{"id":716,"date":"2020-04-02T00:00:00","date_gmt":"2020-04-02T00:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks"},"modified":"2025-06-29T22:55:42","modified_gmt":"2025-06-30T05:55:42","slug":"announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/","title":{"rendered":"Announcing server-side encryption with customer-managed keys for Azure Managed Disks"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Today, we&#8217;re announcing the general availability of server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. Azure customers already benefit from SSE with <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-managed-disks-sse\/\" target=\"_blank\" rel=\"noopener\">platform-managed keys<\/a>&nbsp;for Managed Disks enabled by default. SSE with CMK improves on platform-managed keys by giving you control of the encryption keys to meet your compliance needs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Today, customers can also use <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security\/azure-security-disk-encryption-overview\" target=\"_blank\" rel=\"noopener\">Azure Disk Encryption<\/a>, which leverages the Windows <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/information-protection\/bitlocker\/bitlocker-overview\" target=\"_blank\" rel=\"noopener\">BitLocker<\/a> feature and the Linux <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dm-crypt\" target=\"_blank\" rel=\"noopener\">dm-crypt<\/a> feature to encrypt Managed Disks with CMK within the guest virtual machine (VM). 
SSE with CMK improves on Azure Disk Encryption by enabling you to use any OS types and images, including custom images, for your VMs by encrypting data in the Azure Storage service.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSE with CMK is integrated with <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/key-vault\/\" target=\"_blank\" rel=\"noopener\">Azure Key Vault<\/a>, which provides highly available and scalable secure storage for your keys backed by Hardware Security Modules. You can either <a href=\"https:\/\/docs.microsoft.com\/azure\/key-vault\/key-vault-hsm-protected-keys\" target=\"_blank\" rel=\"noopener\">bring your own keys (BYOK)<\/a> to your Key Vault or generate new keys in the Key Vault.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"about-the-key-management\">About the key management<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Managed Disks are encrypted and decrypted transparently using 256-bit Advanced Encryption Standard (AES) encryption, one of the strongest block ciphers available. The Storage service handles the encryption and decryption in a fully transparent fashion using envelope encryption. It encrypts data using <a href=\"https:\/\/en.wikipedia.org\/wiki\/Advanced_Encryption_Standard\" target=\"_blank\" rel=\"noopener\">256-bit AES-based data encryption keys<\/a>, which are, in turn, protected using your keys stored in a Key Vault.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Storage service generates data encryption keys and encrypts them with CMK using RSA encryption. The envelope encryption allows you to rotate (change) your keys periodically as per your compliance policies without impacting your VMs. When you rotate your keys, the Storage service re-encrypts the data encryption keys with the new CMK.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"full-control-of-your-keys\">Full control of your keys<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You are in full control of your keys in your Key Vault. 
Managed Disks uses <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/managed-identities-azure-resources\/overview\" target=\"_blank\" rel=\"noopener\">system-assigned managed identity<\/a> in your Azure Active Directory (Azure AD) for accessing keys in Key Vault. An administrator with required permissions in the Key Vault must first grant access to Managed Disks in Key Vault to use the keys for encrypting and decrypting the data encryption key. You can prevent Managed Disks from accessing your keys by either disabling your keys or by revoking access controls for your keys\u2014doing so for disks attached to running VMs will cause the VMs to fail. Moreover, you can track the key usage through Key Vault monitoring to ensure that only Managed Disks or other trusted Azure services are accessing your keys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"availability-of-sse-with-cmk\">Availability of SSE with CMK<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">SSE with CMK is available for Standard HDD, Standard SSD, and Premium SSD Managed Disks that can be attached to Azure Virtual Machines and VM scale sets. Ultra Disk Storage support will be announced separately. SSE with CMK is now enabled in all the public and Azure Government regions and will be available in the regions in Germany (Sovereign) and China in a few weeks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can use Azure Backup to back up your VMs using Managed Disks encrypted with SSE with CMK. Also, you can choose to encrypt the backup data in your Recovery Services vaults using your keys stored in your Key Vault instead of platform-managed keys available by default. 
Refer to the documentation for more details on the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/backup\/backup-azure-security-feature-cloud#encryption-of-backup-data-using-customer-managed-keys\" target=\"_blank\" rel=\"noopener\">encryption of backups using CMK<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can use Azure Site Recovery to replicate your Azure virtual machines that have Managed Disks encrypted with SSE with CMK to other Azure regions for disaster recovery. You can also replicate your on-premises virtual machines to Managed Disks encrypted with SSE with CMK in Azure. Learn more about <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/site-recovery\/azure-to-azure-how-to-enable-replication-cmk-disks\" target=\"_blank\" rel=\"noopener\">replicating your virtual machines using Managed Disks encrypted with SSE with CMK<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"get-started\">Get started<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To enable the encryption with CMK for Managed Disks, you must first create an instance of a new resource type called DiskEncryptionSet and then grant the instance access to the Key Vault. DiskEncryptionSet represents a key in your Key Vault and allows you to reuse the same key for encrypting many disks, snapshots, and images.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s look at an example of creating an instance of DiskEncryptionSet:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. 
Create an instance of DiskEncryptionSet by specifying a key in your Key Vault.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>keyVaultId=$(az keyvault show --name yourKeyVaultName --query [id] -o tsv)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>keyVaultKeyUrl=$(az keyvault key show --vault-name yourKeyVaultName --name yourKeyName --query [key.kid] -o tsv)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>az disk-encryption-set create -n yourDiskEncryptionSetName -l WestCentralUS -g yourResourceGroupName --source-vault $keyVaultId --key-url $keyVaultKeyUrl<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2. Grant the instance access to the Key Vault. When you created the instance, the system automatically created a <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/managed-identities-azure-resources\/overview\" target=\"_blank\" rel=\"noopener\">system-assigned managed identity<\/a> in your Azure AD and associated the identity with the instance. The identity must have access to the Key Vault to perform required operations such as wrapkey, unwrapkey and get.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>desIdentity=$(az disk-encryption-set show -n yourDiskEncryptionSetName -g yourResourceGroupName --query [identity.principalId] -o tsv)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>az keyvault set-policy -n yourKeyVaultName -g yourResourceGroupName --object-id $desIdentity --key-permissions wrapkey unwrapkey get<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>az role assignment create --assignee $desIdentity --role Reader --scope $keyVaultId<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You are ready to enable the encryption for disks, snapshots, and images by associating them with the instance of DiskEncryptionSet. 
There is no restriction on the number of resources that can be associated with the same DiskEncryptionSet.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s look at an example of enabling encryption for an existing disk:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. To enable the encryption for disks attached to a VM, you must first stop (deallocate) the virtual machine.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>az vm stop --resource-group MyResourceGroup --name MyVm<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2. Enable the encryption for an attached disk by associating it with the instance of DiskEncryptionSet.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>diskEncryptionSetId=$(az disk-encryption-set show -n yourDiskEncryptionSetName -g yourResourceGroupName --query [id] -o tsv)<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>az disk update -n yourDiskName -g yourResourceGroupName --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set $diskEncryptionSetId<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">3. Start the VM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>az vm start -g MyResourceGroup -n MyVm<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Refer to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-machines\/windows\/disk-encryption\" target=\"_blank\" rel=\"noopener\">Managed Disks documentation<\/a> for detailed instructions on enabling server-side encryption with CMK for Managed Disks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"send-us-your-feedback\">Send us your feedback<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We look forward to hearing your feedback for SSE with CMK. Please email <a href=\"mailto:AzureDisks@microsoft.com\">us here<\/a>.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we are announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. 
Azure customers have benefited from server-side encryption with platform-managed keys for Managed Disks enabled by default.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","footnotes":"","msx_community_cta_settings":[]},"categories":[1459],"tags":[],"audience":[3053,3056],"content-type":[1465],"product":[1478],"tech-community":[],"topic":[],"coauthors":[316],"class_list":["post-716","post","type-post","status-publish","format-standard","hentry","category-security","audience-it-decision-makers","audience-it-implementors","content-type-announcements","product-key-vault","review-flag-1680286584-658","review-flag-1-1680286581-825","review-flag-2-1680286581-601","review-flag-3-1680286581-173","review-flag-gener-1680286584-335","review-flag-new-1680286579-546","review-flag-vm-1680286585-143"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Announcing server-side encryption with customer-managed keys for Azure Managed Disks | Microsoft Azure Blog<\/title>\n<meta name=\"description\" content=\"Today, we are announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. 
Azure customers have benefited from server-side encryption with platform-managed keys for Managed Disks enabled by default.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Announcing server-side encryption with customer-managed keys for Azure Managed Disks | Microsoft Azure Blog\" \/>\n<meta property=\"og:description\" content=\"Today, we are announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. Azure customers have benefited from server-side encryption with platform-managed keys for Managed Disks enabled by default.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Azure Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/microsoftazure\" \/>\n<meta property=\"article:published_time\" content=\"2020-04-02T00:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-30T05:55:42+00:00\" \/>\n<meta name=\"author\" content=\"Raman Kumar\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@azure\" \/>\n<meta name=\"twitter:site\" content=\"@azure\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Raman Kumar\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/\"},\"author\":[{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/raman-kumar\/\",\"@type\":\"Person\",\"@name\":\"Raman Kumar\"}],\"headline\":\"Announcing server-side encryption with customer-managed keys for Azure Managed Disks\",\"datePublished\":\"2020-04-02T00:00:00+00:00\",\"dateModified\":\"2025-06-30T05:55:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/\"},\"wordCount\":868,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/\",\"name\":\"Announcing server-side encryption with customer-managed keys for Azure Managed Disks | Microsoft Azure 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\"},\"datePublished\":\"2020-04-02T00:00:00+00:00\",\"dateModified\":\"2025-06-30T05:55:42+00:00\",\"description\":\"Today, we are announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. Azure customers have benefited from server-side encryption with platform-managed keys for Managed Disks enabled by default.\",\"breadcrumb\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog home\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/category\/security\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Announcing server-side encryption with customer-managed keys for Azure Managed Disks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#website\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"name\":\"Microsoft Azure Blog\",\"description\":\"Get the latest Azure news, updates, and announcements from the Azure blog. 
From product updates to hot topics, hear from the Azure experts.\",\"publisher\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization\",\"name\":\"Microsoft Azure Blog\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"contentUrl\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Azure 
Blog\"},\"image\":{\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/microsoftazure\",\"https:\/\/x.com\/azure\",\"https:\/\/www.instagram.com\/microsoftdeveloper\/\",\"https:\/\/www.linkedin.com\/company\/16188386\",\"https:\/\/www.youtube.com\/user\/windowsazure\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/person\/c702e5edd662b328b49b7e1180cab117\",\"name\":\"shakir\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g7664e653ea371ce16eaf75e9fa8952c4\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g\",\"caption\":\"shakir\"},\"sameAs\":[\"https:\/\/azure.microsoft.com\"],\"url\":\"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/shakir\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Announcing server-side encryption with customer-managed keys for Azure Managed Disks | Microsoft Azure Blog","description":"Today, we are announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. 
Azure customers have benefited from server-side encryption with platform-managed keys for Managed Disks enabled by default.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/","og_locale":"en_US","og_type":"article","og_title":"Announcing server-side encryption with customer-managed keys for Azure Managed Disks | Microsoft Azure Blog","og_description":"Today, we are announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. Azure customers have benefited from server-side encryption with platform-managed keys for Managed Disks enabled by default.","og_url":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/","og_site_name":"Microsoft Azure Blog","article_publisher":"https:\/\/www.facebook.com\/microsoftazure","article_published_time":"2020-04-02T00:00:00+00:00","article_modified_time":"2025-06-30T05:55:42+00:00","author":"Raman Kumar","twitter_card":"summary_large_image","twitter_creator":"@azure","twitter_site":"@azure","twitter_misc":{"Written by":"Raman Kumar","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#article","isPartOf":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/"},"author":[{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/raman-kumar\/","@type":"Person","@name":"Raman Kumar"}],"headline":"Announcing server-side encryption with customer-managed keys for Azure Managed Disks","datePublished":"2020-04-02T00:00:00+00:00","dateModified":"2025-06-30T05:55:42+00:00","mainEntityOfPage":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/"},"wordCount":868,"commentCount":0,"publisher":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization"},"articleSection":["Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/","name":"Announcing server-side encryption with customer-managed keys for Azure Managed Disks | Microsoft Azure Blog","isPartOf":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#website"},"datePublished":"2020-04-02T00:00:00+00:00","dateModified":"2025-06-30T05:55:42+00:00","description":"Today, we are announcing the general availability for server-side encryption (SSE) with customer-managed keys (CMK) for Azure Managed Disks. 
Azure customers have benefited from server-side encryption with platform-managed keys for Managed Disks enabled by default.","breadcrumb":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/announcing-serverside-encryption-with-customermanaged-keys-for-azure-managed-disks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog home","item":"https:\/\/azure.microsoft.com\/en-us\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/azure.microsoft.com\/en-us\/blog\/category\/security\/"},{"@type":"ListItem","position":3,"name":"Announcing server-side encryption with customer-managed keys for Azure Managed Disks"}]},{"@type":"WebSite","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#website","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/","name":"Microsoft Azure Blog","description":"Get the latest Azure news, updates, and announcements from the Azure blog. 
From product updates to hot topics, hear from the Azure experts.","publisher":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/azure.microsoft.com\/en-us\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#organization","name":"Microsoft Azure Blog","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp","contentUrl":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2024\/06\/microsoft_logo.webp","width":512,"height":512,"caption":"Microsoft Azure 
Blog"},"image":{"@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/microsoftazure","https:\/\/x.com\/azure","https:\/\/www.instagram.com\/microsoftdeveloper\/","https:\/\/www.linkedin.com\/company\/16188386","https:\/\/www.youtube.com\/user\/windowsazure"]},{"@type":"Person","@id":"https:\/\/azure.microsoft.com\/en-us\/blog\/#\/schema\/person\/c702e5edd662b328b49b7e1180cab117","name":"shakir","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g7664e653ea371ce16eaf75e9fa8952c4","url":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9342c7c05bb16548741bc5cd3a3e3b7ee0c8e746844ad2cc582db5beb5514c6f?s=96&d=mm&r=g","caption":"shakir"},"sameAs":["https:\/\/azure.microsoft.com"],"url":"https:\/\/azure.microsoft.com\/en-us\/blog\/author\/shakir\/"}]}},"msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Azure 
Blog","distributor_original_site_url":"https:\/\/azure.microsoft.com\/en-us\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/comments?post=716"}],"version-history":[{"count":1,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/716\/revisions"}],"predecessor-version":[{"id":44362,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/posts\/716\/revisions\/44362"}],"wp:attachment":[{"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/media?parent=716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/categories?post=716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tags?post=716"},{"taxonomy":"audience","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/audience?post=716"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/content-type?post=716"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/product?post=716"},{"taxonomy":"tech-community","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/tech-community?post=716"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/topic?post=716"},{"taxonomy":"author","embeddable":true,"href":"h
ttps:\/\/azure.microsoft.com\/en-us\/blog\/wp-json\/wp\/v2\/coauthors?post=716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}