🌟 Important Announcement: Retirement of Azure Disk Encryption 🌟

Microsoft Azure to retire Azure Disk Encryption on September 15, 2028 - What you need to know!

I want to share some important news regarding Azure Disk Encryption (ADE), which will be retired on September 15, 2028. While this may seem like a distant date, we encourage you to start planning your transition with us now to ensure a smooth migration.

Not all organisations use this ADE feature due the performance overheads or alternative security controls, but where ADE is in place some consideration should be given to understanding the lifecycle of any virtual machine in scope and decide if workload retirement, or modernisation (re-platform) are alternatives to the suggested VM to VM migration path.

What’s Changing?

Azure Disk Encryption is set to be retired, and we recommend transitioning to Encryption at Host (the closest equivalent to ADE) depending on your required controls or having retired or re-platformed any server in scope by the deadline. This new feature offers:

Broader OS support: Works with any operating system.
Improved performance: Experience faster operations.
Enhanced security: Benefit from stronger security measures.

We also encourage you to explore Confidential Virtual Machine sizes with OS disk encryption for added security in confidential computing!

🚀 Recommended Action

To avoid any service disruptions, please plan your migration by September 15, 2028. You can continue using Azure Disk Encryption without disruption until that date, but workloads running Azure Disk Encryption will fail to unlock after reboots post-retirement.

For resources to aid in your migration and further details, please refer to the link below: Migration Resources

Comparison of Encryption Options

Find more posts tagged with

Azure

Data Security

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

timjeens

I tried to access this link from above: Migration Resources
but it takes me to a single sign on login page.

Anyway, what I was trying to find out was how do I check which of my disks are using ADE?

timjeens

Actually, found the answer.

I ran this:

Get-AzVM | ForEach-Object {
Get-AzVMDiskEncryptionStatus -ResourceGroupName $.ResourceGroupName -VMName $.Name}

Which showed that all my VMs were "NotEncrypted", which means they are protected by the Platform Encryption, and not individually protected which is what ADE does it seems.

So all good.

Thanks,

Tim

Damian Reffin

Apologies for the bad link, steps to take in portal are:

To identify which of your Azure compute instances are using Azure Disk Encryption (ADE), you can follow these steps:

Method 1: Azure Portal

Sign in to the Azure Portal:
- Go to the Azure Portal.
Navigate to Virtual Machines:
- In the left-hand menu, select Virtual Machines.
Check Disk Encryption Status:
- Click on each virtual machine to open its overview page.
- Under the Settings section, look for Disks.
- In the disks section, you will see the disk encryption status.
Use the Security Center:
- Navigate to Microsoft Defender for Cloud.
- Under the Recommendations section, look for alerts about disk encryption status.

Method 2: Azure Resource Graph Explorer

Run the following query:

resources
| where type == "microsoft.compute/disks"
| extend properties = parse_json(properties)
| where properties.encryption["type"] in ("EncryptionAtRestWithPlatformKey", "EncryptionAtRestWithCustomerKey")
| where properties.encryptionSettingsCollection["enabled"] == "true"
| project name, properties