Azure Disk Encryption White Paper Updated

Download the latest version of the Azure Disk Encryption Whitepaper


Please download the latest version of Azure PowerShell (currently 1.0.2) if you intend to use Azure Disk Encryption.

Azure Disk Encryption is a new Azure Virtual Machine feature that makes it possible for you to encrypt the disks of your Windows and Linux IaaS virtual machines. Azure Disk Encryption uses the BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for both the boot (OS) disk and the data disks.

The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your own Key Vault subscription, while making sure that all data on the virtual machine disks is encrypted at rest in your Azure storage.

Azure Disk Encryption for Azure Virtual Machines includes:

  • a disk encryption extension for Windows,
  • a disk encryption extension for Linux,
  • disk encryption PowerShell cmdlets,
  • disk encryption CLI commands, and
  • disk encryption Azure Resource Manager templates.

There is no charge for encrypting virtual machine disks with Azure Disk Encryption during the public preview. We also expect this to continue to be the case after Disk Encryption is generally available. However, pricing is subject to change based on market and competitive landscape.

The Azure Disk Encryption solution supports the following three customer encryption scenarios:

  1. Enable encryption on new IaaS VMs created from a customer-encrypted VHD and the customer's encryption keys
  2. Enable encryption on new IaaS VMs created from the Azure Gallery
  3. Enable encryption on existing IaaS VMs already running in Azure

When you enable and deploy Azure Disk Encryption for Azure IaaS VMs, the following capabilities are available, depending on the configuration provided:

  • Encryption of the OS volume to protect the boot volume at rest in customer storage
  • Encryption of data volumes to protect the data volumes at rest in customer storage
  • Safeguarding of the encryption keys and secrets in the customer's Azure Key Vault subscription
  • Reporting of the encryption status of the encrypted IaaS VM
  • Removal of the disk encryption configuration settings from the IaaS virtual machine
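The capabilities above map directly onto the PowerShell cmdlets that ship with Azure Disk Encryption. The following script is an added example, not from the white paper or the product documentation, that walks scenario 3 (an existing, running Windows IaaS VM) end to end: it creates the Key Vault that holds the keys and secrets, grants the platform and the AAD application the access they need, enables encryption of the OS and data volumes, reports the encryption status, and shows the call that removes the encryption configuration. It assumes the AzureRM cmdlets in Azure PowerShell 1.0.x; the resource group, VM, vault and key names and the AAD application ID are placeholders you must replace.

```powershell
# Added example (not from the white paper): enable Azure Disk Encryption on an
# existing Windows IaaS VM, report its status, and (optionally) remove it.
# Assumes Azure PowerShell 1.0.x (AzureRM modules) and an Azure AD application
# that the extension uses to write the volume encryption secret to Key Vault.

# --- Placeholders (assumed values): replace with your own ---
$rgName       = 'ContosoRG'          # resource group holding both the VM and the vault
$vmName       = 'contoso-vm01'       # existing, running IaaS VM (scenario 3)
$location     = 'westus'
$kvName       = 'contoso-ade-kv'     # Key Vault name; must be globally unique
$kekName      = 'ade-kek'            # key encryption key that wraps the volume secret
$aadClientID  = '00000000-0000-0000-0000-000000000000'  # AAD application (client) ID

# Prompt for the AAD client secret rather than hard-coding it in the script.
# The extension cmdlet takes it as plain text, so convert only for that call.
$secureSecret = Read-Host -Prompt 'AAD client secret' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureSecret)
$aadClientSecret = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

Login-AzureRmAccount

# 1. Key Vault that will safeguard the disk encryption keys and secrets.
$kv = New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location

# The Azure platform must be able to read the volume secret from the vault when
# the VM boots, and the AAD application must be able to write it (and wrap it).
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName -EnabledForDiskEncryption
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName `
    -ServicePrincipalName $aadClientID -PermissionsToKeys 'wrapKey' -PermissionsToSecrets 'set'

# Key encryption key (KEK): the BitLocker/dm-crypt volume secret stored in the
# vault is wrapped with this key instead of being stored unwrapped.
$kek = Add-AzureKeyVaultKey -VaultName $kvName -Name $kekName -Destination 'Software'

# 2. Encrypt the OS volume and the data volumes (-VolumeType All).
#    The extension reboots the VM, so run this in a maintenance window.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All

# Drop the plain-text secret from the session once the call has been made.
Remove-Variable aadClientSecret

# 3. Report encryption status. Once the extension finishes, OsVolumeEncrypted
#    and DataVolumesEncrypted should both read Encrypted.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
$status | Format-List

# 4. Removing the disk encryption configuration decrypts the volumes again.
#    Left commented out: run it only when you intend to turn encryption off.
# Disable-AzureRmVMDiskEncryption -ResourceGroupName $rgName -VMName $vmName -VolumeType All
```

The KEK step is optional in the product, but it is the form a practitioner should prefer: without it the volume secret sits in the vault as a plain secret, whereas with it the secret is wrapped by a key that can live in an HSM-backed vault (-Destination 'HSM' on a Premium vault). Check the status output before relying on the VM being protected; the extension returns before encryption of large data volumes has finished.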

Learn more about what Azure Disk Encryption is, what it does, prerequisites and how to configure it by reading the Azure Disk Encryption White Paper.


Tom Shinder
Program Manager, Azure Security
@tshinder
