Hi Robos,
Azure Disk Encryption (ADE) does not support key auto-rotation. When a key in Azure Key Vault is rotated, ADE continues to use the original key. If this key expires or is disabled, ADE cannot access it, causing VM deployment to fail.
When using Azure Disk Encryption (ADE) with a key vault, note that although Azure Key Vault now has key auto-rotation, it isn't currently compatible with Azure Disk Encryption. Specifically, when a key is rotated in the key vault, Azure Disk Encryption will continue to use the original encryption key, even after the key has been auto-rotated. This means that if the original key is disabled or expired, Azure Disk Encryption will fail to access it, causing issues during VM deployment.
To address this problem, you should ensure that the original encryption key remains enabled and accessible for Azure Disk Encryption. If you want to use key rotation, you will need to manage the lifecycle of the keys carefully and ensure that the old key is not disabled until you are certain that all resources dependent on it have been updated to use the new key.
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-key-vault?tabs=azure-portal#azure-disk-encryption-and-auto-rotation
https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#automatic-key-rotation-of-customer-managed-keys
This should help prevent issues during VM deployment and ensure your encryption keys are managed effectively.
Hope the above suggestion helps! Please let us know if you have any further queries.
Please consider clicking “Accept the answer” wherever the information provided helps you; this can be beneficial to other community members.
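The answer above describes why a rotated Key Vault key can break ADE: the VM keeps a reference to one specific key version, and that version must stay enabled and unexpired. The following script is an added example (not part of the original answer or of any Microsoft tooling) that audits exactly that. It assumes two inputs you would normally fetch with the Azure CLI: the key-encryption-key URL recorded on the VM (as reported by `az vm encryption show`) and the list of versions of that key in Key Vault (as reported by `az keyvault key list-versions`). Both inputs here are constructed sample data shaped like that CLI output; the vault name, key name and version identifiers are invented.

```python
"""Audit whether the Key Vault key version pinned by Azure Disk Encryption (ADE)
is still usable after the key has been rotated.

Added example, not from the original answer. The inputs are constructed to
resemble `az vm encryption show` (KEK URL) and `az keyvault key list-versions`
(kid + attributes); vault/key/version names are invented placeholders.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse


def parse_key_url(url: str):
    """Split a Key Vault key identifier into (vault host, key name, version).

    Key Vault key identifiers have the form
    https://<vault>.vault.azure.net/keys/<name>/<version>; ADE stores the
    versioned form, which is why rotation does not move it to the new version.
    """
    parsed = urlparse(url)
    parts = [segment for segment in parsed.path.split("/") if segment]
    if len(parts) != 3 or parts[0] != "keys":
        raise ValueError(f"not a versioned Key Vault key URL: {url}")
    return parsed.netloc.lower(), parts[1], parts[2]


def _ts(value):
    """Parse an ISO-8601 timestamp (CLI style, with offset); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_pinned_key(kek_url: str, key_versions: list, now: datetime) -> dict:
    """Report whether the version referenced by kek_url is enabled, within its
    validity window, and whether a newer version exists (i.e. rotation happened)."""
    host, name, version = parse_key_url(kek_url)

    # Collect every version of the same key in the same vault.
    same_key = []
    for entry in key_versions:
        entry_host, entry_name, entry_version = parse_key_url(entry["kid"])
        if entry_host == host and entry_name == name:
            same_key.append((entry_version, entry["attributes"]))

    pinned = dict(same_key).get(version)
    problems = []
    if pinned is None:
        problems.append("pinned version not found in vault")
    else:
        if not pinned.get("enabled", False):
            problems.append("pinned version is disabled")
        expires = _ts(pinned.get("expires"))
        if expires is not None and expires <= now:
            problems.append("pinned version expired")
        not_before = _ts(pinned.get("notBefore"))
        if not_before is not None and not_before > now:
            problems.append("pinned version not yet valid")

    # The most recently created version is what Key Vault now treats as current.
    newest = max(same_key, key=lambda kv: _ts(kv[1]["created"]), default=None)
    current_version = newest[0] if newest else None
    return {
        "pinned_version": version,
        "current_version": current_version,
        "rotated": current_version is not None and current_version != version,
        "usable": not problems,
        "problems": problems,
    }


# Constructed sample data: a KEK rotated once, with the original version expiring.
SAMPLE_KEK_URL = "https://contoso-kv.vault.azure.net/keys/ade-kek/1111aaaa"
SAMPLE_VERSIONS = [
    {"kid": "https://contoso-kv.vault.azure.net/keys/ade-kek/1111aaaa",
     "attributes": {"enabled": True, "created": "2023-01-15T10:00:00+00:00",
                    "expires": "2024-01-15T10:00:00+00:00", "notBefore": None}},
    {"kid": "https://contoso-kv.vault.azure.net/keys/ade-kek/2222bbbb",
     "attributes": {"enabled": True, "created": "2023-12-15T10:00:00+00:00",
                    "expires": "2024-12-15T10:00:00+00:00", "notBefore": None}},
]


def audit_sample(now_iso: str = "2024-02-01T00:00:00+00:00") -> dict:
    """Run the check against the constructed sample at a chosen point in time."""
    return check_pinned_key(SAMPLE_KEK_URL, SAMPLE_VERSIONS, _ts(now_iso))


if __name__ == "__main__":
    for when in ("2023-12-20T00:00:00+00:00", "2024-02-01T00:00:00+00:00"):
        print(when, audit_sample(when))
```

Run against the sample, the check is clean in December 2023 (the key has rotated, but the pinned original version is still enabled and valid, which is the state the answer tells you to preserve) and fails in February 2024 once that original version expires, which is the condition under which ADE can no longer reach its key. In practice you would feed it the real CLI output and alert on any VM whose result is not usable.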