VMs disk encryption : single key or multiple keys ?

  • Question

  • Hello,

    We have multiple VMs (IAAS) on Azure mostly running Windows and some Linux.

    I created a Key Vault to prepare for Disk Encryption.

    I wanted to know what the best practice is: use ONE key for disk encryption for all the VMs, or should I create a key in the Key Vault for each VM?

    Could not find information on that subject anywhere, so sorry if the question feels stupid.

    Thank you

    • Edited by wouli Tuesday, July 2, 2019 10:54 AM typo
    Tuesday, July 2, 2019 10:53 AM


  • Hello Wouli,

    Thanks for posting here!

    Make sure all the resources such as virtual machines and key vault are located in the same region and same subscription.

    Regarding encrypting multiple virtual machines with the same key stored in Key Vault: this is possible. You can use the same key and key vault if you want to encrypt multiple virtual machines. Azure Disk Encryption creates different secrets for each of the virtual machines that are associated with that key.

    I have reproduced the same using a single key; I was able to encrypt both virtual machines as shown below.

    Below is the PowerShell script to create a key vault and add the key. Using the same key, you can encrypt the virtual machines by changing the VM name in the script. Hope this helps you!

    # Az PowerShell: create a Key Vault enabled for Azure Disk Encryption, add one
    # key-encryption key (KEK), and enable encryption on a VM with that key.
    # Re-run the last cmdlet with another -VMName to reuse the same key.
    $rgName = "your resource group name"
    $location = "your resource group location"
    $keyVaultName = "your key vault name"
    $keyName = "your key name"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"
    Get-AzResourceGroup -Location $location -Name $rgName
    # -EnabledForDiskEncryption lets the platform read the per-VM secrets ADE stores here
    New-AzKeyVault -Location $location `
        -ResourceGroupName $rgName `
        -VaultName $keyVaultName `
        -EnabledForDiskEncryption
    Add-AzKeyVaultKey -VaultName $keyVaultName `
        -Name $keyName `
        -Destination "Software"
    $keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
    $diskEncryptionKeyVaultUrl = $keyVault.VaultUri
    $keyVaultResourceId = $keyVault.ResourceId
    # Key identifier (kid) of the KEK that wraps each VM's own encryption secret
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName).Key.kid
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `
        -VMName "give your Vm name" `
        -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $keyVaultResourceId `
        -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
        -KeyEncryptionKeyVaultId $keyVaultResourceId

    Kindly let us know if you need any further assistance on this.

    Tuesday, July 2, 2019 2:06 PM
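The answer above states that one key-encryption key (KEK) can serve several VMs because Azure Disk Encryption stores a separate secret per VM. The following PowerShell is an added example, not part of the original answer or of any Microsoft script: it encrypts a list of VMs with one shared KEK, then checks the per-VM encryption status and lists the secrets ADE created in the vault, so the one-key-to-many-secrets relationship can be verified rather than assumed. It assumes the Az modules are installed, you are signed in, and the key vault (enabled for disk encryption) and the KEK already exist; the VM names are constructed sample values, and the `MachineName` secret tag is an assumption to check against your own vault.

```powershell
# Added example: encrypt several VMs with one shared KEK and verify the result.
# Assumes Az modules, an active Connect-AzAccount session, and an existing
# disk-encryption-enabled vault that already holds the KEK.
$rgName       = "your resource group name"
$keyVaultName = "your key vault name"
$keyName      = "your key name"
$vmNames      = @("vm-web-01", "vm-web-02", "vm-db-01")   # constructed sample names

$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
$kek      = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName

foreach ($vmName in $vmNames) {
    # Same KEK for every VM; ADE still writes one wrapped BEK secret per VM.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `
        -VMName $vmName `
        -DiskEncryptionKeyVaultUrl $keyVault.VaultUri `
        -DiskEncryptionKeyVaultId $keyVault.ResourceId `
        -KeyEncryptionKeyUrl $kek.Key.kid `
        -KeyEncryptionKeyVaultId $keyVault.ResourceId `
        -VolumeType "All" `
        -Force
}

# Check 1: every VM reports its OS and data volumes as encrypted.
$report = foreach ($vmName in $vmNames) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
    [pscustomobject]@{
        VM          = $vmName
        OsVolume    = $status.OsVolumeEncrypted
        DataVolumes = $status.DataVolumesEncrypted
    }
}
$report | Format-Table -AutoSize

# Check 2: one KEK, many secrets. List the BEK secrets ADE stored in the vault.
# Assumption: ADE tags each secret with a MachineName tag; confirm the tag name
# by inspecting one secret's Tags in your own vault.
Get-AzKeyVaultSecret -VaultName $keyVaultName |
    Where-Object { $_.Tags -and $_.Tags.ContainsKey("MachineName") } |
    Select-Object @{ n = "MachineName"; e = { $_.Tags["MachineName"] } }, Name, Created |
    Sort-Object MachineName |
    Format-Table -AutoSize
```

The second check is the one that matters for the original question: if each VM name appears with its own secret while `$kek.Key.kid` is the only key URL in use, the vault is holding one KEK and N per-VM secrets, which is the arrangement the answer describes. Whether to split VMs across several KEKs is then a choice about rotation and blast radius rather than a technical requirement.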