
Add SecurityEncryptionType and SecureVMDiskEncryptionSet to Add-AzVMDataDisk for Confidential VM data disk encryption#29259

Draft
Copilot wants to merge 2 commits into main from copilot/add-powershell-support-for-confidential-disks

Conversation

Contributor

Copilot AI commented Mar 10, 2026

Confidential VMs (CVMs) already support confidential encryption for OS disks, but data disks lacked equivalent support — leaving data disk contents accessible outside the trusted execution environment. This PR closes that gap by enabling Confidential Disk Encryption (CDDE) for data disks via Add-AzVMDataDisk.

Changes

AddAzureVMDataDiskCommand.cs

  • Added -SecurityEncryptionType (values: DiskWithVMGuestState, VMGuestStateOnly, NonPersistedTPM) scoped to VmManagedDiskParameterSet
  • Added -SecureVMDiskEncryptionSet (ARM resource ID of a DES with ConfidentialVmEncryptedWithCustomerKey encryption type) scoped to VmManagedDiskParameterSet
  • Execution path lazily creates ManagedDisk.SecurityProfile when either parameter is bound, consistent with how Set-AzVMOSDisk handles the same properties for OS disks

Help / Docs

  • Updated Add-AzVMDataDisk.md syntax block, added parameter entries, and new Example 6 demonstrating CVM data disk creation

Tests

  • New Test-AddAzVMDataDiskWithSecurityEncryption PS function covering: SecurityEncryptionType-only, and combined SecurityEncryptionType + SecureVMDiskEncryptionSet scenarios
  • Corresponding [Fact] in VirtualMachineProfileTests.cs

Example

$vm = Add-AzVMDataDisk -VM $vm -Name "ConfidentialData" -Lun 0 -CreateOption Attach `
    -ManagedDiskId $diskId -StorageAccountType 'Premium_LRS' `
    -SecurityEncryptionType 'DiskWithVMGuestState' `
    -SecureVMDiskEncryptionSet $desId

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 1n8vsblobprodwus2184.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • 40vvsblobprodwus2135.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • 6yfvsblobprodwus2121.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • 7q7vsblobprodwus2144.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • 84hvsblobprodwus2148.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • 8wdvsblobprodwus2137.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • b53vsblobprodwus2154.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • ba0vsblobprodwus2130.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • balvsblobprodwus2129.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • cffvsblobprodwus218.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • d94vsblobprodwus2119.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • ezcvsblobprodwus2170.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • faxvsblobprodwus2122.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • g3xvsblobprodwus2151.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • i01vsblobprodwus216.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • jhgvsblobprodwus2167.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • k4pvsblobprodwus2140.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • ldhvsblobprodwus2153.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • mt2vsblobprodwus2110.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • nudvsblobprodwus214.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • p2tvsblobprodwus2189.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • tn2vsblobprodwus2124.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • wlnvsblobprodwus2188.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)
  • y5lvsblobprodwus2179.vsblob.vsassets.io
    • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute/Compute.csproj (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Powershell support for Confidential data disk encryption: creating data disk with new security type and confidential DES</issue_title>
<issue_description>The Ask: Add support for creating data disk with new security type and confidential DES

Business need:

Currently, while Confidential VMs (CVMs) support confidential encryption for operating system disks, data disks still rely on non-confidential methods, creating a critical gap in Azure’s sovereignty promise for critical customers like G42. This gap affects not only migrated VMs but also newly provisioned CVMs, leaving sensitive customer data on data disks exposed and undermining the value proposition of Azure Confidential Computing (ACC). For G42, whose workloads are largely legacy IaaS applications migrated via Azure Migrate, the inability to confidentially encrypt data disks means that sensitive information remains vulnerable to host access, failing to meet customer expectations for end-to-end confidentiality and regulatory compliance. The absence of CDDE is quickly apparent to auditors and regulators, posing significant reputational and onboarding risks, especially as risk acceptance by customers is volatile and may not persist with changes in personnel or regulatory scrutiny. Without a committed timeline for CDDE, customers question Azure’s commitment to security and may reconsider the value of CVMs, opting instead for alternatives like RBAC and CMK that offer demonstrable control and auditability. To fully deliver on the promise of confidential computing and maintain customer trust, it is essential that confidential data disk encryption be prioritized and brought to General Availability as soon as possible.

Overview:
Confidential encryption binds the disk encryption keys to the virtual machine’s TPM (Trusted Platform Module) and makes the disk content accessible only to the VM. This is currently available for OS disks in GA. We also enabled confidential encryption of temp disks (in public preview) using in-VM symmetric key encryption technology, after the disk is attached to the confidential VM (CVM). Similarly, we need a robust long-term solution to assert that the customer’s data on data disks is always encrypted with the keys bound in the trusted environment, so the data can never be accessed by unauthorized Microsoft operators.

PM Contact
kartikg@microsoft.com

Engineer Contact
vimish@microsoft.com</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: Compute PowerShell Pull Request Agent
Specialized agent for creating PowerShell pull requests based on a design request

  • Fixes Azure/azure-powershell-cmdlet-review-pr#1525

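The PR description shows only the final Add-AzVMDataDisk call. The following is an added end-to-end walk-through, written for this page and not code from the PR or from the Az.Compute project, covering the pieces a practitioner has to get right around that call: a DES of the confidential type (the only type -SecureVMDiskEncryptionSet accepts), a data disk whose own security profile matches, a CVM with Secure Boot and vTPM, the OS disk configured the same way, and a read-back check of the data disk's security profile before the VM is submitted. It assumes the -SecurityEncryptionType and -SecureVMDiskEncryptionSet parameters on Add-AzVMDataDisk come from this PR's branch (they are not in a released Az.Compute at the time of writing). The resource group, region, VM size, image, key URL, vault ID, NIC ID and all names are placeholders, and the key behind $keyUrl is assumed to already meet the confidential-DES requirements (HSM-backed, with a key release policy), which are out of scope here.

```powershell
# Added example (not the PR's or the project's code). Placeholders are marked.
$rg       = 'rg-cvm-demo'                                   # assumed
$location = 'eastus'                                        # assumed
$keyUrl   = 'https://kv-cvm-demo.vault.azure.net/keys/cvm-des-key/<version>'   # assumed: HSM-backed key with release policy
$kvId     = '/subscriptions/<sub>/resourceGroups/rg-cvm-demo/providers/Microsoft.KeyVault/vaults/kv-cvm-demo'   # assumed
$nicId    = '/subscriptions/<sub>/resourceGroups/rg-cvm-demo/providers/Microsoft.Network/networkInterfaces/nic-cvm-demo'   # assumed

# 1. Disk encryption set of the confidential type. A DES with any other
#    EncryptionType is not valid for -SecureVMDiskEncryptionSet.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
    -KeyUrl $keyUrl -SourceVaultId $kvId -IdentityType SystemAssigned `
    -EncryptionType 'ConfidentialVmEncryptedWithCustomerKey'
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'des-cvm-demo' -InputObject $desConfig

# 2. The data disk resource itself must be created with a matching security
#    profile; the VM-side setting in step 4 has to agree with it.
$diskConfig = New-AzDiskConfig -Location $location -CreateOption Empty -DiskSizeGB 64 -SkuName 'Premium_LRS'
$diskConfig = Set-AzDiskSecurityProfile -Disk $diskConfig `
    -SecurityType 'ConfidentialVM_DiskEncryptedWithCustomerKey' `
    -SecureVMDiskEncryptionSet $des.Id
$dataDisk = New-AzDisk -ResourceGroupName $rg -DiskName 'disk-cvm-data' -Disk $diskConfig

# 3. Confidential VM: CVM-capable size, Secure Boot and vTPM on, OS disk
#    encrypted with the same type and DES as the data disk.
$cred = Get-Credential                                      # guest admin credentials (assumed)
$vm = New-AzVMConfig -VMName 'vm-cvm-demo' -VMSize 'Standard_DC2as_v5'   # assumed CVM-capable size
$vm = Set-AzVMSecurityProfile -VM $vm -SecurityType 'ConfidentialVM'
$vm = Set-AzVMUefi -VM $vm -EnableVtpm $true -EnableSecureBoot $true
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName 'vm-cvm-demo' -Credential $cred
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'Canonical' `
    -Offer '0001-com-ubuntu-confidential-vm-jammy' -Skus '22_04-lts-cvm' -Version 'latest'   # assumed CVM image
$vm = Set-AzVMOSDisk -VM $vm -Name 'osdisk-cvm-demo' -CreateOption FromImage `
    -StorageAccountType 'Premium_LRS' `
    -SecurityEncryptionType 'DiskWithVMGuestState' -SecureVMDiskEncryptionSet $des.Id
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nicId

# 4. The parameters added by this PR: attach the confidential data disk with
#    the same encryption type and DES the disk resource was created with.
$vm = Add-AzVMDataDisk -VM $vm -Name 'disk-cvm-data' -Lun 0 -CreateOption Attach `
    -ManagedDiskId $dataDisk.Id -StorageAccountType 'Premium_LRS' `
    -SecurityEncryptionType 'DiskWithVMGuestState' `
    -SecureVMDiskEncryptionSet $des.Id

# 5. Check before submitting: the data disk entry in the VM model must carry
#    the security profile, not only the OS disk. If it is empty, the disk
#    would be attached without confidential encryption.
$profile = $vm.StorageProfile.DataDisks[0].ManagedDisk.SecurityProfile
if (-not $profile -or
    $profile.SecurityEncryptionType -ne 'DiskWithVMGuestState' -or
    $profile.DiskEncryptionSet.Id -ne $des.Id) {
    throw 'Data disk security profile is missing or does not match the confidential DES.'
}

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm
```

The read-back in step 5 is the part worth keeping in any automation around this cmdlet: the PR's own example only sets the parameters, and the cheapest way to confirm they took effect is to inspect the ManagedDisk.SecurityProfile of the data disk entry before New-AzVM is called, then compare against Get-AzDisk on the disk resource after creation.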

@azure-client-tools-bot-prd

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

…o Add-AzVMDataDisk for confidential VM data disk encryption

Co-authored-by: haagha <64601174+haagha@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Powershell support for confidential data disk encryption Add SecurityEncryptionType and SecureVMDiskEncryptionSet to Add-AzVMDataDisk for Confidential VM data disk encryption Mar 10, 2026