Disk Encryption Set and Key Vault Auto Rotation

Robos 20 Reputation points

Hey all, I have quite a huge problem. I'm creating a key in Key Vault and later I'm using it to create a DES; later this DES is being used during VM creation. It was fine until I added a key rotation policy for Key Vault. Now, after expiration of a key, the VM cannot be deployed because the DES tries to access the expired KV key. How to tackle this problem?


1 answer

  1. Vinod Kumar Reddy Chilupuri 4,190 Reputation points Microsoft External Staff Moderator

    Hi Robos,

    Azure Disk Encryption (ADE) does not support key auto-rotation. When a key in Azure Key Vault is rotated, ADE continues to use the original key. If this key expires or is disabled, ADE cannot access it, causing VM deployment to fail.

    When using Azure Disk Encryption (ADE) with a key vault: although Azure Key Vault now has key auto-rotation, it isn't currently compatible with Azure Disk Encryption. Specifically, Azure Disk Encryption will continue to use the original encryption key, even after it has been auto-rotated. When a key is rotated in the key vault, Azure Disk Encryption will continue to use the original encryption key, even after the key has been auto-rotated. This means that if the original key is disabled or expired, Azure Disk Encryption will fail to access it, causing issues during VM deployment.

    To address this problem, you should ensure that the original encryption key remains enabled and accessible for Azure Disk Encryption. If you want to use key rotation, you will need to manage the lifecycle of the keys carefully and ensure that the old key is not disabled until you are certain that all resources dependent on it have been updated to use the new key.

    https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault?tabs=azure-portal#azure-disk-encryption-and-auto-rotation
    https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#automatic-key-rotation-of-customer-managed-keys

    This should help prevent issues during VM deployment and ensure your encryption keys are managed effectively.

    Hope the above suggestion helps! Please let us know if you have any further queries.

    Please do consider clicking “Accept the answer” wherever the information provided helps you; this can be beneficial to other community members.
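    An added check, not part of the original thread, for the condition the answer above describes: given the versioned key URL a DES is pinned to and the vault's key versions, it flags a pinned version that is disabled, expired, or superseded by a rotated version. The sample data is constructed in the shape of `az disk-encryption-set show` (activeKey.keyUrl) and `az keyvault key list-versions` output; those field names are assumptions to verify against your own CLI output.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample data. Field names are assumed to follow
# `az disk-encryption-set show` (activeKey.keyUrl) and
# `az keyvault key list-versions` (kid, attributes.enabled/expires/created).
DES_ACTIVE_KEY_URL = "https://contoso-kv.vault.azure.net/keys/des-key/v1aaaa"
KEY_VERSIONS = json.loads("""[
  {"kid": "https://contoso-kv.vault.azure.net/keys/des-key/v1aaaa",
   "attributes": {"enabled": true, "created": "2024-01-01T00:00:00+00:00",
                  "expires": "2025-01-01T00:00:00+00:00"}},
  {"kid": "https://contoso-kv.vault.azure.net/keys/des-key/v2bbbb",
   "attributes": {"enabled": true, "created": "2024-12-01T00:00:00+00:00",
                  "expires": "2025-12-01T00:00:00+00:00"}}
]""")


def parse_key_url(url):
    """Split a Key Vault key identifier into (vault host, key name, version)."""
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "keys":
        raise ValueError(f"not a versioned Key Vault key URL: {url}")
    return parsed.netloc, parts[1], parts[2]


def _ts(value):
    """Parse an ISO-8601 timestamp (accepts a trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_des_key(active_key_url, versions, now=None):
    """Return findings about the key version a DES is pinned to; empty list = healthy."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    parse_key_url(active_key_url)  # fail fast if the DES URL is not version-pinned
    pinned = next((v for v in versions if v["kid"] == active_key_url), None)
    if pinned is None:
        return ["pinned key version not found in the vault"]
    findings = []
    attrs = pinned["attributes"]
    if not attrs.get("enabled", False):
        findings.append("pinned key version is disabled")
    if attrs.get("expires") and _ts(attrs["expires"]) <= now:
        findings.append(f"pinned key version expired at {attrs['expires']}")
    newest = max(versions, key=lambda v: _ts(v["attributes"]["created"]))
    if newest["kid"] != active_key_url:
        findings.append("rotation created a newer version; DES still pins the old one")
    return findings
```

    Run it on a schedule before the pinned version's expiry date and treat any finding as a signal to update the DES key URL (or extend the old version's lifetime) before the next VM deployment.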

    1. Vinod Kumar Reddy Chilupuri 4,190 Reputation points Microsoft External Staff Moderator

      Hi Robos,
      Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for "was this answer helpful"; this can be beneficial to other community members. And, if you have any further query, do let us know.

