To determine which virtual machines can be encrypted, we must refer to the technical requirement:
“Whenever possible, use Azure Disk Encryption and a key encryption key (KEK) to encrypt the virtual machines.”
According to Microsoft Learn, Azure Disk Encryption (ADE) uses BitLocker on Windows VMs and DM-Crypt on Linux VMs to encrypt OS and data disks, and stores the resulting encryption secrets in Azure Key Vault; the optional key encryption key (KEK) is an RSA key in Key Vault that wraps those secrets. Not every VM type or disk configuration is supported, and the exclusions are listed under "Unsupported scenarios" on the Windows and Linux ADE pages.
From the provided configuration:
VM   | OS                  | Description                  | ADE with KEK
VM1  | RHEL                | Uses ephemeral OS disks      | ❌ Not supported (ephemeral OS disk)
VM2  | Windows Server 2022 | Has a basic volume           | ✅ Supported
VM3  | RHEL                | Uses standard SSDs           | ✅ Supported (standard SSD is a supported managed disk tier)
VM4  | Windows Server 2022 | Uses Write Accelerator disks | ❌ Not supported (Write Accelerator)
VM5  | Windows Server 2022 | Has a dynamic volume         | ❌ Not supported (dynamic volume)
Step-by-step analysis (based on the "Unsupported scenarios" sections of the Microsoft Learn pages for ADE on Windows and Linux VMs):
Ephemeral OS disks (VM1):
Ephemeral OS disks live on the VM host's local storage rather than in Azure Storage, and Microsoft lists them as an unsupported scenario for ADE on both Windows and Linux. VM1 cannot be encrypted.
Dynamic volumes (VM5):
Dynamic volumes are an unsupported scenario for ADE (the same section notes that Windows Server containers are unsupported because they create a dynamic volume per container). BitLocker through ADE only handles basic volumes, so VM5 cannot be encrypted. Dynamic versus basic is an in-guest property: it is not visible in the VM's ARM model, so it has to be checked inside the guest (for example, diskpart's "list disk" output shows a Dyn column).
Write Accelerator disks (VM4):
Write Accelerator is only available on M-series VMs, and "M-series VMs with Write Accelerator disks" is listed as an unsupported scenario for ADE. VM4 cannot be encrypted with ADE while Write Accelerator is enabled on its disks.
Standard SSDs on a Linux VM (VM3):
The storage tier is not a restriction: ADE works with Standard HDD, Standard SSD and Premium SSD managed disks. RHEL is a supported distribution for ADE (check the exact version against the supported-distribution table on the Linux page). DM-Crypt is not an alternative to ADE; it is what ADE uses on Linux. A KEK is supported on Linux exactly as on Windows: the extension encrypts the volume with a data encryption key (the BitLocker BEK on Windows, a passphrase on Linux), stores it as a Key Vault secret, and wraps that secret with the KEK. VM3 meets the requirement.
Basic volume on Windows (VM2):
A basic volume is the normal BitLocker case and has no entry in the unsupported list. VM2 meets the requirement.
Other general prerequisites apply to all of them and are worth checking before enabling the extension: Basic-tier and A-series VMs and VMs with less than 2 GB of memory are unsupported, the VM must be able to reach the Key Vault endpoint, and the Key Vault must be in the same region as the VM and enabled for disk encryption.
Therefore the VMs that can be encrypted with Azure Disk Encryption using a KEK are:
✅ VM2 (Windows Server 2022, basic volume)
✅ VM3 (RHEL, standard SSDs)
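The following PowerShell script is an added example, not part of the original answer or of Microsoft's documentation. It runs the two ADE checks that are visible in the VM's ARM model (ephemeral OS disk and Write Accelerator), skips any VM that fails them, and enables ADE with a KEK on the rest using the Az module cmdlets. The resource group name "RG1", the Key Vault name "kv-ade-01" and the KEK name "ade-kek" are assumptions; dynamic volumes (the VM5 case) are an in-guest property and cannot be detected from this script, so that check has to be done inside the guest beforehand.

```powershell
# Added example (not from the original answer): pre-flight check for the ADE
# blockers that are visible in the VM model, then enable ADE with a KEK.
# Assumed names: resource group 'RG1', Key Vault 'kv-ade-01', KEK 'ade-kek'.
# Dynamic volumes are an in-guest property and are not checked here.
Connect-AzAccount | Out-Null

$rg        = 'RG1'          # assumption
$vaultName = 'kv-ade-01'    # assumption
$kekName   = 'ade-kek'      # assumption
$vmNames   = 'VM1', 'VM2', 'VM3', 'VM4', 'VM5'

# Returns the list of ADE blockers found in the VM model (empty = none found).
function Test-AdeVmModel {
    param($Vm)
    $reasons = @()
    $os = $Vm.StorageProfile.OsDisk

    # Ephemeral OS disk: DiffDiskSettings.Option is 'Local'.
    if ($os.DiffDiskSettings -and $os.DiffDiskSettings.Option -eq 'Local') {
        $reasons += 'ephemeral OS disk'
    }

    # Write Accelerator on the OS disk or any data disk (M-series only).
    $waDisks = @($os) + @($Vm.StorageProfile.DataDisks) |
        Where-Object { $_.WriteAcceleratorEnabled -eq $true }
    if (@($waDisks).Count -gt 0) {
        $reasons += 'Write Accelerator disk'
    }
    return $reasons
}

# The Key Vault must be enabled for disk encryption, and the KEK is an RSA key
# in that vault (created here if it does not exist yet).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
$kv  = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
$kek = Get-AzKeyVaultKey -VaultName $vaultName -Name $kekName
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination 'Software'
}

foreach ($name in $vmNames) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $name
    $blockers = Test-AdeVmModel -Vm $vm
    if (@($blockers).Count -gt 0) {
        Write-Warning "$name skipped: $($blockers -join ', ')"
        continue
    }

    # Same call for Windows and Linux; the KEK wraps the BEK/passphrase secret
    # that the extension writes to the vault. Linux OS-disk encryption has extra
    # prerequisites (memory, supported distro version) listed on the Linux page.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $name `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri `
        -DiskEncryptionKeyVaultId  $kv.ResourceId `
        -KeyEncryptionKeyUrl       $kek.Key.Kid `
        -KeyEncryptionKeyVaultId   $kv.ResourceId `
        -VolumeType 'All' -Force

    # Verify: OsVolumeEncrypted / DataVolumesEncrypted should report Encrypted.
    Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $name
}
```

Run it from a session that has Contributor on the resource group and Key Vault permissions to create keys. With the configuration in the question, VM1 and VM4 are skipped by the pre-flight function, VM5 has to be excluded manually after checking the guest for dynamic volumes, and VM2 and VM3 get the extension with the KEK wrapping their secrets.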
Supporting Microsoft documentation (paraphrased from Microsoft Learn, "Azure Disk Encryption for Windows VMs" and "Azure Disk Encryption for Linux VMs", overview and "Unsupported scenarios" sections):
- ADE helps protect data to meet organizational security and compliance commitments; it uses the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for OS and data disks, and is integrated with Azure Key Vault to control and manage the disk encryption keys and secrets.
- The unsupported scenarios for both Windows and Linux include ephemeral OS disks, dynamic volumes, and M-series VMs with Write Accelerator disks, as well as Basic-tier VMs and VMs with less than 2 GB of memory.
- A key encryption key (KEK) from Azure Key Vault can optionally be used to wrap the encryption secrets for an added layer of security, on both Windows and Linux VMs.