Encrypt disks with customer-managed keys in an Azure extended zone

In this article, you learn how to encrypt Azure managed disks with customer-managed keys (CMKs) for virtual machines (VMs) deployed in an Azure extended zone.

The process uses Azure Key Vault and a disk encryption set (DES).

Note

You can create a key vault and a DES by using either the Azure portal or the Azure CLI. Assigning a DES to disks for Azure Extended Zones workloads is currently supported only via the Azure CLI.

Prerequisites

High-level architecture context

When you use CMKs with Azure Extended Zones resources:

  • Control plane operations (Azure Resource Manager, Key Vault metadata, and DES) run in the parent Azure region.
  • Data plane resources (VMs and disks) run in the extended zone location.
  • Disk encryption is enforced at the managed disk level (data plane) by using a DES.

Create a key vault, encryption key, and DES in an Azure extended zone's parent region

In this section, you create a key vault, an encryption key, and a DES in the parent region of an extended zone.

For this example, you can use either the Azure portal or the Azure CLI to create the key vault, the key, and the DES. Disk creation and encryption work only via the Azure CLI.

Create a key vault and an encryption key

To encrypt resources in an Azure extended zone, you must first create an Azure key vault and an RSA key in the parent Azure region associated with your extended zone. You can do this task by using the Azure portal, the Azure CLI, or Azure PowerShell. When you create the key vault, ensure that the following conditions are met:

  • All the resources belong to the same resource group.
  • Azure role-based access control is enabled.
  • Purge protection is enabled.
  • An RSA key (2048-bit or later) is created or imported.

Create a disk encryption set

Next, create a DES that references the Key Vault key. The DES must:

  • Be created in the same parent region as the key vault.
  • Use a system-assigned managed identity.

Grant the DES access to the Key Vault key by assigning it the Key Vault Crypto Service Encryption User role.

Deploy a virtual machine in an Azure extended zone

When you deploy a VM in an Azure extended zone, you must specify:

  • --location: The parent Azure region.
  • --edge-zone: The extended zone name.

The following example creates a Windows Server 2022 VM in the Los Angeles extended zone by using West US as the parent region.

az vm create --resource-group 'myResourceGroup' --name 'myVM' --image Win2022Datacenter --size Standard_DS4_v2 --admin-username 'username' --admin-password 'password' --edge-zone losangeles --location westus 

Create an encrypted managed disk by using a DES (CLI only)

After you create the VM, create a managed disk encrypted with your DES. This step explicitly applies CMKs to the disk.

az disk create --resource-group 'myResourceGroup' --name 'myDisk' --edge-zone losangeles --location westus --size 64 --sku Premium_LRS --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set DES_ID

Verify disk encryption

Use the following command to confirm that the disk is encrypted with a CMK and associated with the correct DES:

az disk show -g 'myResourceGroup' -n 'myDisk' --query "{encryptionType:encryption.type, desId:encryption.diskEncryptionSetId}" -o json

Attach the encrypted disk to the VM

After verification, attach the encrypted disk to the VM by using the following command:

az vm disk attach --resource-group 'myResourceGroup' --vm-name 'myVM' --name 'myDisk'
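The whole procedure above, from the key vault through the disk attach, gathered into one script as an added example; it is not from the original article or from Microsoft. The key vault, key, and DES names, the `ADMIN_PASSWORD` environment variable, the `--mi-system-assigned` flag used for the DES identity, and the `check_disk_encryption` helper are assumptions introduced here; the region, extended zone, resource group, VM, and disk names are the article's. The helper parses the output of the `az disk show` query from the Verify step and fails unless the disk reports `EncryptionAtRestWithCustomerKey` together with the expected DES id, so a disk that was created with a platform-managed key or the wrong DES is caught before it is attached to the VM.

```shell
#!/bin/sh
# Added example, not from the original article: the CMK procedure end to end.
# Control-plane objects (key vault, key, DES) live in the parent region; the VM
# and the disk live in the extended zone. Run the Azure steps with:
#   ADMIN_PASSWORD='<strong password>' sh cmk-extended-zone.sh --run
set -eu

RG='myResourceGroup'
LOCATION='westus'              # parent region (control plane)
EDGE_ZONE='losangeles'         # extended zone (data plane)
KV_NAME='kv-cmk-extzone-demo'  # assumed name; key vault names are globally unique
KEY_NAME='diskKey'             # assumed name
DES_NAME='desExtZone'          # assumed name
VM_NAME='myVM'
DISK_NAME='myDisk'

# Step 1: key vault in the parent region with RBAC and purge protection enabled,
# plus a 2048-bit RSA key. Purge protection keeps a deleted key recoverable, so
# disks encrypted with it cannot be made permanently unreadable by one delete.
create_key_material() {
  az keyvault create --resource-group "$RG" --name "$KV_NAME" \
    --location "$LOCATION" --enable-rbac-authorization true \
    --enable-purge-protection true
  az keyvault key create --vault-name "$KV_NAME" --name "$KEY_NAME" \
    --protection software --kty RSA --size 2048
}

# Step 2: DES in the same parent region with a system-assigned identity, then
# grant that identity Key Vault Crypto Service Encryption User on the vault.
create_des() {
  key_url=$(az keyvault key show --vault-name "$KV_NAME" --name "$KEY_NAME" \
    --query key.kid -o tsv)
  az disk-encryption-set create --resource-group "$RG" --name "$DES_NAME" \
    --location "$LOCATION" --source-vault "$KV_NAME" --key-url "$key_url" \
    --mi-system-assigned
  des_principal=$(az disk-encryption-set show -g "$RG" -n "$DES_NAME" \
    --query identity.principalId -o tsv)
  kv_id=$(az keyvault show -g "$RG" -n "$KV_NAME" --query id -o tsv)
  az role assignment create --assignee-object-id "$des_principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$kv_id"
}

# Offline check on the JSON emitted by the "Verify disk encryption" query.
# Succeeds only if the disk reports a customer key AND the expected DES id.
# Uses sed/tr only (no jq); ARM resource ids are compared case-insensitively.
check_disk_encryption() {
  expected_des="$1"
  json="$2"
  enc_type=$(printf '%s\n' "$json" | sed -n 's/.*"encryptionType": *"\([^"]*\)".*/\1/p')
  des_id=$(printf '%s\n' "$json" | sed -n 's/.*"desId": *"\([^"]*\)".*/\1/p')
  [ "$enc_type" = "EncryptionAtRestWithCustomerKey" ] || return 1
  lc_actual=$(printf '%s' "$des_id" | tr '[:upper:]' '[:lower:]')
  lc_expected=$(printf '%s' "$expected_des" | tr '[:upper:]' '[:lower:]')
  [ -n "$lc_actual" ] && [ "$lc_actual" = "$lc_expected" ]
}

# Step 3: VM and CMK-encrypted disk in the extended zone (--edge-zone) under the
# parent region (--location); verify the disk before attaching it.
create_vm_and_disk() {
  admin_password="${ADMIN_PASSWORD:?set ADMIN_PASSWORD to a strong password}"
  des_id=$(az disk-encryption-set show -g "$RG" -n "$DES_NAME" --query id -o tsv)
  az vm create --resource-group "$RG" --name "$VM_NAME" --image Win2022Datacenter \
    --size Standard_DS4_v2 --admin-username 'azureadmin' \
    --admin-password "$admin_password" --edge-zone "$EDGE_ZONE" --location "$LOCATION"
  az disk create --resource-group "$RG" --name "$DISK_NAME" --edge-zone "$EDGE_ZONE" \
    --location "$LOCATION" --size 64 --sku Premium_LRS \
    --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set "$des_id"
  actual=$(az disk show -g "$RG" -n "$DISK_NAME" \
    --query "{encryptionType:encryption.type, desId:encryption.diskEncryptionSetId}" -o json)
  check_disk_encryption "$des_id" "$actual" || {
    echo "disk $DISK_NAME is not encrypted with DES $des_id; not attaching" >&2
    return 1
  }
  az vm disk attach --resource-group "$RG" --vm-name "$VM_NAME" --name "$DISK_NAME"
}

# Only touch Azure when explicitly asked, so the file can be sourced for its checks.
if [ "${1:-}" = "--run" ]; then
  create_key_material
  create_des
  create_vm_and_disk
fi
```

The role assignment in step 2 can take a minute to propagate; if `az disk create` reports that the DES cannot access the key, retry the disk step rather than the DES step.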

Clean up resources

If you're finished working with resources from this tutorial, follow these instructions to delete the resource group and all the resources that it contains:

az group delete --name 'myResourceGroup' --yes --no-wait
