Azure disk encryption at host

You can create an MCS machine catalog with encryption at host capability. Currently, MCS supports only the machine profile workflow for this feature. You can use a VM or a template spec as an input for a machine profile.

This encryption method does not encrypt the data through the Azure storage. The server hosting the VM encrypts the data and then the encrypted data flows through the Azure storage server. Hence, this method of encryption encrypts data end to end.

Limitations

Azure disk encryption at the host is:

  • Not supported for all Azure machine sizes
  • Incompatible with Azure disk encryption

Create a machine catalog with encryption at host capability

To create a machine catalog with encryption at host capability

  1. Check if the subscription has the encryption at host feature enabled or not. To do this, see https://learn.microsoft.com/en-us/rest/api/resources/features/get?tabs=HTTP/. If not enabled, you must enable the feature for the subscription. For information on enabling the feature for your subscription, see https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell#prerequisites/.
  2. Check if a particular Azure VM size supports encryption at host or not. To do this, in a PowerShell window, run one of the following:

    PS XDHyp:\Connections\<your connection>\east us.region\serviceoffering.folder>
    <!--NeedCopy-->
    
    PS XDHyp:\HostingUnits\<your hosting unit>\serviceoffering.folder>
    <!--NeedCopy-->
    
  3. Create a VM or a template spec, as an input for machine profile, in the Azure portal with encryption at host enabled.

    • If you want to create a VM, select a VM size that supports encryption at host. After you create the VM, the VM property Encryption at host is enabled.
    • If you want to use a template spec, assign the parameter Encryption at Host as true inside securityProfile.
  4. Create an MCS machine catalog with machine profile workflow by either selecting a VM or a template spec.

    • OS disk / Data Disk: Gets encrypted through Customer-managed key and Platform-managed key
    • Ephemeral OS Disk: Gets encrypted only through Platform-managed key
    • Cache Disk: Gets encrypted through Customer-managed key and Platform-managed key

    You can create the machine catalog using the Full Configuration interface or running PowerShell commands.

Retrieve encryption at host information from a machine profile

You can retrieve the encryption at host information from a machine profile when you run the PowerShell command with the AdditionalData parameter. If EncryptionAtHost parameter is True, it indicates that the encryption at host is enabled for the machine profile.

For example: When the machine profile input is a VM, run the following command:

(get-item XDHyp:\HostingUnits\myAzureNetwork\machineprofile.folder\abc.resourcegroup\def.vm).AdditionalData
<!--NeedCopy-->

For example: When the machine profile input is a template spec, run the following command:

(get-item XDHyp:\HostingUnits\myAzureNetwork\machineprofile.folder\abc.resourcegroup\def_templatespec.templatespec\EncryptionAtHost.templatespecversion).AdditionalData
<!--NeedCopy-->
Azure disk encryption at host