Commit 1d2219f

Update virtual-machines-managed-disks-description-customer-managed-keys.md
Updated documentation to include expected VM behavior during key expiry / disable / delete / rotate scenarios.
1 parent 887b715 commit 1d2219f

1 file changed

+7
-1
lines changed

includes/virtual-machines-managed-disks-description-customer-managed-keys.md

Lines changed: 7 additions & 1 deletion
@@ -24,7 +24,10 @@ Managed Disks and the key vault or managed HSM must be in the same region and in
2424

2525
You must grant access to managed disks in your Key Vault or managed HSM to use your keys for encrypting and decrypting the DEK. This allows you full control of your data and keys. You can disable your keys or revoke access to managed disks at any time. You can also audit the encryption key usage with Azure Key Vault monitoring to ensure that only managed disks or other trusted Azure services are accessing your keys.
2626

27-
When you disable or delete your key, any VMs with disks using that key will automatically shut down. After this, the VMs will not be usable unless the key is enabled again or you assign a new key.
27+
When a key is either disabled, deleted, or expired, any VMs with disks using that key will automatically shut down. After this, the VMs will not be usable unless the key is enabled again or you assign a new key.
28+
29+
> [!NOTE]
30+
> It is generally expected that Disk I/O (read or write operations) will start to fail 1 hour after a key is either disabled, deleted, or expired.
2831
2932
The following diagram shows how managed disks use Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:
3033

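Review bot: The new NOTE and the sentence it follows leave the ordering of the two effects ambiguous: the paragraph says VMs "will automatically shut down" when a key is disabled, deleted, or expired, while the note says disk I/O "will start to fail 1 hour after" the same events, so a reader cannot tell whether the shutdown is immediate and the one-hour figure is an upper bound on lingering I/O, or whether the VM keeps running for up to an hour and is only then shut down. State the sequence explicitly, and replace "It is generally expected that" with a statement of whether one hour is a guaranteed maximum or a typical value; an operator who disables a key as a containment step needs to know how long data remains readable. Also, "unless the key is enabled again" now sits after a sentence that includes the expired case, where re-enabling is not the remedy; say what restores access for an expired key.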
@@ -46,3 +49,6 @@ To revoke access to customer-managed keys, see [Azure Key Vault PowerShell](/pow
4649
#### Automatic key rotation of customer-managed keys
4750

4851
You can choose to enable automatic key rotation to the latest key version. A disk references a key via its disk encryption set. When you enable automatic rotation for a disk encryption set, the system will automatically update all managed disks, snapshots, and images referencing the disk encryption set to use the new version of the key within one hour. To learn how to enable customer-managed keys with automatic key rotation, see [Set up an Azure Key Vault and DiskEncryptionSet with automatic key rotation](../articles/virtual-machines/windows/disks-enable-customer-managed-keys-powershell.md#set-up-an-azure-key-vault-and-diskencryptionset-optionally-with-automatic-key-rotation).
52+
53+
> [!NOTE]
54+
> Virtual Machines will not be rebooted during automatic key rotation.
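Review bot: The note says VMs are not rebooted during rotation but does not say whether the previous key version must remain enabled and unexpired until the "within one hour" update of every referencing disk, snapshot, and image completes; given the shutdown behaviour this same commit documents for disabled or expired keys, a reader automating rotation (rotate, then immediately disable the old version) would want that stated in the note, for example "Do not disable or expire the previous key version until rotation has completed." Minor style point: the surrounding text uses "VMs", so "Virtual Machines" in the note is inconsistent.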