Convert PMK to CMK Encryption on Azure VMs


Introduction

Azure encrypts data at rest by default, but not all encryption models offer the same level of control. Most organizations start with platform managed keys because they require zero maintenance. As environments mature or compliance requirements change, moving to customer managed keys becomes necessary. This guide explains the differences between PMK and CMK, when a migration makes sense, and how to correctly convert Azure VM disks from PMK to CMK.

PMK and CMK Concept Overview

Azure uses envelope encryption. Every resource is encrypted with a data encryption key and that key is then protected by a higher-level key. When the higher key is managed by Microsoft, it is a platform managed key. When it is stored and controlled in your own Azure Key Vault or Managed HSM, it becomes a customer managed key.

Platform managed keys
• Azure creates, rotates, stores, and protects keys with no customer involvement
• Easiest option with minimal operational overhead
• Limited control or auditability

Customer managed keys
• You create, import, rotate, disable, or revoke keys as needed
• Keys live in your own vault, giving you ownership and audit logs
• Required for many regulated workloads
• Higher operational responsibility and risk if improperly managed

Microsoft documentation confirms PMK is appropriate for most workloads, while CMK is recommended when compliance, separation of duties, or strict governance is required.

Why Migrate from PMK to CMK

Common reasons customers switch to CMK include
• Regulatory requirements mandating customer-controlled keys
• Internal policy requiring dedicated vaults, rotation, and access logs
• Workloads handling high-sensitivity data
• Need to prevent Microsoft from accessing, rotating, or revoking keys
• Desire for a unified organizational encryption standard

Even organizations without formal compliance needs often choose CMK to future-proof their environment and enforce consistent security governance across cloud services.

Prerequisites for CMK

Before migrating disks, the following must exist
• Azure Key Vault or Managed HSM in the same region as the disks
• A generated or imported cryptographic key
• Soft-delete enabled on the vault
• Purge protection enabled on the vault
• VM or managed disk identity with wrap, unwrap, and get permissions
• Disk Encryption Set created and linked to the CMK

Microsoft requires soft-delete and purge protection for any CMK configuration to protect against accidental or malicious deletion. If a CMK is lost, all encrypted disks become permanently inaccessible.

Migration Steps for Azure VM Disks

Below is the high-level process for converting existing Azure VM disks from PMK to CMK.

  1. Create or select your Azure Key Vault or Managed HSM
  2. Create or import the customer managed key
  3. Assign a managed identity to the VM or specific disks
  4. Grant the managed identity permissions to use the key
  5. Create a Disk Encryption Set referencing your vault and key
  6. Stop the VM (required for OS disk migration)
  7. Update the managed disk configuration to reference the Disk Encryption Set
  8. Start the VM and validate encryption status
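The eight steps above as one Azure CLI run, added here as an example and not taken from the original article. All resource names are assumed placeholders; it also assumes `az` is logged in and the operator holds Key Vault Crypto Officer on the new vault (needed to create the key in an RBAC-authorized vault).

```bash
# Added example (not from the original article): Azure CLI run of the eight steps
# above for one VM's OS disk. Resource names are assumed placeholders; replace them.
# Assumes: az is logged in, and the operator holds Key Vault Crypto Officer on the vault.
set -euo pipefail

RG="rg-cmk-demo"; LOCATION="eastus"; VM="vm-app01"; OSDISK="vm-app01_OsDisk"
KV="kv-cmk-demo-001"; KEY="disk-cmk"; DES="des-vm-cmk"

migrate_os_disk_to_cmk() {
  # Steps 1-2: vault (soft-delete is on by default) with purge protection, and a key.
  az keyvault create -g "$RG" -n "$KV" -l "$LOCATION" \
    --enable-purge-protection true --enable-rbac-authorization true -o none
  az keyvault key create --vault-name "$KV" -n "$KEY" --protection software -o none
  local kv_id key_url des_id des_principal
  kv_id=$(az keyvault show -g "$RG" -n "$KV" --query id -o tsv)
  key_url=$(az keyvault key show --vault-name "$KV" -n "$KEY" --query key.kid -o tsv)

  # Step 5: the Disk Encryption Set. Its system-assigned identity, not the VM's,
  # is what performs the wrap/unwrap calls against the key.
  az disk-encryption-set create -g "$RG" -n "$DES" -l "$LOCATION" --source-vault "$kv_id" \
    --key-url "$key_url" --enable-auto-key-rotation true -o none
  des_id=$(az disk-encryption-set show -g "$RG" -n "$DES" --query id -o tsv)
  des_principal=$(az disk-encryption-set show -g "$RG" -n "$DES" --query identity.principalId -o tsv)

  # Steps 3-4: least privilege. This built-in role grants only get/wrap/unwrap on keys.
  az role assignment create --assignee-object-id "$des_principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$kv_id" -o none
  sleep 60   # RBAC assignments take a little time to propagate

  # Steps 6-8: the OS disk can only be re-keyed while the VM is deallocated.
  az vm deallocate -g "$RG" -n "$VM"
  az disk update -g "$RG" -n "$OSDISK" --disk-encryption-set "$des_id" \
    --encryption-type EncryptionAtRestWithCustomerKey -o none
  az vm start -g "$RG" -n "$VM"
  check_cmk "$(az disk show -g "$RG" -n "$OSDISK" --query encryption -o json)" "$des_id"
}
# Validate the `encryption` object from `az disk show`: succeed only when the type is
# the customer-key type and the disk references the expected Disk Encryption Set.
check_cmk() {
  local enc_json="$1" expected_des_id="$2" actual_des_id
  printf '%s' "$enc_json" | grep '"type": *"EncryptionAtRestWithCustomerKey"' >/dev/null || return 1
  actual_des_id=$(printf '%s' "$enc_json" | sed -n 's/.*"diskEncryptionSetId": *"\([^"]*\)".*/\1/p')
  # ARM resource IDs are case-insensitive, so compare in lower case.
  [ "$(printf '%s' "$actual_des_id" | tr 'A-Z' 'a-z')" = \
    "$(printf '%s' "$expected_des_id" | tr 'A-Z' 'a-z')" ]
}
# Run the migration only on request, so the file can also be sourced for check_cmk.
if [ "${RUN_MIGRATION:-0}" = "1" ]; then migrate_os_disk_to_cmk; fi
```

Run with `RUN_MIGRATION=1 bash migrate.sh`; the script exits non-zero if the disk does not come back reporting the customer-key encryption type and the expected Disk Encryption Set.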

Once the VM is running again, the disk is protected by the CMK instead of a PMK. Azure does not decrypt and re-encrypt the data; it re-wraps the disk's data encryption key under the new key hierarchy.

Important Notes and Limitations

• A Disk Encryption Set must exist in the same region as the vault
• Moving from CMK back to PMK is not supported without creating a new disk
• Incremental snapshots created before migration remain PMK encrypted
• Disk swaps may cause downtime for OS disks
• You are responsible for CMK lifecycle, monitoring, and rotation after migration

Azure’s documentation notes that if a CMK becomes disabled or deleted, disks immediately become unusable. This is why enabling soft-delete and locking down access is essential.

CMK Use Cases Beyond Virtual Machines

Customer managed keys apply to more than VM disks. Azure services that support CMK include
• Azure Storage accounts
• Azure SQL and Azure SQL Managed Instance
• Recovery Services Vault backups
• Azure Kubernetes Service (AKS) disk encryption
• Azure Cognitive Search
• Azure App Service environment logs
• Azure Key Vault Secrets and Certificates (for double encryption)

Using a centralized CMK strategy makes it easier to enforce consistent encryption governance across all Azure services.

Best Practices for CMK Governance

When implementing CMK across your environment
• Enable soft-delete and purge protection on all vaults
• Use role-based access control and least-privilege principles
• Enable Key Vault logging to monitor key usage
• Establish a rotation policy and test it before enforcing it widely
• Implement resource locks to protect vaults and keys
• Document your key lifecycle processes and critical contacts
• Use managed identities instead of service principals whenever possible

Azure’s guidance stresses that CMK adoption is a security upgrade only when the processes surrounding key management are implemented correctly.

Summary

Migrating from PMK to CMK gives organizations stronger ownership over encryption, better alignment with compliance requirements, and deeper auditability. Converting VM disks is straightforward when the correct prerequisites are in place, but it introduces responsibility for maintaining, protecting, and rotating keys safely.

For regulated industries, highly sensitive workloads, or strict governance environments, CMK is the preferred and often required approach. For general workloads, PMK remains a good balance of security and simplicity.
