VMs. DS Series (premium storage) VM support will be available after the public preview.
Q: How can I get started using Azure Disk Encryption?
A: Customers can learn how to get started by reading the Azure Disk Encryption whitepaper.
Q: Does Azure Disk Encryption integrate with Azure Key Vault?
A: Yes, Azure Disk Encryption uses Azure Key Vault as its encryption key store to safeguard secrets and keys in your Key Vault subscription.
Q: Does Azure Disk Encryption enable a "bring your own key" (BYOK) capability?
A: Yes, you can supply your own key encryption keys. Those keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more details on the key encryption key support scenarios, see the Azure Disk Encryption whitepaper.
Q: Can I encrypt both boot and data volumes with Azure Disk Encryption?
A: Yes, you can!
Q: What Azure regions is Azure Disk Encryption available in?
A: Azure Disk Encryption is available in all public Azure regions. The Key Vault instance where the keys are stored must be in the same region as the encrypted VM.
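As an added example (not from this post or the linked whitepaper), the following Azure PowerShell script ties together the Key Vault integration, the bring-your-own-key-encryption-key scenario and the same-region requirement stated in the answers above: it checks that the vault and the VM share a region before enabling encryption, then verifies the encryption status. Resource names, the key name and the AAD client ID and secret are placeholders; the cmdlets are those of the AzureRM 1.x modules as the author of this example understands them, and the AAD application used by the extension is an assumed prerequisite not described on this page.

```powershell
# Added example (not from the blog post): check the same-region rule for the
# Key Vault and the VM, enable Azure Disk Encryption with a customer-held
# key encryption key (KEK) in that vault, then verify the result.
# All names, IDs and secrets below are placeholders.
$rg              = "my-resource-group"                     # placeholder
$vmName          = "my-iaas-vm"                            # placeholder
$kvName          = "my-ade-keyvault"                       # placeholder
$kekName         = "my-ade-kek"                            # placeholder
$aadClientId     = "00000000-0000-0000-0000-000000000000"  # placeholder AAD app id (assumed prerequisite)
$aadClientSecret = "<aad-client-secret>"                   # placeholder; never store real secrets in scripts

$vm = Get-AzureRmVM -ResourceGroupName $rg -Name $vmName
$kv = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rg

# Normalize region strings ("West US" vs "westus") before comparing.
function Normalize-Region([string]$region) {
    return ($region -replace '\s', '').ToLowerInvariant()
}

# The post states the vault holding the keys must be in the same region as the VM;
# fail early instead of letting the extension fail later.
if ((Normalize-Region $vm.Location) -ne (Normalize-Region $kv.Location)) {
    throw "Key Vault '$kvName' is in '$($kv.Location)' but VM '$vmName' is in '$($vm.Location)'; they must match."
}

# Let the Azure platform read the disk-encryption secrets stored in this vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption

# Bring your own key: create a software-protected KEK in the vault (use -Destination HSM
# on a Premium vault if the key must be HSM-backed). The volume encryption secret
# written by the extension is wrapped with this KEK.
$kek = Add-AzureKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software

# Enable encryption of both the OS and data volumes.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Verify: once the extension finishes, both volume types should report as encrypted.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted
```

The region check is the part worth keeping even if you enable encryption from a template or the CLI instead: placing the vault in the wrong region is a configuration error that surfaces only when the extension runs, so catching it up front in the same script that creates the KEK keeps the key material and the VM it protects deliberately co-located.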
Q: Where can I get more information on how to use PowerShell for configuring Azure Disk Encryption?
A: We have some great articles on how you can perform basic Azure Disk Encryption tasks, as well as more advanced scenarios. For the basic tasks, check out Explore Azure Disk Encryption with Azure PowerShell. For more advanced scenarios, see Explore Azure Disk Encryption with Azure PowerShell – Part 2.
Q: What version of Azure PowerShell is supported by Azure Disk Encryption?
A: Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version, Azure PowerShell 1.2.1. Azure Disk Encryption is NOT supported by Azure SDK version 1.1.0.
Principal Program Manager, Azure Security Engineering