Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

Images in an Azure Compute Gallery (formerly known as Shared Image Gallery) are stored as snapshots. These snapshots are automatically encrypted at rest with server-side encryption using 256-bit AES. Server-side encryption is also FIPS 140-2 compliant. For more information about the cryptographic modules underlying Azure managed disks, see Cryptography API: Next Generation.

You can rely on platform-managed keys for the encryption of your images, or use your own keys. You can also use both together for double encryption at rest. If you choose to manage encryption with your own keys, you specify a customer-managed key that is used to encrypt and decrypt all disks in your images.

Server-side encryption with customer-managed keys uses Azure Key Vault. You can either import your own RSA keys into your key vault or generate new RSA keys in Azure Key Vault. The gallery never references the key directly: it references a disk encryption set, which in turn points at the key in the vault.

Prerequisites. This article requires that you already have a disk encryption set in each region where you want to replicate your image:

- To use only a customer-managed key, see the articles about enabling customer-managed keys with server-side encryption by using the Azure portal or PowerShell.
- To use both platform-managed and customer-managed keys (double encryption), see the articles about enabling double encryption at rest by using the Azure portal or PowerShell. You must use the link given there to access the Azure portal: double encryption at rest is not currently visible in the public Azure portal unless you use that link.

Limitations. When you're using customer-managed keys to encrypt images in an Azure Compute Gallery, these limitations apply:

- Encryption key sets must be in the same subscription as your image.
- Encryption key sets are regional resources, so each target region requires its own encryption key set.
- After you've used your own keys to encrypt an image, you can't go back to using platform-managed keys for those images.
- A VM image version used as the source doesn't currently support customer-managed key encryption. Features such as replicating an SSE+CMK image or creating an image from an SSE+CMK encrypted disk are not supported.

PowerShell. To specify a disk encryption set for an image version, use New-AzGalleryImageVersion with the -TargetRegion parameter. Each entry in -TargetRegion is a hashtable that names the region, the replica count, the storage account type and an Encryption hashtable; the page's own snippet survives only in fragments, re-assembled here, with the disk encryption set IDs (which build $encryption1 and $encryption2 from $osDiskImageEncryption and $eastUS2osDiskImageEncryption) not preserved on the page:

```powershell
# $encryption1 / $encryption2 hold the OS and data disk encryption set IDs for each region;
# $rgName, $galleryName, $versionName, $location and $sourceId are assumed to be set earlier.
$region1 = @{Name='West US';   ReplicaCount=1; StorageAccountType='Standard_LRS'; Encryption=$encryption1}
$region2 = @{Name='East US 2'; ReplicaCount=1; StorageAccountType='Standard_LRS'; Encryption=$encryption2}
New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName `
    -GalleryImageDefinitionName $imageDefinitionName `
    -Name $versionName -Location $location -SourceImageId $sourceId -TargetRegion @($region1, $region2)
```

Create a VM. You can create a virtual machine (VM) from an Azure Compute Gallery and use customer-managed keys to encrypt its disks. The syntax is the same as creating a generalized or specialized VM from an image. Use the extended parameter set and add `Set-AzVMOSDisk -Name $($vmName + "_OSDisk") -DiskEncryptionSetId $diskEncryptionSet.Id -CreateOption FromImage` to the VM configuration. For data disks, add the `-DiskEncryptionSetId $setID` parameter when you call Add-AzVMDataDisk. The disk encryption set you pass must be in the region where the VM is created, not necessarily the one used for the image replica.

CLI. To specify a disk encryption set for an image version, use az sig image-version create (the page's text names the older form, az image gallery create-image-version) with the --target-region-encryption parameter. The value of --target-region-encryption is a comma-separated list of the disk encryption sets for the OS disk and for each data disk LUN, given per target region.
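The following is an added example, not code from the page or from Microsoft: it builds the -TargetRegion hashtables for two regions, checks each disk encryption set against the two limitations above (same subscription as the image, located in the target region) before replicating, creates the image version, and then configures a VM from it with Set-AzVMOSDisk and Add-AzVMDataDisk carrying -DiskEncryptionSetId. It assumes an Az PowerShell session that is already signed in, an existing gallery and image definition, a disk encryption set pair already created in each region, and a NIC ($nic) and admin credential ($cred) for the VM; every resource name and ID below is a placeholder.

```powershell
# Added example (not the page's code). Assumes Connect-AzAccount has run and the
# gallery, image definition and disk encryption sets (DES) already exist.
$rgName              = 'myGalleryRG'
$galleryName         = 'myGallery'
$imageDefinitionName = 'myImageDefinition'
$versionName         = '1.0.0'
$location            = 'West US'   # home region of the gallery
$sourceImageId       = '/subscriptions/<subscription-id>/resourceGroups/myGalleryRG/providers/Microsoft.Compute/images/mySourceImage'

# One DES pair per target region: a DES is regional and must be in the image's subscription.
$desByRegion = @{
    'West US'   = @{ Os = 'des-westus-os';  Data = 'des-westus-data'  }
    'East US 2' = @{ Os = 'des-eastus2-os'; Data = 'des-eastus2-data' }
}

function Test-DesUsableForRegion {
    # Fail early instead of letting replication fail after the snapshot copy starts.
    param([Parameter(Mandatory)]$Des, [Parameter(Mandatory)][string]$Region)
    $subId = (Get-AzContext).Subscription.Id
    if ((($Des.Id -split '/')[2]) -ne $subId) {
        throw "DES $($Des.Name) is not in subscription $subId"
    }
    # Az reports the short region name ('westus'); normalize the display name to compare.
    if ($Des.Location -ne (($Region -replace '\s', '').ToLower())) {
        throw "DES $($Des.Name) is in $($Des.Location), not in $Region"
    }
}

function New-EncryptedTargetRegion {
    param([string]$Region, [string]$OsDesName, [string]$DataDesName)
    $osDes   = Get-AzDiskEncryptionSet -ResourceGroupName $rgName -Name $OsDesName
    $dataDes = Get-AzDiskEncryptionSet -ResourceGroupName $rgName -Name $DataDesName
    Test-DesUsableForRegion -Des $osDes   -Region $Region
    Test-DesUsableForRegion -Des $dataDes -Region $Region
    return @{
        Name               = $Region
        ReplicaCount       = 1
        StorageAccountType = 'Standard_LRS'
        Encryption         = @{
            OSDiskImage    = @{ DiskEncryptionSetId = $osDes.Id }
            # One entry per data disk in the image, keyed by LUN; a single disk at LUN 0 here.
            DataDiskImages = @( @{ DiskEncryptionSetId = $dataDes.Id; Lun = 0 } )
        }
    }
}

$targetRegions = foreach ($r in $desByRegion.Keys) {
    New-EncryptedTargetRegion -Region $r -OsDesName $desByRegion[$r].Os -DataDesName $desByRegion[$r].Data
}

$imageVersion = New-AzGalleryImageVersion `
    -ResourceGroupName $rgName `
    -GalleryName $galleryName `
    -GalleryImageDefinitionName $imageDefinitionName `
    -Name $versionName `
    -Location $location `
    -SourceImageId $sourceImageId `
    -TargetRegion $targetRegions

# Build a VM in West US from that version; OS and data disks use the West US DES.
# $nic (a NIC in West US) and $cred (admin credential) are assumed to exist.
$vmName = 'myCmkVm'
$vmDes  = Get-AzDiskEncryptionSet -ResourceGroupName $rgName -Name $desByRegion['West US'].Os
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3'
$vm = Set-AzVMSourceImage -VM $vm -Id $imageVersion.Id
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $vmName -Credential $cred
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm = Set-AzVMOSDisk -VM $vm -Name ($vmName + '_OSDisk') -DiskEncryptionSetId $vmDes.Id -CreateOption FromImage
$vm = Add-AzVMDataDisk -VM $vm -Name ($vmName + '_DataDisk0') -Lun 0 -CreateOption FromImage -DiskEncryptionSetId $vmDes.Id
New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm
```

The DES checks are the part worth keeping even if the rest is adapted: a DES from another subscription or region is rejected by the service, but only after the image version has been accepted and replication has started, so validating the IDs before calling New-AzGalleryImageVersion saves a failed, partially replicated version. The VM step reuses the West US OS DES for the data disk only for brevity; a DES per disk class is fine and is what the image replica above uses.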