L2: Encryption at rest with CMK

Customer-Managed Keys can be used to protect data at rest across a wide range of Azure services. Here we cover five common services, the CMK integration pattern for each, and differences between Azure Key Vault Premium and Azure Key Vault Managed HSM.

Table of Contents

  • Introduction
  • Azure Storage
  • Managed Disks and Disk Encryption Sets
  • Virtual Machines and Managed Disks
  • Azure Kubernetes Service
  • Azure Container Instances
  • Azure SQL Managed Instance
  • When to create more than one Disk Encryption Set
  • Broader support
  • Notable exceptions

Introduction

This page covers encryption at rest — protecting stored data so that it cannot be read without access to your key. Each Azure service that supports customer-managed keys wraps its own internal data encryption keys using your CMK in Key Vault. If your key is unavailable, the service cannot decrypt the data.

Encryption in use — protecting data while it is being processed, using Azure Confidential Compute — is a separate topic covered later in this series.

The pattern is the same across services:

  1. Create a key in Azure Key Vault Premium.
  2. Enable a managed identity on the Azure resource.
  3. Grant that identity access to Get, Wrap Key, and Unwrap Key on the key.
  4. Point the resource’s encryption settings at the key URI.

The main difference when using Managed HSM is in step 3. Key Vault uses standard Azure RBAC with built-in roles assigned on the vault scope. Managed HSM uses its own local RBAC model with HSM-specific roles (such as Managed HSM Crypto Service Encryption User) assigned on the HSM or individual key scope, using az keyvault role assignment create --hsm-name rather than az role assignment create. Everything else — the key URI format aside — is the same.

Azure Storage

Azure Storage uses your CMK to protect the storage account’s internal data encryption keys. All blobs, files, queues and tables in the account are encrypted at rest.

You can configure the CMK at account creation or apply it to an existing account. The storage account needs a system-assigned or user-assigned managed identity, which is then given the Key Vault Crypto Service Encryption User RBAC role (or equivalent access policy permissions) on the vault.

Managed HSM is supported. The role to assign is Managed HSM Crypto Service Encryption User, and it is assigned on the HSM or key scope using the HSM local RBAC model.
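The four-step pattern from the introduction, applied to a storage account, as an added example that is not Azure Citadel's own code. It shows the one place where the two key stores differ: step 3 is an Azure RBAC assignment at vault scope for Key Vault Premium, and a Managed HSM local RBAC assignment (scoped here to the single key) for Managed HSM. The subscription ID, resource names and the `KEY_SOURCE` and `DRY_RUN` switches are constructed placeholders; with `DRY_RUN=1`, the default, the script prints the `az` commands it would run instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not Azure Citadel's own code: CMK for a storage account following the
# four-step pattern. Every name below is a constructed placeholder. DRY_RUN=1 (default)
# prints the az commands instead of running them; KEY_SOURCE selects keyvault or hsm.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-cmk-demo}"
SA="${SA:-stcmkdemo001}"
KEY_NAME="${KEY_NAME:-storage-cmk}"
KV_NAME="${KV_NAME:-kv-cmk-demo}"        # Azure Key Vault Premium
HSM_NAME="${HSM_NAME:-mhsm-cmk-demo}"    # Azure Key Vault Managed HSM
KEY_SOURCE="${KEY_SOURCE:-keyvault}"     # keyvault | hsm
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }

# Step 1: an HSM-protected RSA key limited to the two operations a wrapping key needs.
# Premium vaults take --vault-name; Managed HSM takes --hsm-name.
create_key() {
  case "$KEY_SOURCE" in
    keyvault) run keyvault key create --vault-name "$KV_NAME" --name "$KEY_NAME" \
                --kty RSA-HSM --size 3072 --ops wrapKey unwrapKey ;;
    hsm)      run keyvault key create --hsm-name "$HSM_NAME" --name "$KEY_NAME" \
                --kty RSA-HSM --size 3072 --ops wrapKey unwrapKey ;;
    *)        echo "KEY_SOURCE must be keyvault or hsm, got '$KEY_SOURCE'" >&2; return 1 ;;
  esac
}

# Step 2: system-assigned managed identity on the storage account.
enable_identity() {
  run storage account update --name "$SA" --resource-group "$RG" --assign-identity
}

# Step 3: the branch the page calls out. Key Vault: Azure RBAC built-in role at vault
# scope. Managed HSM: local RBAC role, scoped here to the single key rather than the HSM.
grant_key_access() {
  principal_id="$1"
  case "$KEY_SOURCE" in
    keyvault) run role assignment create --assignee-object-id "$principal_id" \
                --assignee-principal-type ServicePrincipal \
                --role "Key Vault Crypto Service Encryption User" \
                --scope "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV_NAME" ;;
    hsm)      run keyvault role assignment create --hsm-name "$HSM_NAME" \
                --assignee-object-id "$principal_id" \
                --role "Managed HSM Crypto Service Encryption User" --scope "/keys/$KEY_NAME" ;;
    *)        return 1 ;;
  esac
}

# Step 4: the key URI differs only in the host name. Omitting --encryption-key-version
# makes the account track the latest key version, so rotation needs no reconfiguration.
key_store_uri() {
  case "$KEY_SOURCE" in
    keyvault) echo "https://$KV_NAME.vault.azure.net" ;;
    hsm)      echo "https://$HSM_NAME.managedhsm.azure.net" ;;
    *)        return 1 ;;
  esac
}
point_storage_at_key() {
  run storage account update --name "$SA" --resource-group "$RG" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$(key_store_uri)" --encryption-key-name "$KEY_NAME"
}

main() {
  create_key
  enable_identity
  if [ "$DRY_RUN" = "1" ]; then
    principal_id="<principalId-of-$SA>"
  else
    principal_id="$(az storage account show --name "$SA" --resource-group "$RG" \
                    --query identity.principalId -o tsv)"
  fi
  grant_key_access "$principal_id"
  point_storage_at_key
}
main
```

Run it once with `DRY_RUN=1 KEY_SOURCE=hsm` and once with `KEY_SOURCE=keyvault` and diff the output: the only lines that change are the key creation, the role assignment and the key store URI, which is exactly the page's point. Scoping the Managed HSM assignment to `/keys/<name>` rather than `/` keeps the storage identity from being able to wrap with any other key in the HSM.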

References

  • Customer-managed keys for Azure Storage encryption
  • Customer-managed keys using Azure Key Vault Managed HSM

Managed Disks and Disk Encryption Sets

For Azure managed disks, CMK encryption is configured through Disk Encryption Sets (DES). A DES is a dedicated Azure resource that represents the relationship between your key and the managed disks that use it.

The DES has its own managed identity, which needs permission to use the key:

  • Key Vault Premium: assign Key Vault Crypto Service Encryption User.
  • Managed HSM: assign Managed HSM Crypto Service Encryption User using local RBAC on the HSM or key scope.

This model applies to both Virtual Machines and AKS node OS disks.

Virtual Machines and Managed Disks

VM managed disks (OS and data) use the DES model described above. You can attach a DES when creating a VM or update disk encryption settings on existing managed disks to use that DES.

References

  • Server-side encryption of Azure Disk Storage
  • Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks

Azure Kubernetes Service

AKS node OS disk encryption also uses the DES model described above. Create the DES separately, then reference it when creating or updating a node pool.

Host-based encryption extends this further — encrypting the temp disk and OS cache of the node VM itself, not just the managed disks.

AKS inherits Managed HSM support through the same DES configuration.

References

  • Bring your own keys for AKS node OS disk encryption
  • Host-based encryption on AKS nodes
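The DES model from the three sections above (Disk Encryption Sets, Virtual Machines, AKS) worked through end to end, as an added example that is not Azure Citadel's own code: one DES backed by a Key Vault Premium or Managed HSM key, its identity granted access to the key, and the DES then attached to a new VM, to an existing managed disk, and to an AKS node pool with host-based encryption enabled. The subscription ID, resource names and the `KEY_SOURCE` and `DRY_RUN` switches are constructed placeholders; with `DRY_RUN=1`, the default, the `az` commands are printed rather than executed. Passing the Managed HSM resource ID as `--source-vault` is an assumption about the CLI that you should confirm against your CLI version.

```shell
#!/usr/bin/env bash
# Added example, not Azure Citadel's own code: one Disk Encryption Set (DES) backed by a
# Key Vault Premium or Managed HSM key, attached to a new VM, an existing managed disk and
# an AKS node pool. Names are constructed placeholders; DRY_RUN=1 (default) prints the az
# commands instead of running them. Passing the Managed HSM resource ID as --source-vault
# is an assumption about the CLI; confirm it against your CLI version.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-cmk-demo}"
DES_NAME="${DES_NAME:-des-prod-general}"
KEY_NAME="${KEY_NAME:-disk-cmk}"
KV_NAME="${KV_NAME:-kv-cmk-demo}"
HSM_NAME="${HSM_NAME:-mhsm-cmk-demo}"
KEY_SOURCE="${KEY_SOURCE:-keyvault}"   # keyvault | hsm
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }

kv_prefix="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.KeyVault"
key_store_id() {
  case "$KEY_SOURCE" in
    keyvault) echo "$kv_prefix/vaults/$KV_NAME" ;;
    hsm)      echo "$kv_prefix/managedHSMs/$HSM_NAME" ;;
    *)        echo "KEY_SOURCE must be keyvault or hsm" >&2; return 1 ;;
  esac
}
# Versionless key URL: required for automatic key rotation on the DES.
key_url() {
  case "$KEY_SOURCE" in
    keyvault) echo "https://$KV_NAME.vault.azure.net/keys/$KEY_NAME" ;;
    hsm)      echo "https://$HSM_NAME.managedhsm.azure.net/keys/$KEY_NAME" ;;
    *)        return 1 ;;
  esac
}
des_id() { echo "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Compute/diskEncryptionSets/$DES_NAME"; }

# The DES is created with a system-assigned identity; that identity, not the VM's, is what
# needs access to the key.
create_des() {
  run disk-encryption-set create --name "$DES_NAME" --resource-group "$RG" \
    --source-vault "$(key_store_id)" --key-url "$(key_url)" \
    --encryption-type EncryptionAtRestWithCustomerKey --enable-auto-key-rotation true
}

# Key Vault Premium: Azure RBAC at vault scope. Managed HSM: local RBAC on the single key.
grant_des_key_access() {
  case "$KEY_SOURCE" in
    keyvault) run role assignment create --assignee-object-id "$1" \
                --assignee-principal-type ServicePrincipal \
                --role "Key Vault Crypto Service Encryption User" --scope "$(key_store_id)" ;;
    hsm)      run keyvault role assignment create --hsm-name "$HSM_NAME" --assignee-object-id "$1" \
                --role "Managed HSM Crypto Service Encryption User" --scope "/keys/$KEY_NAME" ;;
    *)        return 1 ;;
  esac
}

# New VM: OS disk and the data disk reference the DES from creation.
create_vm_with_des() {
  run vm create --name "$1" --resource-group "$RG" --image Ubuntu2204 \
    --admin-username azureuser --generate-ssh-keys \
    --os-disk-encryption-set "$(des_id)" \
    --data-disk-sizes-gb 64 --data-disk-encryption-sets "$(des_id)"
}

# Existing managed disk: the VM must be deallocated (or the disk detached) before the switch.
encrypt_existing_disk() {
  run disk update --name "$1" --resource-group "$RG" \
    --disk-encryption-set "$(des_id)" --encryption-type EncryptionAtRestWithCustomerKey
}

# AKS: node OS disks use the DES; encryption at host additionally covers temp disk and cache.
create_aks_with_des() {
  run aks create --name "$1" --resource-group "$RG" --node-count 2 --generate-ssh-keys \
    --node-osdisk-diskencryptionset-id "$(des_id)" --enable-encryption-at-host
}

main() {
  create_des
  if [ "$DRY_RUN" = "1" ]; then des_principal="<principalId-of-$DES_NAME>"; else
    des_principal="$(az disk-encryption-set show --name "$DES_NAME" --resource-group "$RG" \
                     --query identity.principalId -o tsv)"; fi
  grant_des_key_access "$des_principal"
  create_vm_with_des vm-cmk-demo
  encrypt_existing_disk disk-legacy-data
  create_aks_with_des aks-cmk-demo
}
main
```

The VM, the disk and the AKS node pool never touch the key themselves; they reference the DES, and only the DES identity holds the wrap/unwrap permission. That is also why the "more than one DES" guidance later on the page matters: each DES is one identity with one key scope, so separate DES resources give you separate blast radii.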

Azure Container Instances

ACI supports CMK encryption for the container group’s OS disk, but the key must come from a standard Key Vault — Managed HSM is not yet supported for ACI.

The configuration is done at deployment time by specifying the key URI and a user-assigned managed identity in the container group resource definition. This is the one service in our scope where Managed HSM is not yet an option.

References

  • Encrypt deployment data with a customer-managed key

Azure SQL Managed Instance

SQL MI uses Transparent Data Encryption (TDE) with a CMK to protect database files and backups at rest. The CMK acts as the TDE protector: SQL MI wraps its database encryption keys using your key in Key Vault.

SQL MI needs a user-assigned managed identity with Key Vault Crypto Service Encryption User access on the key. You can set the TDE protector at instance creation or update it later.

Managed HSM is supported. The managed identity requires the Managed HSM Crypto Service Encryption User role on the HSM, assigned via the HSM local RBAC model. Note that SQL MI requires a user-assigned managed identity (not system-assigned) for both Key Vault and Managed HSM CMK configurations.
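The SQL MI configuration described above, as an added example that is not Azure Citadel's own code: a user-assigned managed identity is created and made the instance's primary identity, granted the key under the Key Vault or Managed HSM RBAC model, and then set as the TDE protector on an existing instance. The subscription ID, resource names and the `KEY_SOURCE` and `DRY_RUN` switches are constructed placeholders; with `DRY_RUN=1`, the default, the `az` commands are printed rather than executed, and the key version in the printed `kid` is a placeholder. The identity flags on `az sql mi update` are assumed to exist in your CLI version; check them before running without `DRY_RUN`.

```shell
#!/usr/bin/env bash
# Added example, not Azure Citadel's own code: TDE with a customer-managed key on an
# existing SQL Managed Instance. SQL MI requires a user-assigned identity, so the script
# creates one, makes it the instance's primary identity, grants it the key and sets the
# TDE protector. Names are constructed placeholders; DRY_RUN=1 (default) prints the az
# commands instead of running them. The az sql mi update identity flags are assumed.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-cmk-demo}"
MI_NAME="${MI_NAME:-sqlmi-cmk-demo}"
UAMI_NAME="${UAMI_NAME:-id-sqlmi-tde}"
KEY_NAME="${KEY_NAME:-sqlmi-tde-protector}"
KV_NAME="${KV_NAME:-kv-cmk-demo}"
HSM_NAME="${HSM_NAME:-mhsm-cmk-demo}"
KEY_SOURCE="${KEY_SOURCE:-keyvault}"   # keyvault | hsm
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }

uami_id() { echo "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$UAMI_NAME"; }

create_uami() { run identity create --name "$UAMI_NAME" --resource-group "$RG"; }

# SQL MI does not use a system-assigned identity for CMK; the user-assigned identity must
# also be marked as the instance's primary identity (flags assumed, see comment above).
attach_uami_to_mi() {
  run sql mi update --name "$MI_NAME" --resource-group "$RG" \
    --identity-type UserAssigned --user-assigned-identity-id "$(uami_id)" \
    --primary-user-assigned-identity-id "$(uami_id)"
}

# Same step-3 branch as the other services: Azure RBAC at vault scope for Key Vault,
# Managed HSM local RBAC on the key for Managed HSM.
grant_key_access() {
  case "$KEY_SOURCE" in
    keyvault) run role assignment create --assignee-object-id "$1" \
                --assignee-principal-type ServicePrincipal \
                --role "Key Vault Crypto Service Encryption User" \
                --scope "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV_NAME" ;;
    hsm)      run keyvault role assignment create --hsm-name "$HSM_NAME" --assignee-object-id "$1" \
                --role "Managed HSM Crypto Service Encryption User" --scope "/keys/$KEY_NAME" ;;
    *)        echo "KEY_SOURCE must be keyvault or hsm" >&2; return 1 ;;
  esac
}

# The TDE protector is set by key identifier (kid); az keyvault key show returns the
# versioned kid. In dry-run mode the version is a placeholder.
current_kid() {
  if [ "$DRY_RUN" = "1" ]; then
    case "$KEY_SOURCE" in
      keyvault) echo "https://$KV_NAME.vault.azure.net/keys/$KEY_NAME/<version>" ;;
      hsm)      echo "https://$HSM_NAME.managedhsm.azure.net/keys/$KEY_NAME/<version>" ;;
      *)        return 1 ;;
    esac
  else
    case "$KEY_SOURCE" in
      keyvault) az keyvault key show --vault-name "$KV_NAME" --name "$KEY_NAME" --query key.kid -o tsv ;;
      hsm)      az keyvault key show --hsm-name "$HSM_NAME" --name "$KEY_NAME" --query key.kid -o tsv ;;
      *)        return 1 ;;
    esac
  fi
}
set_tde_protector() {
  run sql mi tde-key set --managed-instance "$MI_NAME" --resource-group "$RG" \
    --server-key-type AzureKeyVault --kid "$(current_kid)"
}

main() {
  create_uami
  attach_uami_to_mi
  if [ "$DRY_RUN" = "1" ]; then uami_principal="<principalId-of-$UAMI_NAME>"; else
    uami_principal="$(az identity show --name "$UAMI_NAME" --resource-group "$RG" --query principalId -o tsv)"; fi
  grant_key_access "$uami_principal"
  set_tde_protector
}
main
```

The ordering matters in production: grant the identity access to the key before setting the protector, because SQL MI validates wrap and unwrap against the key when the protector changes, and a failed validation leaves the instance on its previous protector.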

References

  • TDE with customer-managed keys at the instance level
  • Azure SQL Managed Instance transparent data encryption with customer-managed key

When to create more than one Disk Encryption Set

Use more than one DES when you need clear separation of keys, ownership, or lifecycle.

  • Data classification boundaries - Isolate sensitive workloads (for example regulated or PII data) from general workloads.
  • Environment isolation - Keep development, test, and production on separate keys and DES resources.
  • Separate key vaults or HSMs - Use distinct DES resources when workloads point to different vault or HSM sources.
  • Access control separation - Split DES resources so each managed identity only has the minimum required key scope.
  • Different rotation policies - Run independent key rotation cadence for workloads with different change-control requirements.
  • Blast radius reduction - Limit operational impact if one key, role assignment, or DES configuration has an issue.

Broader support

Well over 100 Azure services now support CMK integration with Azure Key Vault, and most of them also support Managed HSM.

For a comprehensive list, see Services that support customer-managed keys in Azure Key Vault and Azure Managed HSM.

If you are assessing a service against a digital sovereignty audit checklist, that list is your first reference.

Notable exceptions

Some Azure services include elements of persistent storage but are not represented in the core list above because they use a different storage ownership or encryption model.

  • Azure Container Apps - Supports mounting Azure Files and storing container images and logs through dependent platform services, but it does not expose a single service-level CMK setting equivalent to DES.
  • Azure App Service - Persists application content and diagnostics through platform-managed storage layers; CMK posture depends on the underlying integrated services rather than a unified app-level BYOK switch.
  • Azure Functions (Consumption/Premium) - Can persist state, logs, and artifacts through Storage and Application Insights, so CMK decisions are typically applied on those backing services.
Source: https://www.azurecitadel.com/cmk/at-rest/
Published: 06 Mar 2026