Azure Disk Encryption for Windows Virtual Machines Reaches General Availability


Today we announce the general availability of Azure Disk Encryption for Windows IaaS VMs (Standard A, D and G series VMs) in all Azure public regions. Customers can now protect the OS and data disks of their IaaS VMs at rest using industry-standard encryption technology. General availability for Linux IaaS VMs will be coming soon.

Azure Disk Encryption is a new capability that lets you encrypt your Windows and Linux IaaS VM disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data. It also can help you meet organizational security and compliance commitments.

The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest in your Azure storage.

Encryption Scenarios

The Azure Disk Encryption solution supports the following customer encryption and decryption scenarios:

  1. Enable encryption on new IaaS VMs created from a pre-encrypted VHD and encryption keys
  2. Enable encryption on new IaaS VMs created from Azure Gallery images
  3. Enable encryption on existing IaaS VMs already running in Azure
  4. Disable encryption on Windows IaaS VMs

The solution supports the following for IaaS VMs when enabled in Microsoft Azure:

  1. Integration with Azure Key Vault
  2. Standard A, D and G series IaaS VMs
  3. Enable encryption on Windows and Linux IaaS VMs
  4. Disable encryption on Windows IaaS VMs
  5. Enable encryption on IaaS VMs running Windows Client OS
  6. Enable encryption on volumes with mount paths

The solution does not support the following scenarios, features and technology in the release:

  1. Basic VMs and Standard DS (Premium Storage) series IaaS VMs
  2. IaaS VMs created using classic VM creation method
  3. Enable OS disk encryption on Linux IaaS VMs already running in Azure
  4. Disable encryption on Linux IaaS VMs that were encrypted via Azure Disk Encryption
  5. Integration with your on-premises Key Management Service
  6. Windows Server Technical Preview 3 and above
  7. Azure Files (Azure file share), Network file system (NFS), Dynamic volumes, Software-based RAID systems

For more details on the scenarios supported, the user experiences enabled and the prerequisites for enabling Azure Disk Encryption, refer to the white paper located at https://gallery.technet.microsoft.com/Azure-Disk-Encryption-for-a0018eb0

Frequently Asked Questions with Answers

Q: In which regions is Azure Disk Encryption generally available?
A: Azure Disk Encryption for Windows IaaS VMs is generally available in all Azure public regions. General availability for Linux IaaS VMs will be coming soon; the Linux IaaS VM solution is still in public preview.

Q: What user experiences are available with Azure Disk Encryption?
A: Azure Disk Encryption GA supports Azure Resource Manager templates, Azure PowerShell and the Azure CLI, so you have three different options for enabling disk encryption on your IaaS VMs. More details on the user experience and step-by-step guidance are available in the Azure Disk Encryption whitepaper.

Q: How much does Azure Disk Encryption cost?
A: There is no charge for encrypting VM disks with Azure Disk Encryption.

Q: What virtual machine tiers can I use Azure Disk Encryption with?
A: Azure Disk Encryption is available only on Standard Tier virtual machines, including A, D, and G Series VMs. It is not available on Basic Tier VMs. DS Series (premium storage) VM support will be coming soon.

Q: How can I get started using Azure Disk Encryption?
A: Customers can learn how to get started by reading the Azure Disk Encryption whitepaper.

Q: Does Azure Disk Encryption integrate with Azure Key Vault?
A: Yes, Azure Disk Encryption uses Azure Key Vault as its encryption key store to safeguard secrets and keys in your Key Vault subscription. The Key Vault instance where the keys are stored must be in the same region as the encrypted VM.

Q: Does Azure Disk Encryption enable a “bring your own key” (BYOK) capability?
A: Yes, you can supply your own key encryption keys. Those keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more details on the key encryption key support scenarios, see the Azure Disk Encryption whitepaper.

Q: Can I use an Azure-created key encryption key?
A: Yes, you can use Azure Key Vault to generate a key encryption key for Azure Disk Encryption to use. Those keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more details on the key encryption key support scenarios, see the Azure Disk Encryption whitepaper.

Q: Can I encrypt both boot and data volumes with Azure Disk Encryption?
A: Yes, you can encrypt boot and data volumes for Windows IaaS VMs.

Q: What are the prerequisites to configure Azure Disk Encryption?
A: The Azure Disk Encryption prerequisite PowerShell script, which creates the AAD application, creates a new key vault or sets up an existing key vault, and enables encryption, is located here.
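The Key Vault, BYOK and prerequisite answers above describe one procedure: a vault enabled for disk encryption, an AAD application that is allowed to wrap keys and write secrets, a key encryption key (KEK) in the vault, and the same-region constraint between vault and VM. The following Azure PowerShell sequence is an added example of that procedure; it is not code from this announcement, the whitepaper or the prerequisite script. It assumes the AzureRM cmdlets of the period (Login-AzureRmAccount has already run), an existing AAD application whose client ID and secret you hold, and an existing Windows IaaS VM; every resource name and credential below is a placeholder.

```powershell
# Added example: connect an Azure Key Vault and a customer-managed KEK to
# Azure Disk Encryption for an existing Windows IaaS VM, then verify the result.
# Assumptions: AzureRM cmdlets, an already-created AAD application, and
# placeholder names/credentials throughout.

$rgName      = 'ade-example-rg'                 # placeholder resource group
$location    = 'westus'                         # placeholder region (vault and VM must match)
$vmName      = 'ade-example-vm'                 # placeholder Windows IaaS VM
$vaultName   = 'ade-example-kv'                 # placeholder vault name (must be globally unique)
$kekName     = 'ade-example-kek'                # placeholder key encryption key name
$aadClientId = '<aad-application-client-id>'    # placeholder
$aadSecret   = '<aad-application-client-secret>' # placeholder

# 1. Create the vault and flag it for disk encryption so the platform can read
#    the wrapped volume secret when the VM boots.
$vault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName `
    -Location $location -EnabledForDiskEncryption

# 2. Least privilege for the AAD application: the encryption extension only needs
#    to wrap the volume key with the KEK and write the wrapped secret. It gets no
#    rights to read secrets or to unwrap/decrypt with the KEK.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
    -ServicePrincipalName $aadClientId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set'

# 3. Bring-your-own-key: generate the KEK in the vault (use -Destination 'HSM' on a
#    Premium vault to keep it hardware-backed; an existing key could be imported instead).
$kek = Add-AzureKeyVaultKey -VaultName $vaultName -Name $kekName -Destination 'Software'

# 4. Enforce the same-region requirement stated in the FAQ before touching the VM.
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
if ($vm.Location -ne $vault.Location) {
    throw "Key vault is in '$($vault.Location)' but VM is in '$($vm.Location)'; they must share a region."
}

# 5. Enable encryption of OS and data volumes; the BitLocker volume key is wrapped
#    with the KEK and the wrapped secret is stored in the vault.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType 'All'

# 6. Verify: OS and data volumes should both report as encrypted, and the
#    encryption settings should reference the vault and KEK configured above.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings, ProgressMessage
```

Step 2 is the part worth keeping in mind when adapting this: the AAD application is the identity the extension uses inside the VM, so it should hold only WrapKey on keys and Set on secrets; granting it Get or Decrypt would let a compromised VM read back the secrets protecting other VMs in the same vault. Step 6 is also the check to re-run after any VM size change or disk attach, since newly attached data disks are not encrypted until the extension is invoked again.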

Q: Where can I get more information on how to use PowerShell for configuring Azure Disk Encryption?
A: We have some great articles on how you can perform basic Azure Disk Encryption tasks, as well as more advanced scenarios. For the basic tasks, check out Explore Azure Disk Encryption with Azure PowerShell. For more advanced scenarios, see Explore Azure Disk Encryption with Azure PowerShell – Part 2.

Q: What version of Azure PowerShell is supported by Azure Disk Encryption?
A: Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version of Azure PowerShell. Azure Disk Encryption is NOT supported by Azure SDK version 1.1.0. If you are receiving an error related to using Azure PowerShell 1.1.0, please see the article Azure Disk Encryption Error Related to Azure PowerShell 1.1.0.

Q: Where can I get more information on how to use ARM templates for configuring Azure Disk Encryption?
A: The ARM templates to configure Azure Disk Encryption for Windows IaaS VMs are located here.

Q: Where can I go to ask questions or provide feedback?
A: You can ask questions or provide feedback on the Azure Disk Encryption forum here.


Comments (8)

  1. Great work Devendra, and Azure Security Team. It’s been great working with you and using this since very early. This is very important for customers we are working with.

    1. Thanks! The entire team appreciates your kind words!

  2. Michael Clark says:

    When will this be available in North America? Highly anticipated!

    1. You can use it now in public preview. It won’t be too long for NA. Stay tuned to this blog and you’ll find out first!

    2. Michael – The blog is updated to announce the general availability of Azure disk encryption for Windows IaaS VMs across all Azure public regions including North America.

  3. ljliu@msn.com says:

    Any news on when Bitlocker will be available to the Premium storage VMs?

    1. Hi Lee –
      Let me check on that.
      Thanks! -Tom.

    2. Hi Lee,
      Yes, Azure disk encryption supports premium storage VMs for Windows IaaS VMs. The support is in preview currently. You can try out the premium storage support on your test or trial system and NOT on production workloads, given that the support is in preview. Hope this answers your question.

      Thanks, Devendra