sigs.k8s.io/cluster-api-provider-azure@v1.14.3/docs/book/src/topics/disk-encryption.md

# Disk Encryption
This document describes how to configure the encryption options for the disks of VMs that CAPZ provisions in Azure.

## Azure Disk Storage Server-Side Encryption
Azure Disk Storage Server-Side Encryption (SSE) is also referred to as encryption at rest. It applies to managed disks only: the VM's temporary disk and disk caches are not covered by this option (see the Encryption at Host section below).

Azure managed disks, i.e. OS and data disks, are always encrypted at rest with platform-managed keys. To control the key yourself, use customer-managed keys instead.

Customer-managed keys must be configured through a Disk Encryption Set (DES) resource that references your key in Azure Key Vault. The key vault must have soft delete and purge protection enabled, and the managed identity of the DES must be granted access to the key; CAPZ itself only needs the resource ID of the DES. For more information on Azure Disk Storage SSE, please see this [link](https://learn.microsoft.com/azure/virtual-machines/disk-encryption).

### Example with OS Disk using DES
When using customer-managed keys, you only need to provide the resource ID of the DES (of the form `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/diskEncryptionSets/<des-name>`) within the `managedDisk` spec. The same field exists under `dataDisks[].managedDisk` for data disks.

> **Note**: The DES must be in the same subscription and the same region as the disks it encrypts.

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: <machine-template-name>
  namespace: <namespace>
spec:
  template:
    spec:
      [...]
      osDisk:
        managedDisk:
          diskEncryptionSet:
            id: <disk_encryption_set_id>
      [...]
```

## Encryption at Host
Encryption at host is a VM-level option that complements Azure Disk Storage SSE: with it enabled, the temporary disk and the OS and data disk caches on the VM host are encrypted at rest as well, so all of the VM's disk data is encrypted end to end. It is enabled per machine through `securityProfile.encryptionAtHost` and can be combined with a DES for the managed disks.

Before enabling it, register the feature in the subscription (`az feature register --namespace Microsoft.Compute --name EncryptionAtHost`) and pick a VM size that supports it; otherwise Azure rejects the VM creation.

For more information on encryption at host, please see this [link](https://learn.microsoft.com/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data).

### Example with OS Disk using DES and Encryption at Host
```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: <machine-template-name>
  namespace: <namespace>
spec:
  template:
    spec:
      [...]
      osDisk:
        managedDisk:
          diskEncryptionSet:
            id: <disk_encryption_set_id>
      securityProfile:
        encryptionAtHost: true
      [...]
```
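
### Added example: OS disk and data disk with DES and Encryption at Host
The following template is an added example, not one from the CAPZ docs or project; it goes beyond the two examples above by covering a data disk as well, which is where the `dataDisks[].managedDisk.diskEncryptionSet` field comes in. The resource group `example-rg`, the DES name `example-des`, the all-zero subscription ID, the VM size and the disk sizes are placeholders you must replace with your own values.

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: example-encrypted-worker   # placeholder name
  namespace: default
spec:
  template:
    spec:
      # Other required fields (for example sshPublicKey) are omitted here.
      # Assumption: this VM size supports encryption at host in your region;
      # verify with `az vm list-skus` (capability EncryptionAtHostSupported).
      vmSize: Standard_D4s_v3
      osDisk:
        osType: Linux
        diskSizeGB: 128
        managedDisk:
          storageAccountType: Premium_LRS
          diskEncryptionSet:
            # Full ARM resource ID of the DES; it must be in the same
            # subscription and region as the disks (placeholder values).
            id: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/example-des
      dataDisks:
        - nameSuffix: data
          diskSizeGB: 256
          lun: 0
          managedDisk:
            storageAccountType: Premium_LRS
            diskEncryptionSet:
              # Same DES as the OS disk; a data disk without this field
              # falls back to platform-managed keys.
              id: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/diskEncryptionSets/example-des
      securityProfile:
        # Encrypts the temp disk and disk caches on the host as well.
        encryptionAtHost: true
```

Leaving `diskEncryptionSet` off any one disk silently leaves that disk on platform-managed keys, so when customer-managed keys are a requirement, set it on every `managedDisk` entry rather than only on `osDisk`.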