Securing Key Vault Used by Azure Disk Encryption (ADE)

Hunter French 30 Reputation points
2025-07-23T12:37:59.6066667+00:00

Is it possible/advisable to secure the key vault used by Azure Disk Encryption? Defender wants me to use private link but I am hesitant to enable it, fearing that the VM will lose the ability to pull the key from the vault for proper functionality. Any chance I can disable public access on the vault and just allow the option to "Allow trusted Microsoft services to bypass this firewall" and still have things work?

Virtual network service endpoints for Azure Key Vault | Microsoft Learn

This shows "Azure Disk Encryption volume encryption service" as a trusted service. So much of me wants to move the firewall to "Disable public access" with "Allow trusted Microsoft services to bypass this firewall."

If I do activate it, how can I test to ensure proper functionality with the vault firewall turned on?

Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.

Accepted answer
  1. Nandamuri Pranay Teja 4,450 Reputation points Microsoft External Staff Moderator
    2025-07-23T14:00:05.5966667+00:00

    Hello Hunter French

    Yes, it is possible to secure the Key Vault used by Azure Disk Encryption (ADE), either by enabling private link or, as you suggested, by disabling public access and allowing trusted Microsoft services to bypass the firewall.

    Refer- https://learn.microsoft.com/en-us/azure/key-vault/general/secure-key-vault

    In the Key Vault's networking settings, set the firewall to "Disable public access." Enable the option "Allow trusted Microsoft services to bypass this firewall." Confirm that "Azure Disk Encryption volume encryption service" is included in the trusted services list. This is typically enabled by default when you select the option.

    To ensure the VM can still access the Key Vault after enabling the firewall, take a snapshot or backup of the VM and its disks before applying changes, so that you can roll back if needed. Then deploy a test VM with Azure Disk Encryption enabled, using the same Key Vault configuration.

    • Apply the firewall settings (disable public access, allow trusted services).
    • Trigger a key rotation or re-encryption process on the test VM (e.g., by updating the encryption settings in the Azure portal).
    • Monitor the VM's encryption status in the Azure portal under "Disks".

    After successful testing, apply the changes to the production Key Vault and monitor VM behavior over 24-48 hours, especially during key usage (e.g., VM restarts or disk operations).

    Let me know if you have any questions or concerns, we are here to help!

    1 person found this answer helpful.
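The procedure in the accepted answer (lock the vault down to trusted services, then prove ADE on a test VM still works), written out as an added Azure PowerShell example. This is not code from the original thread or from Microsoft's documentation; the resource group, vault and VM names are placeholders, and the script assumes the Az.KeyVault and Az.Compute modules with the parameters shown. It records the existing network rules first so the change can be reverted, refuses to touch the VM unless the rule set really reads Deny plus AzureServices, then re-runs the encryption extension against the same vault, which is the operation that would break if the vault were unreachable.

```powershell
# Added example, not part of the original answer. Names below are assumptions.
#Requires -Modules Az.KeyVault, Az.Compute

param(
    [string]$ResourceGroup = 'rg-ade-test',   # assumed resource group name
    [string]$VaultName     = 'kv-ade-test',   # assumed Key Vault name
    [string]$VmName        = 'vm-ade-test'    # assumed ADE-enabled test VM name
)

# 1. Record the current network rules so the change can be rolled back.
$before = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup).NetworkAcls
Write-Host "Before: DefaultAction=$($before.DefaultAction) Bypass=$($before.Bypass)"

# 2. Apply the equivalent of the portal's "Disable public access" together with
#    "Allow trusted Microsoft services to bypass this firewall".
Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -DefaultAction Deny -Bypass AzureServices
Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -PublicNetworkAccess Disabled

# 3. Verify the rule set is really Deny + AzureServices before touching any VM.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
$acl   = $vault.NetworkAcls
if ($acl.DefaultAction -ne 'Deny' -or $acl.Bypass -ne 'AzureServices') {
    throw "Vault $VaultName is not locked down as expected: $($acl | ConvertTo-Json -Compress)"
}

# 4. Exercise the vault through ADE: re-apply the encryption extension on the
#    test VM with the same vault. The extension must read/write the encryption
#    secret in the vault, which is exactly what a misconfigured firewall blocks.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# 5. Check the encryption status; anything but Encrypted on the OS disk is a failure.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName
Write-Host "OS disk: $($status.OsVolumeEncrypted)  Data disks: $($status.DataVolumesEncrypted)"
if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    throw "ADE did not complete on $VmName; extension message: $($status.ProgressMessage)"
}

# 6. Restart and confirm the ADE extension still reports success after reboot
#    (covers the "VM restarts" case the answer asks you to watch for).
Restart-AzVM -ResourceGroupName $ResourceGroup -Name $VmName | Out-Null
$ext = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status).Extensions |
    Where-Object { $_.Name -like 'AzureDiskEncryption*' }
$ext | ForEach-Object { Write-Host "$($_.Name): $($_.Statuses[0].DisplayStatus)" }
```

Run it against the test VM first, as the answer recommends; if step 4 or 5 throws, restore the rule set captured in step 1 with Update-AzKeyVaultNetworkRuleSet (DefaultAction Allow) before retrying. The extension name differs between Windows (AzureDiskEncryption) and Linux (AzureDiskEncryptionForLinux), which is why step 6 matches on the prefix.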

1 additional answer

  1. Hunter French 30 Reputation points
    2025-07-24T10:25:48.57+00:00

    @Nandamuri Pranay Teja Yes, this is resolved. Thanks!

