Technical Lab: Configure encryption at host for Azure virtual machines

Questions

Question 1 — Multiple Choice

A security team requires that temporary data stored in OS and data disk caches of a VM be encrypted at rest using customer-managed keys. The VM already uses Azure Disk Encryption (ADE). Which statement correctly describes the relationship between ADE and encryption at host in this scenario?

A) ADE and encryption at host cover exactly the same components, so enabling both is redundant and unnecessary.

B) Encryption at host complements ADE by encrypting the OS and data disk caches on the physical host, covering a gap that ADE doesn't fill.

C) ADE already encrypts disk caches in the hypervisor, making it unnecessary to enable encryption at host for this purpose.

D) Encryption at host completely replaces ADE, so ADE must be disabled before activating encryption at host.


Question 2 — Technical Scenario

An administrator tries to register the resource provider needed to use encryption at host and runs the following command:

az feature register \
--name EncryptionAtHost \
--namespace Microsoft.Compute

After a few minutes, they check the status and get "state": "Registered". Then they try to create a VM with encryption at host enabled, but receive an error indicating that the feature is not available in the subscription.

What is the most likely cause of the problem?

A) The command only registered the feature flag, but the administrator didn't run az provider register --namespace Microsoft.Compute after the feature registration.

B) The chosen VM SKU doesn't support encryption at host, regardless of the feature registration.

C) Encryption at host can only be enabled via the Azure portal, not through CLI.

D) The EncryptionAtHost feature flag has been deprecated and replaced by a direct disk policy configuration.


Question 3 — True or False

Encryption at host can be enabled on an existing VM that is in Running state, without needing to deallocate the VM before applying the configuration.


Question 4 — Technical Scenario

An organization uses customer-managed keys (CMK) stored in Azure Key Vault for managed disk encryption. The administrator wants to extend this protection so that disk caches and the temporary disk are also covered by the same set of CMK, using encryption at host.

What configuration is mandatory for encryption at host to respect the CMK defined in the Disk Encryption Set associated with the VM's disks?

A) Enable soft delete and purge protection in the Key Vault before associating the Disk Encryption Set to the VM.

B) Associate the same Disk Encryption Set to the VM at the time encryption at host is enabled; disk caches will automatically inherit the keys from the set.

C) Create a second Disk Encryption Set exclusive for disk caches, as encryption at host doesn't reuse the set associated with data disks.

D) Configure an access policy in the Key Vault that grants direct permission to the VM's managed identity, without needing a Disk Encryption Set.


Question 5 — Multiple Choice

Which of the following statements correctly describes the scope of protection offered by encryption at host compared to Azure managed disks' default encryption (SSE with PMK)?

A) Default encryption protects data on the physical disk, while encryption at host adds protection only during data transfer between the VM and Azure Storage.

B) Default encryption protects data persisted in Azure Storage, while encryption at host ensures that data in disk caches and temporary disk are also encrypted before leaving the physical host.

C) Both approaches offer the same level of protection; encryption at host is only relevant for regulatory compliance, not for additional technical security.

D) Encryption at host replaces Azure Storage's default encryption, making it necessary to disable SSE when activating encryption at host to avoid double encryption.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

Azure Disk Encryption (ADE) operates inside the VM's operating system using BitLocker (Windows) or dm-crypt (Linux) and doesn't cover the OS and data disk caches that are held temporarily on the physical host. Encryption at host acts at the hypervisor layer, ensuring that this cached data is also encrypted at rest before it is persisted anywhere. The two features complement each other rather than overlapping.

The main misconception of the distractors is assuming equivalence or substitution between the two mechanisms. In practice, organizations with strict data-at-rest protection requirements often enable both: ADE protects the OS volume and data in the guest, while encryption at host closes the gap for caches and temporary disk on the host.


Answer Key — Question 2

Answer: A

Enabling encryption at host requires two distinct steps: register the feature flag with az feature register and, once registration is confirmed, run az provider register --namespace Microsoft.Compute so that the provider reflects the change in the subscription. Without the second command, the Azure Compute control plane doesn't recognize the feature as available, even though the flag status reads Registered.

The other distractors are incorrect: SKU restrictions generate different and more specific error messages; CLI fully supports creating VMs with encryption at host; and the EncryptionAtHost feature flag is the current and official mechanism.


Answer Key — Question 3

Answer: False

To enable or disable encryption at host on an existing VM, the VM must be in the Deallocated state. Attempting to apply the configuration while the VM is Running or merely Stopped (without deallocation) results in an error. This is because the change affects the configuration of the underlying physical host, which can only be modified when the hypervisor is not serving that VM.

This behavior contrasts with other disk operations, such as adding data disks, which can be done with the VM running. Understanding this operational limitation is essential for planning maintenance windows when implementing encryption at host on existing production VMs.


Answer Key — Question 4

Answer: B

When encryption at host is enabled on a VM that has disks associated with a Disk Encryption Set with CMK, the OS and data disk caches automatically inherit the keys defined in that set. The temporary disk, when covered, uses PMK by default, unless explicitly configured. It's not necessary to create a separate Disk Encryption Set for the caches.

Distractor A addresses real Key Vault requirements (soft delete and purge protection are mandatory for CMK usage), but they are prerequisites for Disk Encryption Set operation in general, not a specific configuration for encryption at host. Choosing A would demonstrate confusion between general CMK prerequisites and the specific key inheritance mechanism in encryption at host.
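
The registration, deallocation and Disk Encryption Set steps from the explanations for Questions 2 to 4, as one added example written for this page with the Azure CLI (not code from the lab); the resource group, VM and Disk Encryption Set names are assumed placeholders, and nothing touches Azure unless RUN_AZ=1 is set:

```shell
#!/bin/sh
# Added example, not part of the lab: the Azure CLI flow for encryption at host.
# RG, VM and DES are assumed placeholder names; set RUN_AZ=1 to run against Azure.
set -eu
RG="${RG:-rg-example}"
VM="${VM:-vm-example}"
DES="${DES:-des-example}"   # Disk Encryption Set holding the CMK

# Current state of the EncryptionAtHost feature flag as a plain string.
feature_state() {
  az feature show --name EncryptionAtHost --namespace Microsoft.Compute \
    --query properties.state -o tsv
}

# Poll $1 (a command printing the state) every $2 seconds, up to $3 times,
# until it reports "Registered"; returns 1 on timeout.
wait_until_registered() {
  cmd="$1"; delay="$2"; tries="$3"; i=0
  while [ "$i" -lt "$tries" ]; do
    [ "$($cmd)" = "Registered" ] && return 0
    i=$((i + 1)); sleep "$delay"
  done
  return 1
}

# Question 2: registering the flag is step one; the provider must be
# re-registered afterwards or the subscription still rejects the setting.
register_feature() {
  az feature register --name EncryptionAtHost --namespace Microsoft.Compute
  wait_until_registered feature_state 30 20
  az provider register --namespace Microsoft.Compute
}

# Question 3: an existing VM must be deallocated before the property changes.
enable_on_existing_vm() {
  az vm deallocate -g "$RG" -n "$VM"
  az vm update -g "$RG" -n "$VM" --set securityProfile.encryptionAtHost=true
  az vm start -g "$RG" -n "$VM"
}

# Question 4: the DES attached to the OS disk at creation is what the caches inherit.
create_vm_with_eah() {
  az vm create -g "$RG" -n "$VM" --image Ubuntu2204 \
    --encryption-at-host true --os-disk-encryption-set "$DES"
}
if [ "${RUN_AZ:-0}" = 1 ]; then
  register_feature
  create_vm_with_eah
fi
```

For an existing VM, call enable_on_existing_vm instead of create_vm_with_eah after register_feature has completed.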


Answer Key — Question 5

Answer: B

Azure's default encryption (SSE with PMK or CMK) protects data once it's persisted to Azure Storage, but data that resides temporarily in disk caches and on the temporary disk of the physical host falls outside this scope. Encryption at host closes this gap by ensuring that encryption already takes place on the host, before any data leaves toward persistent storage or remains in a cache.

Distractor D is a critical misconception: encryption at host and SSE coexist and complement each other. There's no conflict between them, and SSE should not be disabled. Distractor C underestimates the technical value of the feature by reducing it to compliance, ignoring the real attack surface that host caches represent in threat models that consider physical access or hypervisor compromise.