Description
Preconditions
- No need to upgrade Python SDK or the Python SDK is ready.
Related command
No response
Resource Provider
N/A
Description of Feature or Work Requested
The ask: add support for creating a data disk with the new security type and a confidential DES (disk encryption set).
Business need:
Currently, Confidential VMs (CVMs) support confidential encryption for OS disks, but data disks still rely on non-confidential encryption, leaving a critical gap in Azure's sovereignty promise for critical customers such as G42. This gap affects not only migrated VMs but also newly provisioned CVMs, leaving sensitive customer data on data disks exposed and undermining the value proposition of Azure Confidential Computing (ACC). For G42, whose workloads are largely legacy IaaS applications migrated via Azure Migrate, the inability to confidentially encrypt data disks means that sensitive information remains exposed to host access, failing to meet customer expectations for end-to-end confidentiality and regulatory compliance. The absence of confidential data disk encryption (CDDE) is quickly apparent to auditors and regulators, posing significant reputational and onboarding risk, especially since a customer's risk acceptance is volatile and may not survive changes in personnel or regulatory scrutiny. Without a committed timeline for CDDE, customers question Azure's commitment to security and may reconsider the value of CVMs, opting instead for alternatives such as RBAC and CMK that offer demonstrable control and auditability. To fully deliver on the promise of confidential computing and maintain customer trust, confidential data disk encryption must be prioritized and brought to General Availability as soon as possible.
Overview:
Confidential encryption binds the disk encryption keys to the virtual machine's TPM (Trusted Platform Module) and makes the disk content accessible only to that VM. This is currently generally available (GA) for OS disks. We also enabled confidential encryption of temp disks (in public preview) using in-VM symmetric-key encryption, applied after the disk is attached to the confidential VM (CVM). Similarly, we need a robust long-term solution to assert that the customer's data on data disks is always encrypted with keys bound to the trusted environment, so the data can never be accessed by unauthorized Microsoft operators.
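The gap the overview describes is exactly what an auditor checks for, so here is that check as an added example (not code from this issue, from azure-cli, or from the Azure SDK). It reads disk documents in the shape `az disk list -o json` returns, treats a VM as a CVM when its OS disk carries a `ConfidentialVM_*` security type, and flags attached data disks whose keys are not TPM-bound, even when they use a customer-managed-key (CMK) disk encryption set. The disk documents below are constructed sample data; the property names follow the Microsoft.Compute/disks resource (`securityProfile.securityType`, `securityProfile.secureVmDiskEncryptionSetId`, `encryption.type`, `managedBy`), and it is assumed that the CLI flattens `properties` to the top level as it does for other resources.

```python
"""Flag data disks attached to confidential VMs that lack confidential encryption.

Added example; not code from azure-cli or the Azure SDK. Input documents use
the shape `az disk list -o json` returns (assumed: `properties` flattened to
the top level, camelCase keys). SAMPLE_DISKS_JSON is constructed sample data.
"""
import json

# Disk security types whose encryption keys are bound to the CVM's vTPM.
# ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey marks a CVM but
# only protects guest state, not the disk's data, so it is not in this set.
CONFIDENTIAL_DISK_TYPES = {
    "ConfidentialVM_DiskEncryptedWithCustomerKey",
    "ConfidentialVM_DiskEncryptedWithPlatformKey",
}

VM = "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/"
DES = "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/"

# Constructed sample: one CVM with a CMK (non-confidential) data disk, one
# Trusted Launch VM, one guest-state-only CVM, and one unattached disk.
SAMPLE_DISKS_JSON = json.dumps([
    {"name": "cvm01-os", "osType": "Linux", "managedBy": VM + "cvm01",
     "securityProfile": {"securityType": "ConfidentialVM_DiskEncryptedWithCustomerKey",
                         "secureVmDiskEncryptionSetId": DES + "cvm-des"}},
    {"name": "cvm01-data0", "managedBy": VM + "cvm01",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": DES + "cmk-des"}},
    {"name": "vm02-os", "osType": "Windows", "managedBy": VM + "vm02",
     "securityProfile": {"securityType": "TrustedLaunch"}},
    {"name": "vm02-data0", "managedBy": VM + "vm02",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "cvm03-os", "osType": "Linux", "managedBy": VM + "cvm03",
     "securityProfile": {"securityType": "ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey"}},
    {"name": "cvm03-data0", "managedBy": VM + "cvm03",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "orphan-data", "managedBy": None,
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": DES + "cmk-des"}},
])


def classify(disk: dict) -> dict:
    """Reduce one disk document to the fields the audit needs."""
    profile = disk.get("securityProfile") or {}
    enc = disk.get("encryption") or {}
    sec_type = profile.get("securityType", "Standard")
    return {
        "name": disk["name"],
        # OS disks carry osType; data disks do not.
        "role": "os" if disk.get("osType") else "data",
        "vm": disk.get("managedBy"),
        "securityType": sec_type,
        "cvm": sec_type.startswith("ConfidentialVM_"),
        "confidential": sec_type in CONFIDENTIAL_DISK_TYPES,
        "cmk": enc.get("type") == "EncryptionAtRestWithCustomerKey",
    }


def cvm_data_disk_gaps(disks: list) -> list:
    """Return (disk name, reason) for data disks on CVMs whose keys are not TPM-bound.

    A VM counts as a CVM when its OS disk has any ConfidentialVM_* security type.
    """
    reports = [classify(d) for d in disks]
    cvms = {r["vm"] for r in reports if r["role"] == "os" and r["cvm"] and r["vm"]}
    gaps = []
    for r in reports:
        if r["role"] != "data" or r["vm"] not in cvms or r["confidential"]:
            continue
        # A CMK DES is still platform-held encryption at rest; the key is
        # released to the host, not bound to the VM's TPM.
        reason = "CMK DES only (not bound to vTPM)" if r["cmk"] else "platform-managed key only"
        gaps.append((r["name"], reason))
    return gaps


def audit(disks_json: str = SAMPLE_DISKS_JSON) -> list:
    """Parse a JSON disk list (e.g. saved `az disk list -o json`) and audit it."""
    return cvm_data_disk_gaps(json.loads(disks_json))


if __name__ == "__main__":
    for name, reason in audit():
        print(f"{name}: {reason}")
```

The `cvm01-os` entry mirrors what today's OS-disk flags on `az disk create` (`--security-type ConfidentialVM_DiskEncryptedWithCustomerKey --secure-vm-disk-encryption-set <DES id>`) produce; `cvm01-data0`, a CMK-encrypted data disk on the same VM, is flagged because a regular DES does not bind the key to the vTPM, which is the gap this issue asks to close.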
Minimum API Version Required
N/A
Swagger PR link / SDK link
N/A
Request Example
No response
Target Date
N/A
PM Contact
Engineer Contact
Additional context
No response