BYOK / Azure Disk Encryption

Category: azure disk encryption


Amine.G on Sat, 23 Mar 2019 19:56:08


I'd like to ask few questions about Azure Disk Encryption when using BYOK scenarios :

  1. How to estimate the required number of transactions ( for Azure Key Vault pricing ).
  2. What do we loose if the on prem HSM is wiped or lost?
  3. Do we need the HSM to be always online? or just during KEK export?



SumanthMarigowda-MSFT on Mon, 25 Mar 2019 16:55:26

Apologies for the delay response!

  1.  For Azure key vault pricing estimates the customer will have to look at the "How're operations defined?" Section in the following link:

You will have to determine the estimates our self since we aren't able to provide estimates on our end for customer use cases. However, based off the operations on an encrypted Vm can you provide me below mentioned information?

-How many times will I need to restart my VM? (This will cause an unwrap operation)

-How many times do I plan on encrypting and decrypting?

-Do I have to create or update policies or certificates?

If you still find any difficulties in pricing, Free billing and subscription management support has been provided.

   2.   After exporting the key to Key Vault from the on-prem HSM, the HSM is no longer needed.  However, if the exported key is not kept safely somewhere, it cannot be exported from the Key Vault again and could be lost

   3. Just during the export.

Kindly let us know if the above helps or you need further assistance on this issue.


Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

SumanthMarigowda-MSFT on Wed, 27 Mar 2019 07:58:39

@Amine.G Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know