This section explains how to enable Disk Encryption for the Service Engines.

Azure disk encryption is used to secure data hosted on or accessed through Azure virtual machines. Azure supports the following disk encryption types:

  • Azure Disk Encryption

  • Server-side Managed Disk Encryption

    • Platform-managed keys

    • Customer-managed keys in customer-controlled hardware

    • Customer-managed keys

By default, Microsoft-managed keys secure the data stored in a storage account on an Azure VM. A customer-managed key gives the user additional control over the encryption method.

Starting with NSX Advanced Load Balancer release 20.1, the use of a customer-managed key is supported for server-side disk encryption. To use a customer-managed key for server-side encryption, an RSA key is either imported into the Key Vault on Azure or newly generated there.

Azure-managed disks use envelope encryption to encrypt and decrypt the data. The data is encrypted with an AES-256 data encryption key (DEK). The DEK is in turn protected by the customer's key, which is called the key encryption key (KEK).
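The following is an added illustration of the DEK/KEK envelope scheme described above; it is not part of the NSX Advanced Load Balancer documentation or of Azure's implementation. It assumes the `cryptography` package and uses a locally generated RSA key as a stand-in for the customer-managed key in Key Vault; it also shows why rotating the KEK re-wraps only the DEK and leaves the encrypted disk data untouched.

```python
"""Envelope encryption: an AES-256 data encryption key (DEK) encrypts the
data; an RSA key encryption key (KEK, the customer-managed key) wraps the DEK.
Illustrative only; the RSA key here stands in for a Key Vault key."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP padding used to wrap and unwrap the DEK (assumed for the example).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
AAD = b"managed-disk"  # constructed associated data bound to the ciphertext


def generate_kek(bits=2048):
    """Stand-in for the RSA key generated in (or imported into) Key Vault."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def encrypt_disk(plaintext, kek):
    """Encrypt data with a fresh DEK and wrap the DEK under the KEK.
    Returns (wrapped_dek, nonce, ciphertext); the plaintext DEK is dropped."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, AAD)
    wrapped_dek = kek.public_key().encrypt(dek, OAEP)
    return wrapped_dek, nonce, ciphertext


def decrypt_disk(wrapped_dek, nonce, ciphertext, kek):
    """Unwrap the DEK with the KEK, then decrypt the data."""
    dek = kek.decrypt(wrapped_dek, OAEP)
    return AESGCM(dek).decrypt(nonce, ciphertext, AAD)


def rotate_kek(wrapped_dek, old_kek, new_kek):
    """KEK rotation re-wraps only the DEK; the encrypted data is not touched."""
    dek = old_kek.decrypt(wrapped_dek, OAEP)
    return new_kek.public_key().encrypt(dek, OAEP)


def can_unwrap(wrapped_dek, kek):
    """True if this KEK can recover the DEK (i.e. still controls the data)."""
    try:
        kek.decrypt(wrapped_dek, OAEP)
        return True
    except ValueError:
        return False
```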