Merge pull request #100976 from roygara/existingCMK

Existing cmk workflow

Author: Jak-MS

articles/virtual-machines/linux/disk-encryption.md

@@ -3,7 +3,7 @@ title: Server-side encryption of Azure Managed Disks - Azure CLI
 description: Azure Storage protects your data by encrypting it at rest before persisting it to Storage clusters. You can rely on Microsoft-managed keys for the encryption of your managed disks, or you can use customer-managed keys to manage encryption with your own keys.
 author: roygara
 
-ms.date: 01/10/2020
+ms.date: 01/13/2020
 ms.topic: conceptual
 ms.author: rogarana
 ms.service: virtual-machines-linux

articles/virtual-machines/windows/disk-encryption.md

@@ -3,7 +3,7 @@ title: Server-side encryption of Azure Managed Disks - PowerShell
 description: Azure Storage protects your data by encrypting it at rest before persisting it to Storage clusters. You can rely on Microsoft-managed keys for the encryption of your managed disks, or you can use customer-managed keys to manage encryption with your own keys.
 author: roygara
 
-ms.date: 01/10/2020
+ms.date: 01/13/2020
 ms.topic: conceptual
 ms.author: rogarana
 ms.service: virtual-machines-windows

includes/media/virtual-machines-disk-encryption-portal/sse-encrypt-existing-disk-customer-managed-key.png

@@ -5,7 +5,7 @@
  author: roygara
  ms.service: virtual-machines
  ms.topic: include
- ms.date: 01/10/2020
+ ms.date: 01/13/2020
  ms.author: rogarana
  ms.custom: include file
 ---
@@ -81,4 +81,28 @@ The VM deployment process is similar to the standard deployment process, the onl
 1. Select your disk encryption set in the **Disk encryption set** drop-down.
 1. Make the remaining selections as you like.
 
-    ![sse-create-vm-select-cmk-encryption-set.png](media/virtual-machines-disk-encryption-portal/sse-create-vm-select-cmk-encryption-set.png)
+    ![sse-create-vm-select-cmk-encryption-set.png](media/virtual-machines-disk-encryption-portal/sse-create-vm-select-cmk-encryption-set.png)
+
+#### Enable on an existing disk
+
+To manage and configure disk encryption on your existing disks, you must use the following link: https://aka.ms/diskencryptionsets. Enabling customer-managed keys on existing disks is not yet available in the global Azure portal.
+
+> [!CAUTION]
+> Enabling disk encryption on any disks attached to a VM will require that you stop the VM.
+
+1. Navigate to a VM which is in the same region as one of your disk encryption sets.
+1. Open the VM and select **Stop**.
+
+    ![sse-stop-VM-to-encrypt-disk.png](media/virtual-machines-disk-encryption-portal/sse-stop-VM-to-encrypt-disk.png)
+
+1. After the VM has finished stopping, select **Disks** and then select the disk you want to encrypt.
+
+    ![sse-existing-disk-select.png](media/virtual-machines-disk-encryption-portal/sse-existing-disk-select.png)
+
+1. Select **Encryption** and select **Encryption at rest with a customer-managed key** and then select your disk encryption set in the drop-down list.
+1. Select **Save**.
+
+    ![sse-encrypt-existing-disk-customer-managed-key.png](media/virtual-machines-disk-encryption-portal/sse-encrypt-existing-disk-customer-managed-key.png)
+
+1. Repeat this process for any other disks attached to the VM you'd like to encrypt.
+1. When your disks finish switching over to customer-managed keys, if there are no there no other attached disks you'd like to encrypt, you may start your VM.