Azure Disk Encryption for Windows VMs using custom images

Category: azure disk encryption

Question

Mike Barratt on Wed, 18 Apr 2018 09:56:10


Can you confirm if Azure Disk Encryption (ADE) is supported for existing Windows IaaS VMs created using custom images. There appears to be conflicting information in two documents as below, unless I'm reading it incorrectly:

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption states:

  • Enable encryption on Windows and Linux IaaS VMs customer custom images is NOT supported.

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/encrypt-disks states:

Supported scenarios and requirements for disk encryption:

  • Enabling encryption on new Windows VMs from Azure Marketplace images or custom VHD image.

Can you confirm if ADE is supported or not on Windows IaaS custom images?

Many thanks

Mike


Replies

vikranth s on Wed, 18 Apr 2018 17:00:57


Windows OS in general should be supported.

Which version of Windows are you using?

Mike Barratt on Wed, 18 Apr 2018 17:09:21


Windows 2012 R2

vikranth s on Wed, 18 Apr 2018 17:15:02


Thanks for pointing this out; we will update the document. Azure Disk Encryption is fully supported for Windows Server 2012 R2.



Brians54321 on Thu, 31 May 2018 16:04:47


Hi Mike - don't know if you ever got an answer to these, but those two links that you provide are for two different things. One is Azure Disk Encryption (ADE), or "Encryption as a Service." The other is BitLockering your own VM, and doesn't mention ADE at all. ADE is not supported for custom images, as MS have no control over things like partitions.

Klaus Hahn on Wed, 10 Oct 2018 11:19:20


Hi,

this is a very interesting topic. From a regulatory standpoint, a customer needs to encrypt all data which is uploaded to the cloud. That means VHDs which you upload to Azure should be encrypted already.
From these VHDs a custom image needs to be created. Based on this image, VMs with ADE should be deployed.

Anyone here had this requirement already?

At the moment we are not sure how to encrypt these VHDs on the customer site and how Azure can use them in a custom image.

Azure would need to decrypt the VHDs during an image deployment and encrypt the newly created VM with ADE after deployment.

Not sure if this will ever be possible.

Regards,
Klaus


Klaus Hahn on Wed, 10 Oct 2018 12:31:59


Update:

I did find this article about how to prepare an encrypted VHD:
https://docs.microsoft.com/en-US/azure/security/azure-security-disk-encryption-appendix

This only describes the way of encrypting the startup volume. What about a second disk/data disk?

Help would be appreciated.
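For the data-disk question raised above, the following is an added PowerShell example (not from this thread or from Microsoft's documentation) using the Az module: it enables ADE on an existing Windows VM for the OS and data volumes together and then reads back the encryption status so both can be verified. The resource group, VM and Key Vault names are placeholders, and the Key Vault is assumed to be in the same region as the VM.

```powershell
# Added example, not from the thread: enable ADE for OS + data volumes on an
# existing Windows VM and verify. Names below are assumed placeholders.
$rg    = 'rg-example'        # assumption: resource group of the VM
$vm    = 'vm-win2012r2'      # assumption: existing Windows Server 2012 R2 VM
$vault = 'kv-ade-example'    # assumption: Key Vault in the same region as the VM

# ADE stores the BitLocker key in Key Vault, so the vault must allow disk encryption.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg

# Before this runs, data disks must be initialised and formatted inside the guest;
# ADE only encrypts data volumes that are already mounted with a drive letter.

# VolumeType All covers the OS volume and attached data disks, not just the OS volume.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType All -Force

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should both read Encrypted
# once the extension has finished; ProgressMessage shows the current state.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```

Re-running Get-AzVMDiskEncryptionStatus after attaching and formatting a new data disk is the quickest way to confirm whether that disk was actually picked up.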