How to change from VM with ADE to VM to Encryption at host?

Handinata Tanudjaja 165 Reputation points
2025-03-05T03:39:58.8133333+00:00

Hi everyone,

I would like to know the proper steps to change from VM with ADE to Encryption at host.

Thank you


4 answers

  1. SUNOJ KUMAR YELURU 15,001 Reputation points MVP
    2025-03-05T04:00:10.93+00:00

    Hello @Handinata Tanudjaja

    To convert an Azure VM with Azure Disk Encryption (ADE) to using "Encryption at Host," you need to first detach the existing encrypted disks from the VM, then create a new VM with the "Encryption at Host" option enabled, and finally attach the previously detached encrypted disks to the new VM; essentially, you're creating a new VM with the desired encryption method and migrating the existing disks to it, as you cannot directly change an existing VM's encryption method from ADE to Encryption at Host. 

    Key steps:

    • Access Azure Portal: Log in to the Azure portal and navigate to your virtual machine.
    • Detach Disks:
      • Go to the VM's "Disks" section.
      • Select each disk you want to migrate and choose the option to "Detach".
    • Create New VM with Encryption at Host:
      • Initiate the creation of a new virtual machine.
      • When configuring the disks, select "Encryption at Host" under the encryption settings.
      • Choose the appropriate key management option (customer-managed keys or platform-managed keys).
    • Attach Detached Disks:
      • Once the new VM is deployed, navigate to its "Disks" section.
      • Select "Attach existing disk" and choose the previously detached encrypted disks.

    Important Considerations:

    • Data Migration: If you have sensitive data on the existing disks, ensure you have a proper backup strategy before detaching and migrating them. 
    • VM Downtime: Converting to "Encryption at Host" will require a VM restart, resulting in temporary downtime. 
    • Key Management: Be mindful of the key management strategy you choose when enabling "Encryption at Host".

    If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.


  2. Jose Benjamin Solis Nolasco 631 Reputation points
    2025-03-05T16:57:38.6566667+00:00

    Hello,

    I made this guide for you; I hope you can achieve what you are looking for.

    Links:

    https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell

    https://www.reddit.com/r/AZURE/comments/1ci7by7/windows_virtual_machines_should_enable_azure_disk/

    1. Ensure Pre‑Requisites and Check Support

    Before you proceed, verify the following:

    Supported VM Size & Region: Not every VM size supports Encryption at host. Check the Azure documentation for the latest list of supported sizes and regions.

    Permissions: You must have sufficient permissions (typically the Contributor role or higher on both the VM and its disk resources) to make encryption changes.

    Backup: Backup your VM data or create a snapshot of the disks just in case you need to revert to your previous state.

    2. Remove Azure Disk Encryption (ADE)

    Encryption at host cannot be enabled while the disks are encrypted with ADE. Therefore, you must first decrypt the VM’s OS and data disks.

    Steps to Remove ADE:

    Identify the Encryption Status:

    In the Azure Portal, navigate to your VM and check its “Disks” blade (or the “Encryption” section if available) to confirm that ADE is enabled.

    Run the Decryption Process:

      **Using PowerShell:** If you set up ADE using PowerShell (such as with the `Set-AzVMDiskEncryptionExtension` cmdlet), you now need to disable it. For example:

      ```powershell
      Disable-AzVMDiskEncryption `
          -ResourceGroupName <YourResourceGroup> `
          -VMName <YourVMName>
      ```

      Monitor the progress. (Depending on your configuration, the command might vary. Microsoft’s documentation on removing Azure Disk Encryption can be a useful guide.)

      **Using the Azure CLI:** Similarly, if you use CLI, there’s a command to disable disk encryption (check the current CLI reference as the procedures may evolve).

      **Wait for Complete Decryption:**

      This operation can take some time. Verify in the portal that your disks are now in an unencrypted state.

      Confirm that any ADE-related extensions have been removed.
               
    
    3. Enable Encryption at Host

    With your VM’s disks now decrypted and free of ADE, you can enable Encryption at host. This property is configured at the VM level.

    Two Approaches:

    A. Live Update (If Supported)

    If your VM supports an in-place update, you might be able to update its encryption configuration by modifying its properties.

    Stop the VM (If Required): Sometimes a stop–deallocate–start cycle is necessary to register configuration changes.

    Update the VM Configuration:

    Using Azure CLI: You can update the VM’s security profile by running a command like:

    ```bash
    # Encryption at host lives under securityProfile, not encryptionProfile
    az vm update \
      --resource-group <YourResourceGroup> \
      --name <YourVMName> \
      --set securityProfile.encryptionAtHost=true
    ```

    This command sets the property that tells Azure to enable host-level encryption.

    Verify the Change:

      Once updated, check the VM’s properties in the Azure Portal. The “Encryption at host” property should now indicate that it is enabled.
      
    

    B. Redeploy the VM (If Live Update Isn’t Available)

    Some VM configurations may require a rebuild:

    1. Detach the Disks:
      • If necessary, detach the OS and data disks after decryption.
    2. Create a New VM with Encryption at Host Enabled:
      • Using an ARM template, the Azure CLI, or the Azure Portal, create a new VM.
      • When configuring the new VM, set the “Encryption at host” property to true. For example, in an ARM template the property might be under the VM’s "securityProfile": { "encryptionAtHost": true }.
    3. Attach the Existing Disks:
      • Reattach your previously decrypted OS and/or data disks to this new VM.
    4. Test the New Deployment:
      • Once the new VM is up and running, verify that everything is working as expected and that the encryption at host property is applied.

    If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.


  3. TP 108.6K Reputation points
    2025-03-06T09:30:00.36+00:00

    Hi,

    Azure Disk Encryption has restrictions. One of them is you can't go from ADE to Encryption at Host or SSE if the disk has ever been encrypted with ADE. Please see excerpts below:

    Excerpt from Windows ADE Restrictions:

    Azure Disk Encryption does not work for the following scenarios, features, and technology:

    Excerpt from Linux ADE Restrictions:

    Azure Disk Encryption does not work for the following Linux scenarios, features, and technology:

    Workaround/Solution

    Basic steps that I have actually used successfully in the past to convert from ADE to EAH/SSE below. It is likely there are fine details that I will forget to mention.

    • Create snapshot of source OS disk while its VM is Deallocated
    • Create new temp VM from snapshot
    • Disable ADE on new temp VM, wait until all volumes are Fully Decrypted. At bare minimum this will take minutes. You can verify inside of Windows VM using `manage-bde -status`. Check that all volumes show Fully Decrypted
    • Deallocate new temp VM
    • Navigate to the new temp VM's OS disk -- Settings -- Disk Export blade, Generate URLs, Download VHD file. To save time you could download this to an Azure VM in same zone/vnet.
    • Use azcopy to upload vhd to storage account in same region and resource group
    • Create new disk, for source choose storage blob, select the vhd file you just uploaded, choose OS type, choose Security type, VM generation, disk size/type to match whatever original VM was, leave VM guest state blob blank
    • Navigate to the managed disk you just created, click Create VM, fill out various settings as required, including selecting Encryption at host on Disks tab

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


  4. anashetty 2,385 Reputation points Microsoft External Staff
    2025-03-07T01:50:29.2966667+00:00

    Hi Handinata Tanudjaja,

    As the original poster cannot accept their own answer, I am reposting it if you would like to Upvote and Accept answer for the benefit of community who faces the same issue can easily find the solution.

    Issue:

    we have an existing VM with ADE enabled. We don't want to change the existing VM but we want to be able to use a backup of the disk to a new VM with Encrypted At Host (EAH) enabled.

    I received the following error when I tried to swap the OS disk: **"Disk security type is not compatible with VM security type"**. I am not sure why I would get this error. I thought that by disabling ADE on the new backup, I would be able to use it in a VM instance that has EAH enabled.

    Solution:

    I found out the issue that caused "Disk security type is not compatible with VM security type" message. In order for the OS disk swap to work, I will need to make sure the new VM instance has the same "Security Type" as the old VM that I removed ADE from. Original VM is in Standard Security Type, so I had to make the new VM instance to be in Standard Security Type (it was defaulted "TrustedLaunch").

    Mystery solved!

    Thank you again for your time and patience throughout this issue. Please remember to "Upvote" and "Accept Answer", so that others in the community facing similar issues can easily find the solution.

    Thank you.


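A pre-flight check that ties the answers above together, added here as an example and not taken from any of the posts or from Microsoft's documentation. It assumes Az.Compute is installed and Connect-AzAccount has been run; the resource group and VM names are placeholders. It verifies the three things the thread says break the move: ADE must report every volume decrypted, the VM size must advertise Encryption at host in its region, and the OS disk's security type must match the target VM's (the "Disk security type is not compatible" error from the last answer).

```powershell
# Added pre-flight check for an ADE -> Encryption at host move (not part of the original thread).
# Assumes Az.Compute is installed, Connect-AzAccount has run, and the names below are placeholders.
param(
    [string]$ResourceGroup = '<YourResourceGroup>',
    [string]$SourceVmName  = '<YourVMName>',   # VM (or temp VM built from the snapshot) that ran ADE
    [string]$TargetVmName  = '<NewVMName>'     # VM created with Encryption at host enabled
)

$src = Get-AzVM -ResourceGroupName $ResourceGroup -Name $SourceVmName
$tgt = Get-AzVM -ResourceGroupName $ResourceGroup -Name $TargetVmName
$problems = @()

# 1. ADE must report every volume decrypted; anything else (Encrypted, DecryptionInProgress)
#    means the disk is not yet safe to export, snapshot or reattach.
$ade = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $SourceVmName
if ("$($ade.OsVolumeEncrypted)" -ne 'NotEncrypted' -or "$($ade.DataVolumesEncrypted)" -ne 'NotEncrypted') {
    $problems += "ADE still reports OS=$($ade.OsVolumeEncrypted), Data=$($ade.DataVolumesEncrypted)"
}

# 2. The size must carry the EncryptionAtHostSupported capability in the VM's region.
$size = $src.HardwareProfile.VmSize
$sku = Get-AzComputeResourceSku -Location $src.Location |
    Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $size }
$cap = $sku.Capabilities | Where-Object { $_.Name -eq 'EncryptionAtHostSupported' }
if (-not $cap -or $cap.Value -ne 'True') {
    $problems += "Size $size does not advertise EncryptionAtHostSupported in $($src.Location)"
}

# 3. The OS disk's security type must equal the target VM's, or the disk swap fails with
#    "Disk security type is not compatible with VM security type". A Standard VM or disk has
#    no SecurityType set, so $null is treated as 'Standard' on both sides.
$osDiskName = ($src.StorageProfile.OsDisk.ManagedDisk.Id -split '/')[-1]
$osDisk = Get-AzDisk -ResourceGroupName $ResourceGroup -DiskName $osDiskName
$diskSec = if ($osDisk.SecurityProfile.SecurityType) { $osDisk.SecurityProfile.SecurityType } else { 'Standard' }
$vmSec   = if ($tgt.SecurityProfile.SecurityType)    { $tgt.SecurityProfile.SecurityType }    else { 'Standard' }
if ($diskSec -ne $vmSec) {
    $problems += "Security type mismatch: OS disk=$diskSec, target VM=$vmSec"
}

# 4. The target VM must actually have encryptionAtHost=true in its security profile.
if (-not $tgt.SecurityProfile.EncryptionAtHost) {
    $problems += "Target VM $TargetVmName does not have encryptionAtHost=true"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All pre-flight checks passed.' }
```

Run it against the temp VM before exporting the VHD and again against the new VM before the OS disk swap; a clean run means the remaining steps are the mechanical ones described in the answers.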