Server-side encryption with customer-managed keys for Azure Managed Disks is generally available
Published date: 01 April, 2020
Azure customers already benefit from server-side encryption with platform-managed keys for managed disks enabled by default. Server-side encryption with customer-managed keys improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need. Today, customers can also use Azure Disk Encryption, which leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on Azure Disk encryption by enabling you to use any OS types and images, including custom images, for your virtual machines by encrypting data in the Storage service.
Server-side encryption with customer-managed keys is integrated with Azure Key Vault, which provides highly available and scalable secure storage for your keys backed by Hardware Security Modules. You can either bring your own keys (BYOK) to your Azure Key Vault or generate new keys