This section explains the steps to enable disk encryption for the Service Engines.
Azure disk encryption protects data hosted on, or accessed through, Azure virtual machines. Azure supports the following disk encryption types:
Azure Disk Encryption
Server-side Managed Disk Encryption, which protects the disk with one of the following key types:
    Platform-managed keys
    Customer-managed keys in customer-controlled hardware
    Customer-managed keys
By default, the data on an Azure VM's disks is encrypted with Microsoft-managed (platform-managed) keys. A customer-managed key gives you control over the key that protects that data: you manage its lifecycle, can rotate it, and can revoke access to it.
Customer-managed keys are supported for server-side disk encryption. To use one, import an existing RSA key into Azure Key Vault, or generate a new RSA key in Key Vault, and select it as the key for server-side encryption.
Azure managed disks use envelope encryption to encrypt and decrypt the data. The data is encrypted with an AES-256 data encryption key (DEK), and the DEK is itself encrypted with the customer-managed key, which is called the key encryption key (KEK). Only the wrapped DEK is stored with the data, so the data is readable only while the KEK remains available in Key Vault; disabling or deleting the KEK makes the disk unreadable.
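The following Go program is an added illustration of the envelope encryption described above; it is not code from this page or from Azure. It models a disk as ciphertext plus a wrapped DEK, stands in RSA-OAEP with SHA-256 (the construction behind Key Vault's RSA-OAEP-256 wrapKey operation) for the KEK and AES-256-GCM for the data cipher (an assumption, since the page names only AES-256), and shows the two properties a practitioner relies on: a different or revoked KEK cannot unwrap the DEK, and rotating the KEK only re-wraps the DEK without touching the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedDisk is a deliberately simplified model of a server-side encrypted
// managed disk (an assumption for this example, not Azure's on-disk format):
// the data ciphertext plus the DEK wrapped under the KEK.
type EncryptedDisk struct {
	Nonce      []byte // AES-GCM nonce used for the data
	Ciphertext []byte // data encrypted with the DEK
	WrappedDEK []byte // DEK encrypted with the KEK (RSA-OAEP)
}

// NewKEK generates an RSA key pair standing in for the customer-managed key
// held in Azure Key Vault, i.e. the key encryption key.
func NewKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// wrapDEK encrypts the DEK under the KEK public key with RSA-OAEP/SHA-256.
func wrapDEK(kek *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, []byte("disk-dek"))
}

// unwrapDEK recovers the DEK with the KEK private key. Any key other than the
// one that wrapped the DEK fails here, which is what a disabled, deleted or
// replaced Key Vault key looks like to the disk.
func unwrapDEK(kek *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, kek, wrapped, []byte("disk-dek"))
	if err != nil {
		return nil, errors.New("KEK cannot unwrap the DEK: wrong, rotated or revoked key")
	}
	return dek, nil
}

// newGCM builds the data cipher; a 32-byte key selects AES-256.
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random 256-bit DEK, encrypts the data with it, wraps
// the DEK under the KEK and keeps only the wrapped copy with the data.
func Encrypt(kek *rsa.PublicKey, plaintext []byte) (*EncryptedDisk, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := wrapDEK(kek, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedDisk{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
func Decrypt(kek *rsa.PrivateKey, d *EncryptedDisk) ([]byte, error) {
	dek, err := unwrapDEK(kek, d.WrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, d.Nonce, d.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK. The ciphertext is untouched, so
// key rotation never re-encrypts the disk; the old KEK must remain available
// until every wrapped DEK has been re-wrapped.
func RotateKEK(oldKEK *rsa.PrivateKey, newKEK *rsa.PublicKey, d *EncryptedDisk) error {
	dek, err := unwrapDEK(oldKEK, d.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := wrapDEK(newKEK, dek)
	if err != nil {
		return err
	}
	d.WrappedDEK = wrapped
	return nil
}

func main() {
	kek, _ := NewKEK()
	disk, _ := Encrypt(&kek.PublicKey, []byte("constructed sample: Service Engine disk contents"))
	pt, _ := Decrypt(kek, disk)
	fmt.Printf("decrypted with original KEK: %q\n", pt)
	newKEK, _ := NewKEK()
	_ = RotateKEK(kek, &newKEK.PublicKey, disk)
	_, err := Decrypt(kek, disk)
	fmt.Println("old KEK after rotation:", err)
	pt, _ = Decrypt(newKEK, disk)
	fmt.Printf("decrypted with new KEK: %q\n", pt)
}
```

The sample disk contents are constructed for the example. Key Vault performs the wrap and unwrap inside the vault, so the KEK private key never leaves it; in this model the private key is held locally only to keep the program self-contained.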
Unmanaged disks will be retired in the future; use managed disks for the Service Engines.