
Azure Encryption at Host for Virtual Machine Scale Sets lets you encrypt the disks of your virtual machine scale sets at the host level.
Encryption happens on the VM host before the data is written to the disk, adding a layer of protection for your sensitive data.
With Azure Encryption at Host, your data stays protected from unauthorized access even if a physical disk is removed from the host.
Encrypting your virtual machine scale sets this way helps keep your data secure and compliant with regulatory requirements.
Prerequisites
You must enable the feature for your subscription before you can use encryption at host for either your VM or Virtual Machine Scale Set.
The feature is registered once, at the subscription level, before any VM or Virtual Machine Scale Set that uses it is created.
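The following is an added example of that subscription-level registration with Azure PowerShell; it is not code from the original article. It assumes the Az module is installed, that you have already run Connect-AzAccount, and that the subscription id placeholder is replaced with your own:

```powershell
# Added example, not part of the original article.
# Registers the EncryptionAtHost feature on the selected subscription and waits
# for the registration to finish. Assumes Az.Accounts and Az.Resources are
# installed and Connect-AzAccount has already been run.

# Placeholder subscription id; replace before running.
Set-AzContext -Subscription '<subscription-id>' | Out-Null

$featureName = 'EncryptionAtHost'
$namespace   = 'Microsoft.Compute'

# Registration is asynchronous; the request returns immediately.
Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace | Out-Null

# Poll until the state is 'Registered' (this usually takes a few minutes).
do {
    Start-Sleep -Seconds 20
    $state = (Get-AzProviderFeature -FeatureName $featureName `
                                    -ProviderNamespace $namespace).RegistrationState
    Write-Host "EncryptionAtHost registration state: $state"
} while ($state -ne 'Registered')

# Re-register the resource provider so the newly enabled feature propagates.
Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null
Write-Host 'EncryptionAtHost is enabled for this subscription.'
```

Run this once per subscription; a VM or scale set created with encryptionAtHost set to true before the state reaches Registered is rejected by the platform.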
Azure Key Vault
Azure Key Vault is a secure way to store and manage encryption keys. It provides a centralized location for storing and managing keys, making it easier to control access and manage keys.
You can use Azure Key Vault to store both platform-managed and customer-managed keys. Platform-managed keys are used by default, while customer-managed keys offer greater flexibility in managing access controls.
Azure Key Vault must be created in the same region as your disk encryption set, and purge protection must be enabled when the Key Vault is used for encrypting managed disks. Purge protection ensures that deleted keys cannot be permanently removed until the retention period lapses.
Those two settings, the same region as the disk encryption set and purge protection enabled, are the required settings when creating an Azure Key Vault for encrypting managed disks.
Note that Azure Key Vault can also be used to manage keys across different subscriptions, making it easier to enforce and manage a robust security policy centrally.
Accessing a Key Vault Across Subscriptions
You can manage your Azure Key Vaults centrally from a single subscription, and use the keys stored in the Key Vault to encrypt managed disks and snapshots in other subscriptions in your organization.
This allows your security team to enforce and manage a robust security policy from a single subscription, by using a key vault that lives in a different subscription from the disks it protects.
To configure a disk encryption set to use a key from a Key Vault in a different subscription but the same region, you reference that vault's resource ID and key URL when creating the disk encryption set, and then grant the disk encryption set's identity access to the vault.
Creating the Azure Key Vault is the first step in setting up customer-managed keys for your disks: the disk encryption set references the vault, so the Key Vault must be created and configured before the disk encryption set.
Platform-Managed Keys
Platform-managed keys are the default and most convenient option for encryption in Azure: managed disks use them automatically to encrypt data at rest, with no additional configuration required.
All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted at rest with platform-managed keys.
This means you don't need to worry about managing keys or configuring encryption settings, as Azure takes care of it for you.
Here are some benefits of using platform-managed keys:
- Easy to use: Platform-managed keys require no additional configuration or management.
- Automatic encryption: Data is automatically encrypted at rest, ensuring your data is secure.
- No key management: You don't need to worry about managing keys or configuring encryption settings.
Platform-managed keys are a great option for those who want a simple and convenient encryption solution in Azure.
Key Management
Key Management is a crucial aspect of Azure Encryption at Host. In Azure, you can use two types of managed keys to encrypt and decrypt information: platform-managed keys and customer-managed keys.
Platform-managed keys are used by default for managed disks, and all managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted at rest with these keys.
Customer-managed keys offer greater flexibility to manage access controls, but you need to create an Azure Key Vault and a DiskEncryptionSet to use them.
To create a DiskEncryptionSet with PowerShell, you need the latest Azure PowerShell (Az) module installed and to be signed in to an Azure account.
Here's a list of the steps to create an Azure Key Vault and a DiskEncryptionSet:
- Create an instance of Azure Key Vault and encryption key. You must enable purge protection to prevent accidental deletion of keys.
- Create an instance of a DiskEncryptionSet. You can enable automatic rotation of the key, but it's not enabled by default.
- Grant the DiskEncryptionSet resource access to the key vault.
Note that both your Key Vault and your disk encryption set must be in the same region and be using the same tenant.
Customer-Managed VM Scale Set
To create a customer-managed VM Scale Set, enable encryption at host using API version 2020-06-01 or later.
This is done by setting the encryptionAtHost property under securityProfile of the VM or Virtual Machine Scale Set to true.
You can create a Virtual Machine Scale Set with managed disks using the resource URI of the DiskEncryptionSet created earlier. This will encrypt the cache of OS and data disks with customer-managed keys. The temp disks, however, will be encrypted with platform-managed keys.
Virtual Machine Scale Set with Managed Keys
To create a Virtual Machine Scale Set with platform-managed keys, enable encryption at host without specifying a DiskEncryptionSet. This is a straightforward process that takes just a few steps.
With encryption at host enabled and no customer-managed key, the cache of OS and data disks and the temp disks are all encrypted with platform-managed keys.
With platform-managed keys you don't need to set up an Azure Key Vault and DiskEncryptionSet, as you would with customer-managed keys. This is the key operational difference between the two types of key management.
If you're using customer-managed keys, you'll need to create an Azure Key Vault and DiskEncryptionSet as described under Key Management: create a Key Vault instance with purge protection enabled, create a DiskEncryptionSet instance, and grant it access to the Key Vault.

Here's a summary of the key differences between platform-managed and customer-managed keys:
- Setup: platform-managed keys need no configuration; customer-managed keys require an Azure Key Vault (with purge protection enabled) and a DiskEncryptionSet in the same region and tenant.
- Control: platform-managed keys are handled entirely by Azure; customer-managed keys give you control over key access, with optional automatic key rotation.
- Coverage with encryption at host: platform-managed keys encrypt the OS/data disk caches and the temp disks; customer-managed keys encrypt the OS/data disk caches, while the temp disks remain on platform-managed keys.
By choosing the right key management type for your Virtual Machine Scale Set, you can ensure that your data is secure and protected.
Finding Supported Sizes
To find the VM sizes that support encryption at host, call the Resource SKUs API and check that the EncryptionAtHostSupported capability is set to True.
You can also use the Get-AzComputeResourceSku PowerShell cmdlet, which returns the same capability data.
Legacy VM sizes aren't supported, so use only sizes that report the capability to avoid deployment failures.
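As an added example (not from the original article), here is the Get-AzComputeResourceSku check wrapped in two helper functions, one that lists the supported sizes for a region and one that tests a single size so a deployment script can fail early. The function names, the region and the size are my own placeholders; it assumes Az.Compute is installed and you are signed in:

```powershell
# Added example, not part of the original article.
# Lists VM sizes in a region whose SKU capabilities report
# EncryptionAtHostSupported = True, skipping sizes the subscription is
# restricted from using. Assumes Az.Compute is installed and you are signed in.

function Get-EncryptionAtHostVmSize {
    param(
        [Parameter(Mandatory)] [string] $Location
    )

    Get-AzComputeResourceSku |
        Where-Object {
            $_.ResourceType -eq 'virtualMachines' -and
            $_.Locations -contains $Location -and
            $_.Restrictions.Count -eq 0          # drop sizes restricted for this subscription
        } |
        Where-Object {
            # Capabilities is a list of Name/Value pairs on each SKU.
            $null -ne ($_.Capabilities | Where-Object {
                $_.Name -eq 'EncryptionAtHostSupported' -and $_.Value -eq 'True'
            })
        } |
        Select-Object -ExpandProperty Name |
        Sort-Object -Unique
}

# Returns $true when a specific size supports encryption at host in that region,
# so a deployment script can stop before it tries to create the scale set.
function Test-EncryptionAtHostVmSize {
    param(
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $VmSize
    )
    $supported = Get-EncryptionAtHostVmSize -Location $Location
    return ($supported -contains $VmSize)
}

# Usage (region name and size are placeholders):
Get-EncryptionAtHostVmSize -Location 'eastus' | Select-Object -First 20
Test-EncryptionAtHostVmSize -Location 'eastus' -VmSize 'Standard_D2s_v3'
```

The Restrictions filter matters in practice: a size can advertise the capability and still be unavailable to your subscription in that region, and the deployment would fail either way.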
Azure Disk
Azure Disk is a crucial component of Azure encryption at host, providing volume encryption for OS and data disks of virtual machines (VMs). Azure Disk Encryption uses BitLocker for Windows and DM-Crypt for Linux to protect data.
Azure Disk Encryption is supported on both Generation 1 and Generation 2 VMs. It's also available for VMs with premium storage.
Azure Disk Encryption is integrated with Azure Key Vault to help manage disk encryption keys and secrets. This integration ensures that your data is secure and compliant with organizational security and compliance commitments.
To use customer-managed keys with Azure Disk Encryption, you need to create an Azure Key Vault and a DiskEncryptionSet. This requires installing the latest Azure PowerShell version and signing in to an Azure account.
You must also enable purge protection when creating the Key Vault instance. This setting ensures that deleted keys cannot be permanently deleted until the retention period lapses.
Here are the steps to create an Azure Key Vault and DiskEncryptionSet:
1. Create an instance of Azure Key Vault with purge protection enabled.
2. Create an encryption key in the Key Vault.
3. Create an instance of a DiskEncryptionSet, specifying the Key Vault and encryption key.
4. Grant the DiskEncryptionSet resource access to the Key Vault.
Note: Both the Key Vault and DiskEncryptionSet must be in the same region and use the same tenant.
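The four steps above, and the earlier Key Management and cross-subscription sections, describe the same procedure; here it is carried through once in Azure PowerShell as an added example that is not the article's own code. The vault is placed in a separate (security team) subscription and the disk encryption set in the workload subscription, which is the cross-subscription layout described earlier; set both subscription ids to the same value for the single-subscription case. All resource names, subscription ids and the region are placeholders, and it assumes Az.KeyVault and Az.Compute are installed, you are signed in, and both resource groups exist:

```powershell
# Added example, not part of the original article.
# Creates the Key Vault, key and DiskEncryptionSet needed for customer-managed
# keys, in the order the article describes, and grants the set's identity access
# to the vault. The vault may live in a different subscription from the disk
# encryption set, as long as both are in the same region and tenant.
# Assumes Az.KeyVault and Az.Compute are installed and you are signed in.
# All names and ids below are placeholders.

$location          = 'eastus'
$vaultSubscription = '<security-team-subscription-id>'   # where the Key Vault lives
$vaultRg           = 'rg-security-keys'
$vaultName         = 'kv-disk-keys-example'
$keyName           = 'vmss-disk-key'

$desSubscription   = '<workload-subscription-id>'        # where the disks live
$desRg             = 'rg-vmss-encrypted'
$desName           = 'des-vmss'

# 1. Key Vault with purge protection (mandatory for disk encryption).
#    Purge protection must be enabled explicitly and cannot be turned off later,
#    so a deleted key stays recoverable until the retention period lapses.
Set-AzContext -Subscription $vaultSubscription | Out-Null
$keyVault = New-AzKeyVault -Name $vaultName -ResourceGroupName $vaultRg `
                           -Location $location -EnablePurgeProtection

# 2. Encryption key inside the vault.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination 'Software'

# 3. DiskEncryptionSet in the workload subscription, referencing the vault by
#    resource id and the key by URL. Automatic rotation is off by default;
#    RotationToLatestKeyVersionEnabled turns it on.
Set-AzContext -Subscription $desSubscription | Out-Null
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
                 -SourceVaultId $keyVault.ResourceId `
                 -KeyUrl $key.Key.Kid `
                 -IdentityType 'SystemAssigned' `
                 -RotationToLatestKeyVersionEnabled $true
$des = New-AzDiskEncryptionSet -ResourceGroupName $desRg -Name $desName -InputObject $desConfig

# 4. Grant the set's managed identity only the key permissions it needs.
#    The access policy lives on the vault, so switch back to its subscription.
Set-AzContext -Subscription $vaultSubscription | Out-Null
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $des.Identity.PrincipalId `
                           -PermissionsToKeys wrapkey,unwrapkey,get

# For a vault that uses Azure RBAC instead of access policies, assign the
# built-in 'Key Vault Crypto Service Encryption User' role on the vault instead:
# New-AzRoleAssignment -ObjectId $des.Identity.PrincipalId `
#     -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
#     -Scope $keyVault.ResourceId

Write-Host "DiskEncryptionSet id: $($des.Id)"
```

The identity is granted wrapkey, unwrapkey and get only; it never needs create, delete or purge rights on the vault, which keeps a compromised workload subscription from altering the keys the security team owns.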
Encryption at host can be enabled for disks attached to VMs and Virtual Machine Scale Sets by setting the encryptionAtHost property under the securityProfile of the VM or Virtual Machine Scale Set to true. This requires API version 2020-06-01 or later.
You can create a Virtual Machine Scale Set with encryption at host enabled using platform-managed keys. This will encrypt the cache of OS and data disks, as well as temp disks.
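The scale-set creation described here and in the Customer-Managed VM Scale Set section, as one added Azure PowerShell example that is not the article's own code. It covers both cases: with $desName set, the OS/data disk caches use the customer-managed key from that DiskEncryptionSet (temp disks stay on platform-managed keys); with $desName set to $null, everything uses platform-managed keys. The resource names, region, size and image are placeholders, and it assumes Az.Compute and Az.Network are installed, you are signed in, the EncryptionAtHost feature is registered, and the resource group exists:

```powershell
# Added example, not part of the original article.
# Creates a Virtual Machine Scale Set with encryption at host enabled, with
# either customer-managed keys (DiskEncryptionSet named in $desName) or
# platform-managed keys ($desName = $null). Assumes Az.Compute and Az.Network
# are installed, you are signed in, the EncryptionAtHost feature is registered
# and the resource group already exists. Names are placeholders.

$rg        = 'rg-vmss-encrypted'
$location  = 'eastus'
$vmssName  = 'vmss-eah'
$vmSize    = 'Standard_D2s_v3'   # must report EncryptionAtHostSupported = True
$desName   = 'des-vmss'          # existing DiskEncryptionSet, or $null
$adminUser = 'azureuser'
$adminPass = Read-Host -Prompt 'Admin password'   # prompt rather than hard-code it

# Minimal network for the scale set (constructed for the example).
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'default' -AddressPrefix '10.0.0.0/24'
$vnet   = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location `
              -Name 'vnet-vmss' -AddressPrefix '10.0.0.0/16' -Subnet $subnet
$ipCfg  = New-AzVmssIpConfig -Name 'ipconfig1' -SubnetId $vnet.Subnets[0].Id

# -EncryptionAtHost sets securityProfile.encryptionAtHost = true on the profile
# (the 2020-06-01 or later compute API the article mentions).
$vmss = New-AzVmssConfig -Location $location -SkuCapacity 2 -SkuName $vmSize `
            -UpgradePolicyMode 'Automatic' -EncryptionAtHost
$vmss = Add-AzVmssNetworkInterfaceConfiguration -VirtualMachineScaleSet $vmss `
            -Name 'nic1' -Primary $true -IPConfiguration $ipCfg

# Storage profile: the DiskEncryptionSet id is added only for customer-managed keys.
$storage = @{
    VirtualMachineScaleSet  = $vmss
    OsDiskCreateOption      = 'FromImage'
    OsDiskCaching           = 'ReadWrite'
    ImageReferencePublisher = 'MicrosoftWindowsServer'
    ImageReferenceOffer     = 'WindowsServer'
    ImageReferenceSku       = '2019-Datacenter'
    ImageReferenceVersion   = 'latest'
}
if ($desName) {
    $storage['DiskEncryptionSetId'] = (Get-AzDiskEncryptionSet -ResourceGroupName $rg -Name $desName).Id
}
$vmss = Set-AzVmssStorageProfile @storage

$vmss = Set-AzVmssOsProfile -VirtualMachineScaleSet $vmss -ComputerNamePrefix 'eah' `
            -AdminUsername $adminUser -AdminPassword $adminPass

New-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName -VirtualMachineScaleSet $vmss
```

Because the DiskEncryptionSet is resolved by name at run time, the same script serves a platform-managed deployment by setting $desName to $null; nothing else in the profile changes.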
Frequently Asked Questions
What is the difference between encryption at host and Azure disk encryption?
Azure Storage encryption and encryption at host are two different methods of encrypting data, with Azure Storage encryption applying to cloud-stored data, while encryption at host only encrypts data at the host level, not in the cloud. This distinction is crucial for understanding data protection in Azure managed disks.
How to check encryption at host in Azure?
To check encryption at host in Azure, sign in to the Azure portal and navigate to your Virtual Machine's Disks pane. Here, you can verify if encryption at host is enabled.
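Beyond the portal check, an added Azure PowerShell example (not from the original article) that audits every VM and scale set in the current subscription and reports the ones without encryption at host, reading the same securityProfile.encryptionAtHost property the article describes. The function name is my own; it assumes Az.Compute is installed and you are signed in to the subscription to audit:

```powershell
# Added example, not part of the original article.
# Audits every VM and scale set in the current subscription and reports which
# ones do not have encryption at host enabled, so the check is not limited to
# clicking through the portal one VM at a time. Assumes Az.Compute is installed
# and you are signed in to the subscription you want to audit.

function Get-EncryptionAtHostStatus {
    $results = @()

    foreach ($vm in Get-AzVM) {
        $results += [pscustomobject]@{
            ResourceGroup    = $vm.ResourceGroupName
            Name             = $vm.Name
            Type             = 'VM'
            # SecurityProfile is $null when the property was never set, which
            # [bool] turns into $false (not enabled).
            EncryptionAtHost = [bool]$vm.SecurityProfile.EncryptionAtHost
        }
    }

    foreach ($vmss in Get-AzVmss) {
        $results += [pscustomobject]@{
            ResourceGroup    = $vmss.ResourceGroupName
            Name             = $vmss.Name
            Type             = 'VMSS'
            EncryptionAtHost = [bool]$vmss.VirtualMachineProfile.SecurityProfile.EncryptionAtHost
        }
    }
    return $results
}

# List only the resources that still lack encryption at host.
Get-EncryptionAtHostStatus | Where-Object { -not $_.EncryptionAtHost } | Format-Table -AutoSize
```

Run it from a pipeline or scheduled job and treat any row it prints as a finding; a scale set that was created before the feature was registered is the usual cause.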
What is host-based encryption?
Host-based encryption is a feature that adds an extra layer of security to Azure Disk Storage by encrypting temporary disks and disk caches at rest and in transit. This ensures sensitive data is protected from unauthorized access.