articles/devtest-labs/encrypt-disks-customer-managed-keys.md
10 additions & 10 deletions
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ description: Learn how to manage disk encryption by using customer-managed keys
4
4
ms.topic: how-to
5
5
ms.author: rosemalcolm
6
6
author: RoseHJM
7
-
ms.date: 07/11/2025
7
+
ms.date: 07/15/2025
8
8
ms.custom: subject-rbac-steps, UpdateFrequency2
9
9
10
10
#customer intent: As a lab owner, I want to use customer-managed keys to manage disk encryption so that I can manage access control with more flexibility.
@@ -28,10 +28,10 @@ In Azure DevTest Labs, all OS disks and data disks created in a lab are encrypte
28
28
- The disk encryption set needs to be in same region and subscription as your lab.
29
29
- The lab owner needs to have at least reader-level access to the disk encryption set that will be used to encrypt lab disks.
30
30
31
-
- For labs created before August 1, 2020, the lab owner needs to ensure that lab system-assigned identity is enabled. To do so, the lab owner can go to the lab, select **Configuration and policies**, select **Identity (Preview)** in the left menu, change the system-assigned identity **Status** to **On**, and then select **Save**. For labs created after August 1, 2020, the system-assigned identity is enabled by default.
31
+
- For labs created before August 1, 2020, the lab owner needs to ensure that lab system-assigned identity is enabled. To do so, the lab owner can go to the lab, select **Configuration and policies**, select **Identity** in the left menu, change the system-assigned identity **Status** to **On**, and then select **Save**. For labs created after August 1, 2020, the system-assigned identity is enabled by default.
32
32
33
-
> [!div class="mx-imgBorder"]
34
-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/managed-keys.png" alt-text="Screenshot that shows the steps for enabling system-assigned identity." lightbox="./media/encrypt-disks-customer-managed-keys/managed-keys.png":::
33
+
34
+
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/managed-keys.png" alt-text="Screenshot that shows the steps for enabling system-assigned identity." lightbox="./media/encrypt-disks-customer-managed-keys/managed-keys.png":::
35
35
36
36
- For the lab to handle encryption for all lab disks, the lab owner needs to explicitly grant the lab's system-assigned identity reader role on the disk encryption set and the virtual machine contributor role on the underlying Azure subscription. The lab owner can do that by completing the following steps:
37
37
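Review bot: On new line 31 the menu item is renamed from **Identity (Preview)** to **Identity**, but the screenshot on new line 34 still points to the same managed-keys.png, so please confirm the image shows the current label or replace it together with the text. New line 33 also looks like an empty line added directly after the blank line 32; if the `[!div class="mx-imgBorder"]` wrapper is being dropped, delete that line instead of leaving two blank lines before the image.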
@@ -66,18 +66,18 @@ In Azure DevTest Labs, all OS disks and data disks created in a lab are encrypte
66
66
67
67
1. Go to a lab virtual machine that you created after enabling disk encryption with a customer-managed key on the lab.
68
68
69
-
> [!div class="mx-imgBorder"]
70
-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/enabled-encryption-vm.png" alt-text="Screenshot that shows a VM with disk encryption enabled." lightbox="./media/encrypt-disks-customer-managed-keys/enabled-encryption-vm.png":::
69
+
70
+
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/enabled-encryption-vm.png" alt-text="Screenshot that shows a VM with disk encryption enabled." lightbox="./media/encrypt-disks-customer-managed-keys/enabled-encryption-vm.png":::
71
71
72
72
1. Select the resource group of the VM and then select the OS disk.
73
73
74
-
> [!div class="mx-imgBorder"]
75
-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/vm-resource-group.png" alt-text="Screenshot that shows the VM in its resource group." lightbox="./media/encrypt-disks-customer-managed-keys/vm-resource-group.png":::
74
+
75
+
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/vm-resource-group.png" alt-text="Screenshot that shows the VM in its resource group." lightbox="./media/encrypt-disks-customer-managed-keys/vm-resource-group.png":::
76
76
77
77
1. In the left pane, under **Settings**, select **Encryption**. Validate that encryption is set to customer-managed key with the disk encryption set that you selected.
78
78
79
-
> [!div class="mx-imgBorder"]
80
-
> :::image type="content" source="./media/encrypt-disks-customer-managed-keys/validate-encryption.png" alt-text="Screenshot that shows the encryption type of the VM.":::
79
+
80
+
:::image type="content" source="./media/encrypt-disks-customer-managed-keys/validate-encryption.png" alt-text="Screenshot that shows the encryption type of the VM.":::
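Review bot: The images on new lines 70, 75 and 80 each follow a `1.` list item, and with the `>` wrapper removed they need to be indented to the list item's content so the numbered steps stay one list; indentation is not visible in this view, so please confirm it in the raw file. The validate-encryption.png image on line 80 has no `lightbox` attribute, unlike the other two images in this hunk; consider adding one for consistency while the line is being touched. The empty added lines 69, 74 and 79 each follow an existing blank line and can be dropped.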