Azure Managed Disks support encryption with customer keys
In a public preview, Microsoft announced server-side encryption of Azure Managed Disks with customer-managed keys. Azure Managed Disks are already encrypted by default, but that server-side encryption uses platform-managed keys, i.e. encryption keys that Microsoft manages, which is a problem for customers with their own compliance requirements. With this new service, customers gain significantly more control over their encryption keys, and thus over the disk encryption of their virtual workloads with BitLocker for Windows and DM-Crypt for Linux.
Customer key management is performed in Azure Key Vault, a highly available, secure store for RSA cryptographic keys protected by hardware security modules (HSMs). The keys can either be imported from a customer's own HSM into an Azure Key Vault or generated directly in the Azure Key Vault. Encryption in Azure Storage is performed with an Advanced Encryption Standard (AES) 256-bit data encryption key, which in turn is protected by the customer key stored in the Azure Key Vault. To control access to keys in the Azure Key Vault, Azure uses managed identities from Azure Active Directory, and key usage is monitored through Azure Key Vault.
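The key hierarchy described above is envelope encryption: a per-disk AES-256 data encryption key (DEK) protects the data, and the DEK itself is protected by a customer-controlled key that never leaves the vault. The following Go program is an added illustration of that model and is not Azure's or Microsoft's code; the `KeyVault` type, the use of RSA-OAEP for wrapping and AES-GCM for the data, and the `Disable` switch are assumptions chosen to make the control point visible: once the customer disables the key-encryption key, the stored disk can no longer be unwrapped, even though the ciphertext and wrapped DEK are still held by the storage service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyVault models the customer-controlled key store (an assumption, not the
// Azure Key Vault API). It holds the RSA key-encryption key (KEK) and only
// performs wrap/unwrap; the storage side never sees the private key.
type KeyVault struct {
	kek     *rsa.PrivateKey
	enabled bool // the customer can disable or revoke the key at any time
}

func NewKeyVault() (*KeyVault, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyVault{kek: k, enabled: true}, nil
}

// WrapKey encrypts a DEK under the KEK public key (RSA-OAEP, assumed here).
func (v *KeyVault) WrapKey(dek []byte) ([]byte, error) {
	if !v.enabled {
		return nil, errors.New("key-encryption key is disabled")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &v.kek.PublicKey, dek, nil)
}

// UnwrapKey recovers the DEK; it fails when the customer has disabled the KEK.
func (v *KeyVault) UnwrapKey(wrapped []byte) ([]byte, error) {
	if !v.enabled {
		return nil, errors.New("key-encryption key is disabled")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, v.kek, wrapped, nil)
}

// Disable simulates the customer revoking access to the key.
func (v *KeyVault) Disable() { v.enabled = false }

// EncryptedDisk is what the storage service persists: the ciphertext plus the
// wrapped DEK. The plaintext DEK is discarded after use.
type EncryptedDisk struct {
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptDisk generates a fresh AES-256 DEK, encrypts the data with it under
// AES-GCM, and stores only the KEK-wrapped form of the DEK.
func EncryptDisk(v *KeyVault, plaintext []byte) (*EncryptedDisk, error) {
	dek := make([]byte, 32) // 256-bit data encryption key
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := v.WrapKey(dek)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return &EncryptedDisk{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptDisk asks the vault to unwrap the DEK and then decrypts the data.
func DecryptDisk(v *KeyVault, d *EncryptedDisk) ([]byte, error) {
	dek, err := v.UnwrapKey(d.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, d.Nonce, d.Ciphertext, nil)
}

func main() {
	vault, _ := NewKeyVault()
	disk, _ := EncryptDisk(vault, []byte("constructed sample disk contents")) // constructed input
	pt, _ := DecryptDisk(vault, disk)
	fmt.Printf("decrypted: %q\n", pt)
	vault.Disable()
	_, err := DecryptDisk(vault, disk)
	fmt.Println("after disabling the customer key:", err)
}
```

The point to take from the model is where control sits: the storage side holds ciphertext and a wrapped DEK, but every read depends on the vault agreeing to unwrap, so disabling or deleting the customer key (or removing the managed identity's access policy) makes the disk unreadable without touching the data itself.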
Azure disk encryption with customer keys can be used for Standard HDD, Standard SSD and Premium SSD managed disks. However, the preview is currently only available in the Azure region West Central US; planning for additional Azure regions is ongoing.
Azure Managed Disks are virtual disks: random-I/O storage objects that abstract away the underlying page blobs, blob containers, and Azure storage accounts.