Merge pull request #224949 from roygara/crossUpdates

JamesJBarnett · web-flow · commit 4d1642de40e3 · 2023-02-21T20:15:00.000-07:00
Cross disk encryption set restrictions updates
diff --git a/articles/virtual-machines/disk-encryption.md b/articles/virtual-machines/disk-encryption.md
@@ -41,8 +41,6 @@ By default, managed disks use platform-managed encryption keys. All managed disk
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you cannot disable it.
-    If you need to work around this, you must copy all the data using either the [Azure PowerShell module](windows/disks-upload-vhd-to-managed-disk-powershell.md#copy-a-managed-disk) or the [Azure CLI](linux/disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk), to an entirely different managed disk that isn't using customer-managed keys.
 [!INCLUDE [virtual-machines-managed-disks-customer-managed-keys-restrictions](../../includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md)]
 
 #### Supported regions
diff --git a/articles/virtual-machines/disks-enable-customer-managed-keys-portal.md b/articles/virtual-machines/disks-enable-customer-managed-keys-portal.md
@@ -3,7 +3,7 @@ title: Azure portal - Enable customer-managed keys with SSE - managed disks
 description: Enable customer-managed keys on your managed disks through the Azure portal.
 author: roygara
 
-ms.date: 01/19/2023
+ms.date: 02/22/2023
 ms.topic: how-to
 ms.author: rogarana
 ms.service: storage
@@ -20,13 +20,6 @@ Azure Disk Storage allows you to manage your own keys when using server-side enc
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you can't disable it.
-    If you need to work around this, you must copy all the data to an entirely different managed disk that isn't using customer-managed keys:
-
-    - For Linux: [Copy a managed disk](./linux/disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk)
-
-    - For Windows: [Copy a managed disk](./windows/disks-upload-vhd-to-managed-disk-powershell.md#copy-a-managed-disk)
-
 [!INCLUDE [virtual-machines-managed-disks-customer-managed-keys-restrictions](../../includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md)]
 
 The following sections cover how to enable and use customer-managed keys for managed disks:
diff --git a/articles/virtual-machines/image-version-encryption.md b/articles/virtual-machines/image-version-encryption.md
@@ -6,7 +6,7 @@ ms.service: virtual-machines
 ms.subservice: gallery
 ms.workload: infrastructure-services
 ms.topic: how-to
-ms.date: 1/11/2023
+ms.date: 02/22/2023
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
 ms.devlang: azurecli
 ---
@@ -40,9 +40,7 @@ When you're using customer-managed keys for encrypting images in an Azure Comput
 
 - Encryption key sets are regional resources, so each region requires a different encryption key set.
 
-- You can't copy or share images that use customer-managed keys. 
-
-- After you've used your own keys to encrypt a disk or image, you can't go back to using platform-managed keys for encrypting those disks or images.
+- After you've used your own keys to encrypt an image, you can't go back to using platform-managed keys for encrypting those images.
 
 - VM image version source doesn't currently support customer-managed key encryption.
 
diff --git a/articles/virtual-machines/linux/disks-enable-customer-managed-keys-cli.md b/articles/virtual-machines/linux/disks-enable-customer-managed-keys-cli.md
@@ -2,7 +2,7 @@
 title: Azure CLI - Enable customer-managed keys with SSE - managed disks
 description: Enable customer-managed keys on your managed disks with the Azure CLI.
 author: roygara
-ms.date: 03/15/2022
+ms.date: 02/22/2023
 ms.topic: how-to
 ms.author: rogarana
 ms.service: storage
@@ -20,8 +20,6 @@ Azure Disk Storage allows you to manage your own keys when using server-side enc
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you cannot disable it.
-    If you need to work around this, you must [copy all the data](disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk) to an entirely different managed disk that isn't using customer-managed keys.
 [!INCLUDE [virtual-machines-managed-disks-customer-managed-keys-restrictions](../../../includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md)]
 
 ## Create resources
diff --git a/articles/virtual-machines/scripts/copy-managed-disks-to-same-or-different-subscription.md b/articles/virtual-machines/scripts/copy-managed-disks-to-same-or-different-subscription.md
@@ -9,14 +9,14 @@ ms.subservice: disks
 ms.devlang: azurecli
 ms.topic: sample
 ms.workload: infrastructure
-ms.date: 02/23/2022
+ms.date: 02/22/2023
 ms.author: ramankum
 ms.custom: mvc
 ---
 
 # Copy managed disks to same or different subscription with CLI
 
-This script copies a managed disk to same or different subscription but in the same region. The copy works only when the subscriptions are part of the same Azure AD tenant.
+This article contains two scripts. The first script copies a managed disk that's using platform-managed keys to same or different subscription but in the same region. The second script copies a managed disk that's using customer-managed keys to the same or a different subscription in the same region. Either copy only works when the subscriptions are part of the same Azure AD tenant.
 
 [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
 
@@ -26,10 +26,54 @@ This script copies a managed disk to same or different subscription but in the s
 
 [!INCLUDE [cli-launch-cloud-shell-sign-in.md](../../../includes/cli-launch-cloud-shell-sign-in.md)]
 
-### Run the script
+### Disks with platform-managed keys
 
 :::code language="azurecli" source="~/azure_cli_scripts/virtual-machine/copy-managed-disks-to-same-or-different-subscription/copy-managed-disks-to-same-or-different-subscription.sh" id="FullScript":::
 
+### Disks with customer-managed keys
+
+```azurecli
+#Provide the subscription Id of the subscription where managed disk exists
+sourceSubscriptionId="<subscriptionId>"
+
+#Provide the name of your resource group where managed disk exists
+sourceResourceGroupName=mySourceResourceGroupName
+
+#Provide the name of the managed disk
+managedDiskName=myDiskName
+
+#Provide the name of the target disk encryption set
+diskEncryptionSetName=myName
+
+#Provide the target disk encryption set resource group
+diskEncryptionResourceGroup=myGroup
+
+#Set the context to the subscription Id where managed disk exists
+az account set --subscription $sourceSubscriptionId
+
+#Get the managed disk Id 
+managedDiskId=$(az disk show --name $managedDiskName --resource-group $sourceResourceGroupName --query [id] -o tsv)
+
+#If managedDiskId is blank then it means that managed disk does not exist.
+echo 'source managed disk Id is: ' $managedDiskId
+
+#Get the disk encryption set ID
+diskEncryptionSetId=$(az disk-encryption-set show --name $diskEncryptionSetName --resource-group $diskEncryptionResourceGroup)
+
+#Provide the subscription Id of the subscription where managed disk will be copied to
+targetSubscriptionId=6492b1f7-f219-446b-b509-314e17e1efb0
+
+#Name of the resource group where managed disk will be copied to
+targetResourceGroupName=mytargetResourceGroupName
+
+#Set the context to the subscription Id where managed disk will be copied to
+az account set --subscription $targetSubscriptionId
+
+#Copy managed disk to different subscription using managed disk Id and disk encryption set ID
+#Add --location parameter to change the location
+az disk create -g $targetResourceGroupName -n $managedDiskName --source $managedDiskId --disk-encryption-set $diskEncrpytonSetId
+```
+
 ## Clean up resources
 
 Run the following command to remove the resource group, VM, and all related resources.
@@ -53,4 +97,4 @@ This script uses following commands to create a new managed disk in the target s
 
 For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).
 
-Additional virtual machine and managed disks CLI script samples can be found in the [Azure Linux VM documentation](../linux/cli-samples.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
+More virtual machine and managed disks CLI script samples can be found in the [Azure Linux VM documentation](../linux/cli-samples.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
diff --git a/articles/virtual-machines/scripts/copy-snapshot-to-same-or-different-subscription.md b/articles/virtual-machines/scripts/copy-snapshot-to-same-or-different-subscription.md
@@ -8,14 +8,14 @@ ms.service: storage
 ms.subservice: disks
 ms.topic: sample
 ms.workload: infrastructure
-ms.date: 02/23/2022
+ms.date: 02/22/2023
 ms.author: ramankum
 ms.custom: mvc
 ---
 
 # Copy snapshot of a managed disk to same or different subscription with CLI
 
-This script copies a snapshot of a managed disk to same or different subscription. Use this script for the following scenarios:
+This article contains two scripts. The first script copies a snapshot of a managed disk that was using platform-managed keys to the same or a different subscription. The second script copies a snapshot of a managed disk that was using customer-managed keys to the same or a different subscription. These scripts can be used for the following scenarios:
 
 - Migrate a snapshot in Premium storage (Premium_LRS) to Standard storage (Standard_LRS or Standard_ZRS) to reduce your cost.
 - Migrate a snapshot from locally redundant storage (Premium_LRS, Standard_LRS) to zone redundant storage (Standard_ZRS) to benefit from the higher reliability of ZRS storage.
@@ -32,10 +32,58 @@ This script copies a snapshot of a managed disk to same or different subscriptio
 
 [!INCLUDE [cli-launch-cloud-shell-sign-in.md](../../../includes/cli-launch-cloud-shell-sign-in.md)]
 
-### Run the script
+### Disks with platform-managed keys
 
 :::code language="azurecli" source="~/azure_cli_scripts/virtual-machine/copy-snapshot-to-same-or-different-subscription/copy-snapshot-to-same-or-different-subscription.sh" id="FullScript":::
 
+### Disks with customer-managed keys
+
+```azurecli
+#Provide the subscription Id of the subscription where snapshot exists
+sourceSubscriptionId="<subscriptionId>"
+
+#Provide the name of your resource group where snapshot exists
+sourceResourceGroupName=mySourceResourceGroupName
+
+#Provide the name of the target disk encryption set
+diskEncryptionSetName=myName
+
+#Provide the target disk encryption set resource group
+diskEncryptionResourceGroup=myGroup
+
+#Provide the name of the snapshot
+snapshotName=mySnapshotName
+
+#Set the context to the subscription Id where snapshot exists
+az account set --subscription $sourceSubscriptionId
+
+#Get the snapshot Id 
+snapshotId=$(az snapshot show --name $snapshotName --resource-group $sourceResourceGroupName --query [id] -o tsv)
+
+#If snapshotId is blank then it means that snapshot does not exist.
+echo 'source snapshot Id is: ' $snapshotId
+
+#Get the disk encryption set ID
+diskEncryptionSetId=$(az disk-encryption-set show --name $diskEncryptionSetName --resource-group $diskEncryptionResourceGroup)
+
+#Provide the subscription Id of the subscription where snapshot will be copied to
+#If snapshot is copied to the same subscription then you can skip this step
+targetSubscriptionId=6492b1f7-f219-446b-b509-314e17e1efb0
+
+#Name of the resource group where snapshot will be copied to
+targetResourceGroupName=mytargetResourceGroupName
+
+#Set the context to the subscription Id where snapshot will be copied to
+#If snapshot is copied to the same subscription then you can skip this step
+az account set --subscription $targetSubscriptionId
+
+#Copy snapshot to different subscription using the snapshot Id
+#We recommend you to store your snapshots in Standard storage to reduce cost. Please use Standard_ZRS in regions where zone redundant storage (ZRS) is available, otherwise use Standard_LRS
+#Please check out the availability of ZRS here: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs#support-coverage-and-regional-availability
+#To change the region, use the --location parameter
+az snapshot create -g $targetResourceGroupName -n $snapshotName --source $snapshotId --disk-encryption-set $diskEncryptionSetID --sku Standard_LRS --encryption-type EncryptionAtRestWithCustomerKey
+```
+
 ## Clean up resources
 
 Run the following command to remove the resource group, VM, and all related resources.
@@ -59,4 +107,4 @@ This script uses following commands to create a snapshot in the target subscript
 
 For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).
 
-Additional virtual machine and managed disks CLI script samples can be found in the [Azure Linux VM documentation](../linux/cli-samples.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
+More virtual machine and managed disks CLI script samples can be found in the [Azure Linux VM documentation](../linux/cli-samples.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
diff --git a/articles/virtual-machines/scripts/create-managed-disk-from-snapshot.md b/articles/virtual-machines/scripts/create-managed-disk-from-snapshot.md
@@ -15,14 +15,14 @@ ms.devlang: azurecli
 ms.topic: sample
 ms.tgt_pltfrm: vm-linux
 ms.workload: infrastructure
-ms.date: 02/23/2022
+ms.date: 02/22/2023
 ms.author: ramankum
 ms.custom: mvc
 ---
 
 # Create a managed disk from a snapshot with CLI (Linux)
 
-This script creates a managed disk from a snapshot. Use it to restore a virtual machine from snapshots of OS and data disks. Create OS and data managed disks from respective snapshots and then create a new virtual machine by attaching managed disks. You can also restore data disks of an existing VM by attaching data disks created from snapshots.
+This article contains two scripts for creating a managed disk from a snapshot. The first script is for a managed disk with platform-managed keys and the second script is for a managed disk with customer-managed keys. Use these scripts to restore a virtual machine from snapshots of OS and data disks. Create OS and data managed disks from respective snapshots and then create a new virtual machine by attaching managed disks. You can also restore data disks of an existing VM by attaching data disks created from snapshots.
 
 [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
 
@@ -32,10 +32,52 @@ This script creates a managed disk from a snapshot. Use it to restore a virtual
 
 [!INCLUDE [cli-launch-cloud-shell-sign-in.md](../../../includes/cli-launch-cloud-shell-sign-in.md)]
 
-### Run the script
+### Disks with platform-managed keys
 
 :::code language="azurecli" source="~/azure_cli_scripts/virtual-machine/create-managed-disks-from-snapshot/create-managed-disks-from-snapshot.sh" id="FullScript":::
 
+### Disks with customer-managed keys
+
+```azurecli
+#Provide the subscription Id of the subscription where you want to create Managed Disks
+subscriptionId="<subscriptionId>"
+
+#Provide the name of your resource group
+resourceGroupName=myResourceGroupName
+
+#Provide the name of the snapshot that will be used to create Managed Disks
+snapshotName=mySnapshotName
+
+#Provide the name of the new Managed Disks that will be create
+diskName=myDiskName
+
+#Provide the size of the disks in GB. It should be greater than the VHD file size.
+diskSize=128
+
+#Provide the storage type for Managed Disk. Premium_LRS or Standard_LRS.
+storageType=Premium_LRS
+
+#Provide the name of the target disk encryption set
+diskEncryptionSetName=myName
+
+#Provide the target disk encryption set resource group
+diskEncryptionResourceGroup=myGroup
+
+#Set the context to the subscription Id where Managed Disk will be created
+az account set --subscription $subscriptionId
+
+#Get the snapshot Id 
+snapshotId=$(az snapshot show --name $snapshotName --resource-group $resourceGroupName --query [id] -o tsv)
+
+#Get the disk encryption set ID
+diskEncryptionSetId=$(az disk-encryption-set show --name $diskEncryptionSetName --resource-group $diskEncryptionResourceGroup)
+
+#Create a new Managed Disks using the snapshot Id
+#Note that managed disk will be created in the same location as the snapshot
+#To change the location, add the --location parameter
+az disk create -g $resourceGroupName -n $diskName --source $snapshotId --disk-encryption-set $diskEncryptionSetID --location eastus2euap
+```
+
 ## Clean up resources
 
 Run the following command to remove the resource group, VM, and all related resources.
@@ -59,4 +101,4 @@ This script uses following commands to create a managed disk from a snapshot. Ea
 
 For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).
 
-Additional virtual machine and managed disks CLI script samples can be found in the [Azure Linux VM documentation](../linux/cli-samples.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
+More virtual machine and managed disks CLI script samples can be found in the [Azure Linux VM documentation](../linux/cli-samples.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
diff --git a/articles/virtual-machines/windows/disks-enable-customer-managed-keys-powershell.md b/articles/virtual-machines/windows/disks-enable-customer-managed-keys-powershell.md
@@ -2,7 +2,7 @@
 title: Azure PowerShell - Enable customer-managed keys with SSE - managed disks
 description: Enable server-side encryption using customer-managed keys on your managed disks with Azure PowerShell.
 author: roygara
-ms.date: 11/02/2021
+ms.date: 02/22/2023
 ms.topic: how-to
 ms.author: rogarana
 ms.service: storage
@@ -20,8 +20,6 @@ Azure Disk Storage allows you to manage your own keys when using server-side enc
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you cannot disable it.
-    If you need to work around this, you must [copy all the data](disks-upload-vhd-to-managed-disk-powershell.md#copy-a-managed-disk) to an entirely different managed disk that isn't using customer-managed keys.
 [!INCLUDE [virtual-machines-managed-disks-customer-managed-keys-restrictions](../../../includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md)]
 
 ## Set up an Azure Key Vault and DiskEncryptionSet optionally with automatic key rotation
diff --git a/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md b/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md
@@ -5,18 +5,19 @@
  author: roygara
  ms.service: virtual-machines
  ms.topic: include
- ms.date: 10/12/2022
+ ms.date: 02/21/2023
  ms.author: rogarana
  ms.custom: include file
 ---
+- If this feature is enabled for a disk with incremental snapshots, it can't be disabled on that disk or its snapshots.
+    To work around this, copy all the data to an entirely different managed disk that isn't using customer-managed keys. You can do that with either the [Azure CLI](../articles/virtual-machines/linux/disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk) or the [Azure PowerShell module](../articles/virtual-machines/windows/disks-upload-vhd-to-managed-disk-powershell.md#copy-a-managed-disk).
 - Only [software and HSM RSA keys](../articles/key-vault/keys/about-keys.md) of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
     - [HSM](../articles/key-vault/keys/hsm-protected-keys.md) keys require the **premium** tier of Azure Key vaults.
-- Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. Your disks and their images must be in the same subscription, the keys used to encrypt your disks can be in a different subscription.
-- Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
+- For Ultra Disks only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
 - Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
     - Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from [different Azure Active Directory tenants](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).
 - Disks encrypted with customer-managed keys can only move to another resource group if the VM they are attached to is deallocated.
-- Disks, snapshots, and images encrypted with customer-managed keys cannot be moved between subscriptions.
-- Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys.
+- Disks, snapshots, and images encrypted with customer-managed keys can't be moved between subscriptions.
+- Managed disks currently or previously encrypted using Azure Disk Encryption can't be encrypted using customer-managed keys.
 - Can only create up to 5000 disk encryption sets per region per subscription.
 - For information about using customer-managed keys with shared image galleries, see [Preview: Use customer-managed keys for encrypting images](../articles/virtual-machines/image-version-encryption.md).
