Skip to main content

Theoretical Foundation: Configure Encryption at Host for Azure Virtual Machines

1. Initial Intuition​

Imagine you have a physical server in a datacenter. The data on the disk is encrypted. But when the server reads this data to process it, it passes through a temporary storage area on the physical server itself, called cache, before reaching the CPU. This temporary area may remain in clear text (unencrypted), even though the main disk is encrypted.

In Azure, the same scenario exists. A VM has its disk encrypted, but the physical server (the host) that hosts that VM has cache and temporary storage areas where data can exist momentarily without encryption.

Encryption at Host solves exactly this blind spot: it ensures that all data associated with a VM is encrypted even on the Azure physical host, covering OS and data disk cache, temporary disks, and cached data streams, forming complete end-to-end encryption protection.

It's the difference between encrypting only the vault and also encrypting the table where the vault is opened.

2. Context​

The disk encryption landscape in Azure​

To understand Encryption at Host, you first need to understand the other forms of disk encryption in Azure:

100%
Scroll para zoom Β· Arraste para mover Β· πŸ“± Pinch para zoom no celular

SSE (Storage Service Encryption) is automatic and covers data at rest in managed disks, but doesn't cover the cache of the physical host where the VM runs.

Azure Disk Encryption (ADE) encrypts inside the VM using BitLocker (Windows) or DM-Crypt (Linux), but doesn't eliminate the host gap for temporary disks and cache.

Encryption at Host closes the gap: applies encryption directly on the physical host before any data is written to Azure Storage, covering what other options leave uncovered.

Why Encryption at Host exists​

The technical gap that motivates Encryption at Host is as follows: managed disks have SSE encryption by default, but before data is written back to storage, it passes through host cache (RAM or temporary NVMe on the physical server). This cache may not be encrypted, creating a window where sensitive data is exposed on Azure hardware.

For workloads with compliance requirements like PCI-DSS, HIPAA, or ISO 27001, this gap is unacceptable. Encryption at Host ensures there's no point in the data lifecycle where it exists without encryption, even on Azure physical hardware.

3. Building Concepts​

3.1 What is the "host" in Azure context​

In Azure, your VMs run on physical servers called hosts (or physical nodes). These hosts are high-density machines that host multiple VMs from different customers, with isolation through hypervisor (Hyper-V).

The physical host has its own hardware components, including:

  • Disk cache: high-speed temporary storage area for managed disk data
  • Temporary disk (Temp Disk): an ephemeral disk present in many VM SKUs, non-persistent, that exists only on the local host

These components are outside the scope of standard SSE encryption and ADE.

3.2 What Encryption at Host specifically encrypts​

100%
Scroll para zoom Β· Arraste para mover Β· πŸ“± Pinch para zoom no celular

With Encryption at Host enabled:

  • OS and data disk cache: encrypted with PMK (Platform Managed Keys) or CMK (Customer Managed Keys)
  • Temporary disk: encrypted with PMK or CMK (when configured with CMK, requires Disk Encryption Set)
  • Cached data streams: the complete data pipeline is encrypted

3.3 Encryption keys: PMK vs. CMK​

Platform Managed Keys (PMK): keys generated, stored, and managed completely by Microsoft. The customer has no access or control over the keys. This is the default mode.

Customer Managed Keys (CMK): keys generated and stored by the customer in Azure Key Vault or Azure Managed HSM. The customer controls the key lifecycle (rotation, revocation, expiration). Requires a Disk Encryption Set as an intermediary.

100%
Scroll para zoom Β· Arraste para mover Β· πŸ“± Pinch para zoom no celular

3.4 Disk Encryption Set​

The Disk Encryption Set is an ARM resource that serves as an intermediary between managed disks (and Encryption at Host) and Key Vault. It:

  • Receives a managed identity (System-assigned Managed Identity)
  • This identity receives Get, WrapKey, UnwrapKey permissions on Key Vault
  • Disks use the Disk Encryption Set to access keys from Key Vault

3.5 Prerequisite: register the feature in subscription​

Before using Encryption at Host, the feature needs to be registered in the subscription:

az feature register \
  --name EncryptionAtHost \
  --namespace Microsoft.Compute

This is different from other resources: Encryption at Host requires explicit opt-in at the subscription level before it can be enabled on VMs.

3.6 VM SKU support​

Encryption at Host is not supported on all VM SKUs. Unsupported SKUs include some older or basic capacity types:

  • Not supported: B-series (Burstable), A-series (basic), some Lsv2 versions
  • Supported: Dsv3, Dsv4, Esv3, Esv4, Fsv2, M-series, and most modern SKUs

To check if a specific SKU supports Encryption at Host:

az vm list-skus \
  --location "brazilsouth" \
  --resource-type virtualMachines \
  --query "[?capabilities[?name=='EncryptionAtHostSupported' && value=='True']].name" \
  --output table

4. Structural View​

Coverage comparison between encryption methods​

100%
Scroll para zoom Β· Arraste para mover Β· πŸ“± Pinch para zoom no celular

Data flow with Encryption at Host enabled​

100%
Scroll para zoom Β· Arraste para mover Β· πŸ“± Pinch para zoom no celular

The critical point is that encryption and decryption occur on the physical host, not inside the VM. The VM itself operates with clear text data (as it always did), but the host never maintains clear data outside the VM scope.

5. Practical Operation​

Encryption at Host enablement cycle​

100%
Scroll para zoom Β· Arraste para mover Β· πŸ“± Pinch para zoom no celular

Non-obvious behaviors​

Enabling on existing VM requires deallocation. It's not possible to enable Encryption at Host on a running VM. The VM must be stopped (deallocated), not just stopped. "Stopped" in Azure doesn't release hardware; only "deallocated" releases the physical host and allows reconfiguration.

The temporary disk is not persistent, but may contain sensitive data. The temporary disk (D: on Windows, /dev/sdb on many Linux distros) is recreated on each VM allocation. Without Encryption at Host, data left on it could potentially be accessed if the physical host is reused by another VM from the same or different customer (although Azure zeros memory between allocations). With EoH, this data is encrypted even on the host.

Encryption at Host doesn't replace Azure Disk Encryption. They are complementary. ADE encrypts inside the VM (protection against VHD file access) while EoH encrypts on the host (protection against physical hardware access). Using both is the highest level of protection available outside of Confidential Computing.

Combination with ADE has specific considerations. When ADE and EoH are used together, the OS disk is doubly encrypted: first by ADE (inside the VM) and then by EoH (on the host). The temporary disk, which ADE doesn't natively encrypt on Linux, becomes covered by EoH.

Ultra disks and Premium SSD v2 have different behavior. For these disk types, Encryption at Host behaves like SSE with CMK for cache, but implementation may vary. Check the latest documentation for specific details on each disk type.

6. Implementation Methods​

Azure Portal​

When to use: manual configuration of individual VMs, visual verification

For new VM:

  1. Portal > Virtual Machines > + Create
  2. Disks tab
  3. Encryption section > enable Encryption at host
  4. If using CMK: select Key management and choose the Disk Encryption Set
  5. Complete creation normally

For existing VM (must be deallocated):

  1. Stop VM (ensure it's Deallocated, not just Stopped)
  2. Portal > VM > Disks > Additional settings
  3. Enable Encryption at host
  4. Save
  5. Start the VM

Limitation: not reproducible, no version control.

Azure CLI​

# Step 1: Check and register feature in subscription
az feature show \
  --name EncryptionAtHost \
  --namespace Microsoft.Compute \
  --query "properties.state" \
  --output tsv

# If not "Registered":
az feature register \
  --name EncryptionAtHost \
  --namespace Microsoft.Compute

# Wait for registration (may take a few minutes)
az feature show \
  --name EncryptionAtHost \
  --namespace Microsoft.Compute

# After registration, propagate to resource provider
az provider register --namespace Microsoft.Compute

# Step 2: Check if SKU supports EoH
az vm list-skus \
  --location "brazilsouth" \
  --resource-type virtualMachines \
  --query "[?name=='Standard_D4s_v5'].capabilities[?name=='EncryptionAtHostSupported'].value" \
  --output tsv

# Step 3a: Create VM with EoH enabled (PMK - Platform Managed Keys)
az vm create \
  --resource-group "rg-vms-seguras" \
  --name "vm-prod-001" \
  --image "Win2022Datacenter" \
  --size "Standard_D4s_v5" \
  --encryption-at-host \
  --admin-username "azureadmin" \
  --admin-password "<secure-password>" \
  --location "brazilsouth"

# Step 3b: Create VM with EoH enabled and CMK (Customer Managed Keys)
# First create Key Vault and Disk Encryption Set

# Create Key Vault with purge protection (mandatory for CMK on disks)
az keyvault create \
  --name "kv-disk-encryption" \
  --resource-group "rg-vms-seguras" \
  --location "brazilsouth" \
  --enable-purge-protection true \
  --sku premium

# Create key in Key Vault
az keyvault key create \
  --vault-name "kv-disk-encryption" \
  --name "disk-encryption-key" \
  --protection software \
  --kty RSA \
  --size 4096

KEY_URL=$(az keyvault key show \
  --vault-name "kv-disk-encryption" \
  --name "disk-encryption-key" \
  --query "key.kid" --output tsv)

KV_ID=$(az keyvault show \
  --name "kv-disk-encryption" \
  --resource-group "rg-vms-seguras" \
  --query "id" --output tsv)

# Create Disk Encryption Set
az disk-encryption-set create \
  --name "des-prod" \
  --resource-group "rg-vms-seguras" \
  --location "brazilsouth" \
  --key-url "$KEY_URL" \
  --source-vault "$KV_ID" \
  --encryption-type EncryptionAtRestWithCustomerKey

# Give permission to Disk Encryption Set in Key Vault
DES_IDENTITY=$(az disk-encryption-set show \
  --name "des-prod" \
  --resource-group "rg-vms-seguras" \
  --query "identity.principalId" --output tsv)

az keyvault set-policy \
  --name "kv-disk-encryption" \
  --object-id "$DES_IDENTITY" \
  --key-permissions get wrapKey unwrapKey

DES_ID=$(az disk-encryption-set show \
  --name "des-prod" \
  --resource-group "rg-vms-seguras" \
  --query "id" --output tsv)

# Create VM with EoH + CMK
az vm create \
  --resource-group "rg-vms-seguras" \
  --name "vm-prod-cmk-001" \
  --image "Ubuntu2204" \
  --size "Standard_D4s_v5" \
  --encryption-at-host \
  --os-disk-encryption-set "$DES_ID" \
  --admin-username "azureadmin" \
  --ssh-key-values ~/.ssh/id_rsa.pub \
  --location "brazilsouth"

# Step 4: Enable EoH on existing VM (must be deallocated)
# Deallocate VM first
az vm deallocate \
  --resource-group "rg-vms-seguras" \
  --name "vm-existente"

# Enable Encryption at Host
az vm update \
  --resource-group "rg-vms-seguras" \
  --name "vm-existente" \
  --set securityProfile.encryptionAtHost=true

# Start VM again
az vm start \
  --resource-group "rg-vms-seguras" \
  --name "vm-existente"

# Verify EoH is enabled
az vm show \
  --resource-group "rg-vms-seguras" \
  --name "vm-prod-001" \
  --query "securityProfile.encryptionAtHost" \
  --output tsv

# Disable EoH (also requires deallocation)
az vm deallocate \
  --resource-group "rg-vms-seguras" \
  --name "vm-prod-001"

az vm update \
  --resource-group "rg-vms-seguras" \
  --name "vm-prod-001" \
  --set securityProfile.encryptionAtHost=false

az vm start \
  --resource-group "rg-vms-seguras" \
  --name "vm-prod-001"

Azure PowerShell​

# Check feature registration
Get-AzProviderFeature `
  -FeatureName "EncryptionAtHost" `
  -ProviderNamespace "Microsoft.Compute"

# Register if necessary
Register-AzProviderFeature `
  -FeatureName "EncryptionAtHost" `
  -ProviderNamespace "Microsoft.Compute"

# Check SKU support
Get-AzVMSize -Location "brazilsouth" |
  Where-Object { $_.Name -eq "Standard_D4s_v5" } |
  Select-Object Name

# Create VM with EoH via PowerShell
$vmConfig = New-AzVMConfig -VMName "vm-prod-001" -VMSize "Standard_D4s_v5"

# Enable EoH in config
$vmConfig = Set-AzVMSecurityProfile `
  -VM $vmConfig `
  -EncryptionAtHost $true

$cred = Get-Credential -Message "Admin credentials"

$vmConfig = Set-AzVMOperatingSystem `
  -VM $vmConfig `
  -Windows `
  -ComputerName "vm-prod-001" `
  -Credential $cred

$vmConfig = Set-AzVMSourceImage `
  -VM $vmConfig `
  -PublisherName "MicrosoftWindowsServer" `
  -Offer "WindowsServer" `
  -Skus "2022-Datacenter" `
  -Version "latest"

$vmConfig = Add-AzVMNetworkInterface `
  -VM $vmConfig `
  -Id $nicId

New-AzVM `
  -ResourceGroupName "rg-vms-seguras" `
  -Location "brazilsouth" `
  -VM $vmConfig

# Enable on existing VM
Stop-AzVM `
  -ResourceGroupName "rg-vms-seguras" `
  -Name "vm-existente" `
  -Force

Update-AzVM `
  -ResourceGroupName "rg-vms-seguras" `
  -VM (Get-AzVM -ResourceGroupName "rg-vms-seguras" -Name "vm-existente") `
  -EncryptionAtHost $true

Start-AzVM `
  -ResourceGroupName "rg-vms-seguras" `
  -Name "vm-existente"

# Check status
(Get-AzVM -ResourceGroupName "rg-vms-seguras" -Name "vm-prod-001").SecurityProfile.EncryptionAtHost

Bicep​

// Disk Encryption Set for CMK
resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = {
  name: 'des-prod'
  location: 'brazilsouth'
  identity: {
    type: 'SystemAssigned'  // Managed Identity to access Key Vault
  }
  properties: {
    encryptionType: 'EncryptionAtRestWithCustomerKey'
    activeKey: {
      keyUrl: keyVaultKeyUri
sourceVault: {
        id: keyVaultId
      }
    }
  }
}

// VM with Encryption at Host enabled
resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: 'vm-prod-001'
  location: 'brazilsouth'
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D4s_v5'
    }
    securityProfile: {
      encryptionAtHost: true  // Enable Encryption at Host
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: '2022-Datacenter'
        version: 'latest'
      }
      osDisk: {
        name: 'vm-prod-001-osdisk'
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
          // If using CMK, add diskEncryptionSet
          diskEncryptionSet: {
            id: diskEncryptionSet.id
          }
        }
      }
      dataDisks: [
        {
          lun: 0
          name: 'vm-prod-001-datadisk'
          createOption: 'Empty'
          diskSizeGB: 128
          managedDisk: {
            storageAccountType: 'Premium_LRS'
            diskEncryptionSet: {
              id: diskEncryptionSet.id
            }
          }
        }
      ]
    }
    osProfile: {
      computerName: 'vm-prod-001'
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}

7. Control and Security​

Azure Policy to enforce Encryption at Host​

To ensure all VMs created in the organization have Encryption at Host enabled, use Azure Policy:

# Built-in policy: "Virtual machines should encrypt temp disks, caches, and data flows"
# Policy ID: 0961003e-5a0a-4549-abde-af6a37f2724d

az policy assignment create \
  --name "enforce-encryption-at-host" \
  --display-name "VMs must have Encryption at Host enabled" \
  --policy "0961003e-5a0a-4549-abde-af6a37f2724d" \
  --scope "/subscriptions/<sub-id>" \
  --params '{"effect": {"value": "Deny"}}'

With this policy as Deny, any attempt to create a VM without EoH will be blocked.

Audit VMs without Encryption at Host​

# List all VMs without Encryption at Host enabled
az graph query -q "
Resources
| where type == 'microsoft.compute/virtualmachines'
| where isnull(properties.securityProfile.encryptionAtHost) or properties.securityProfile.encryptionAtHost == false
| project name, resourceGroup, location, subscriptionId"

# Via CLI in a subscription
az vm list \
  --query "[?securityProfile.encryptionAtHost != true].{Name:name, RG:resourceGroup, EoH:securityProfile.encryptionAtHost}" \
  --output table

CMK key rotation​

For Customer Managed Keys, regular rotation is a mandatory security practice:

# Create new key version in Key Vault
az keyvault key rotate \
  --vault-name "kv-disk-encryption" \
  --name "disk-encryption-key"

# Get URL of the new version
NEW_KEY_URL=$(az keyvault key show \
  --vault-name "kv-disk-encryption" \
  --name "disk-encryption-key" \
  --query "key.kid" --output tsv)

# Update Disk Encryption Set with new key version
az disk-encryption-set update \
  --name "des-prod" \
  --resource-group "rg-vms-seguras" \
  --key-url "$NEW_KEY_URL"

# Azure automatically re-encrypts disks with the new key
# (asynchronous process, takes a few minutes)

8. Decision Making​

When to use each encryption approach​

SituationSolutionReason
Basic compliance requirement (data at rest)Default SSE (automatic)Already enabled by default, no additional configuration
Sensitive data with requirement of no exposure on hostEncryption at Host (PMK)Covers host cache gap without CMK complexity
Maximum compliance (PCI-DSS Level 1, HIPAA, GDPR)Encryption at Host + CMKFull control over keys + complete coverage
Protection within VM as well (VHD access)ADE + Encryption at HostADE protects within VM, EoH protects on host
Need to immediately revoke access to all dataCMK (disable key in Key Vault)Revoking CMK makes all data immediately inaccessible
Short-lived ephemeral VM (< 1 hour)Default SSE may be sufficientRisk is lower; evaluate specific compliance requirement

PMK vs. CMK for Encryption at Host​

AspectPMK (Platform Managed)CMK (Customer Managed)
Control over keysNoneTotal
Operational complexityMinimalRequires Key Vault, Disk Encryption Set, IAM
Key rotationAutomatic by MicrosoftManual or automatic via Key Vault
Additional costNoneKey Vault Premium + key operations
Emergency revocationNot availableYes (disable key in Key Vault)
Compliance requirementMost scenariosPCI-DSS, HIPAA, government requirements

9. Best Practices​

Enable Encryption at Host on all production VMs by default. The performance overhead is minimal (practically imperceptible for most workloads) and the security gain is significant. Use Azure Policy with Deny effect to ensure no production VM is created without EoH.

Register the feature in the subscription before needing it, not at deploy time. The EncryptionAtHost feature registration is asynchronous and can take several minutes. In automated deployment pipelines, this delay can cause failures if the feature is not registered. Register in advance as part of the provisioning process for new subscriptions.

Use CMK only when there's a real need for key control. CMK adds significant operational complexity: Key Vault needs purge protection, Disk Encryption Set needs correct permissions, key rotation needs to be managed. For most scenarios, PMK with EoH is sufficient. Use CMK only when compliance requires customer control of keys.

If using CMK, enable soft delete and purge protection on Key Vault. These are prerequisites for using Key Vault with CMK on disks. Soft delete retains deleted keys for a period (default 90 days), and purge protection prevents permanent deletion before the period expires. Without purge protection, you could accidentally make VMs inaccessible.

Check the SKU before planning EoH. Don't assume all SKUs support EoH. Validate with az vm list-skus before committing to the architecture. This is especially important when migrating legacy VMs to new SKUs.

For existing VMs, plan the maintenance window. Enabling EoH requires VM deallocation. For critical VMs, coordinate a maintenance window. The VM will be unavailable for a few minutes during deallocation, enablement, and startup.

10. Common Errors​

ErrorWhy it happensHow to avoid
VM creation failure with EoH: "EncryptionAtHost not registered"Feature not registered in subscriptionRegister feature before creating any VM with EoH
Creation failure: "SKU does not support EncryptionAtHost"Incompatible SKU selectedCheck SKU support before deployment
VM cannot be updated to enable EoH without deallocationVM running, attempt without deallocateAlways deallocate before enabling/disabling EoH
Disk Encryption Set without Key Vault permissionManaged Identity not configured correctlyVerify DES role assignment on Key Vault after creation
Confusing EoH with ADESimilar names, different functionsEoH: encryption on physical host; ADE: encryption within VM with BitLocker/DM-Crypt
Key Vault without purge protection failing for CMKMandatory requirement not metEnable purge protection when creating Key Vault
Assuming EoH replaces ADELack of understanding of layersThey are complementary; EoH does not encrypt within VM

The most critical error​

Creating production VMs without registering the EoH feature in the subscription and without policy that enforces it. The result is a fleet of VMs that appears to be compliant (SSE active) but has the host cache gap exposed. In a compliance audit, this gap can result in non-compliance with requirements like PCI-DSS.

11. Operation and Maintenance​

Monitor EoH status across the organization​

# Resource Graph: all VMs with/without EoH across the organization
az graph query -q "
Resources
| where type == 'microsoft.compute/virtualmachines'
| extend eohEnabled = tobool(properties.securityProfile.encryptionAtHost)
| summarize count() by eohEnabled
| order by eohEnabled desc"

# List specific VMs without EoH by subscription
az graph query -q "
Resources
| where type == 'microsoft.compute/virtualmachines'
| where isnull(properties.securityProfile.encryptionAtHost) 
      or properties.securityProfile.encryptionAtHost == false
| project name, resourceGroup, location, subscriptionId, vmSize=properties.hardwareProfile.vmSize
| order by subscriptionId, resourceGroup"

# Check compliance via Azure Policy
az policy state list \
  --policy-assignment "enforce-encryption-at-host" \
  --filter "complianceState eq 'NonCompliant'" \
  --query "[].{VM: resourceId, State: complianceState}" \
  --output table

Check re-encryption status after CMK rotation​

# Check if disks are using the latest key version
az disk list \
  --resource-group "rg-vms-seguras" \
  --query "[?encryption.diskEncryptionSetId!=null].{Name:name, KeyVersion:encryption.diskEncryptionSetId}" \
  --output table

# Check Disk Encryption Set migration status
az disk-encryption-set show \
  --name "des-prod" \
  --resource-group "rg-vms-seguras" \
  --query "provisioningState"

Limits and considerations​

AspectValue/Detail
Supported SKUsMost modern SKUs (check by region)
Performance overheadMinimal (~1-3% on I/O intensive workloads)
ADE compatibilityCan be used together
Azure Spot VMs compatibilitySupported
Scale Sets compatibilitySupported (define in Scale Set policy)
Availability by regionCheck: some regions may not support all SKUs

12. Integration and Automation​

Enable EoH on Scale Sets​

resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-03-01' = {
  name: 'vmss-prod'
  location: 'brazilsouth'
  properties: {
    virtualMachineProfile: {
      securityProfile: {
        encryptionAtHost: true  // EoH for all VMs in the Scale Set
      }
      storageProfile: {
        imageReference: {
          publisher: 'Canonical'
          offer: '0001-com-ubuntu-server-jammy'
          sku: '22_04-lts-gen2'
          version: 'latest'
        }
        osDisk: {
          createOption: 'FromImage'
          managedDisk: {
            storageAccountType: 'Premium_LRS'
          }
        }
      }
    }
  }
}

Azure Policy Initiative for VM security​

# Create initiative that combines multiple VM security policies
az policy set-definition create \
  --name "vm-security-baseline" \
  --display-name "VM Security Baseline" \
  --definitions '[
    {
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
      "policyDefinitionReferenceId": "encryption-at-host"
    },
    {
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b66f9f6-c26a-4e3f-ae73-2e2b13e53d35",
      "policyDefinitionReferenceId": "azure-disk-encryption"
    }
  ]' \
  --params '{}'

# Assign initiative to subscription
az policy assignment create \
  --name "vm-security-baseline-assignment" \
  --policy-set-definition "vm-security-baseline" \
  --scope "/subscriptions/<sub-id>"

Mass enablement automation​

# Enable EoH on all VMs in a Resource Group (with maintenance window)
$vms = Get-AzVM -ResourceGroupName "rg-producao"

foreach ($vm in $vms) {
  if (-not $vm.SecurityProfile.EncryptionAtHost) {
    Write-Output "Enabling EoH on: $($vm.Name)"

    # Deallocate
    Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force

    # Enable EoH
    $vm.SecurityProfile = New-Object Microsoft.Azure.Management.Compute.Models.SecurityProfile
    $vm.SecurityProfile.EncryptionAtHost = $true
    Update-AzVM -ResourceGroupName $vm.ResourceGroupName -VM $vm

    # Start
    Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name

    Write-Output "EoH enabled and VM restarted: $($vm.Name)"
  } else {
    Write-Output "EoH already enabled: $($vm.Name)"
  }
}

13. Final Summary​

Essential points:

  • Encryption at Host encrypts data on the Azure physical host before any write to storage, covering OS and data disk cache and temporary disk
  • Default SSE does not cover host cache; EoH fills this gap, creating end-to-end encryption
  • Requires feature registration EncryptionAtHost in subscription before use
  • Enabling/disabling on existing VMs requires the VM to be deallocated (not just stopped)
  • Supports PMK (Microsoft-managed keys) or CMK (customer-managed keys via Key Vault + Disk Encryption Set)
  • Not supported on all VM SKUs; check with az vm list-skus

Critical differences:

  • EoH vs. ADE (Azure Disk Encryption): EoH encrypts on physical host (cache, temporary disk); ADE encrypts within VM with BitLocker/DM-Crypt. They are complementary, not substitutes
  • EoH vs. SSE: SSE is automatic in Azure Storage (doesn't cover host cache); EoH covers what SSE leaves uncovered
  • PMK vs. CMK: PMK is managed by Microsoft (simple, no control); CMK gives full control to customer but requires Key Vault with purge protection and Disk Encryption Set
  • Stopped vs. Deallocated: to change EoH requires Deallocated (hardware released), not just Stopped (VM paused but still on host)

What needs to be remembered for AZ-104:

  • The feature must be registered with az feature register --name EncryptionAtHost --namespace Microsoft.Compute
  • The parameter in CLI is --encryption-at-host
  • In ARM/Bicep it's securityProfile.encryptionAtHost: true
  • Requires VM deallocated to enable on existing VM
  • The temporary disk (ephemeral) is encrypted with EoH but is not persistent between deallocations
  • For CMK, Key Vault must have --enable-purge-protection true
  • The built-in policy that checks EoH is: "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" (ID: 0961003e-5a0a-4549-abde-af6a37f2724d)