Azure-docs: Storage Service Encryption for Temporary Disks?

Created on 1 Sep 2019 · 10 Comments · Source: MicrosoftDocs/azure-docs

Please clarify if Storage Service Encryption (SSE) applies to an IaaS VM's Temporary Disk (as detailed at https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#temporary-disk). If not, what else is done to protect the contents of the temporary disk, where the page or swap files are set by default - and where it would be useful to run a SQL Server TempDB, etc.


Pri1 assigned-to-author commosubsvc doc-enhancement storagsvc triaged

All 10 comments

@ziesemer Thank you for your question! We will review and provide an update as appropriate.

reassign: @roygara

@roygara - Can you investigate?

Thanks. Please make special consideration for how this relates to various security & compliance requirements that require encryption here, for either data-at-rest and data-in-use (as this falls somewhere between the two). As-is, without being documented one way or another, this is becoming a particular sticking point...

@ziesemer Sure, in this case there is no SSE on the temp disk, we'll update the doc to reflect that. Although I believe you could enable encryption on it from the VM itself, if you really wanted encryption on it.

Could you also clarify if SSE applies to the NVMe storage on Lsv2-series virtual machines? This scenario is a grey area and appears to be undocumented.

Although I believe you could enable encryption on it from the VM itself, if you really wanted encryption on it.

I thought I had already replied to this - but could you please elaborate on how this would be done? As it is a non-persistent disk, adding BitLocker or such would not be guaranteed to remain. The best I can think of would be to handle this during a startup script - and am thinking of a number of considerations that would make this more difficult than it may first appear...

We're also interested in the question ziesemer asked above. Can we get some traction here? We've been attempting to answer this question for months now and have tried multiple avenues (multiple Azure support cases, Azure twitter, reddit, slack, etc.) and still can't reach a clear cut answer. I would hope that Azure engineers could answer this simple question.

reassign: msmbaldwin

Hello Alex, from an SSE perspective the answer is NO: SSE does not support encryption on the Temp drive due to the nature of the ephemeral disk; this one is not part of the storage account, it is a local drive attached to the VM.
From the Azure Disk Encryption perspective, the ephemeral disk (sdb1 in Linux OS, Temp Drive D: in Windows OS) will be encrypted. If the ephemeral drive is reset, it will be reformatted and re-encrypted for the VM by the Azure Disk Encryption solution at the next opportunity.
For Windows VMs this is by default and it is not necessary to do anything else; you just need to encrypt the VM using the parameter -volumetype "all".
For Windows, if you want to have the Temp drive sdb1 encrypted, you need to encrypt the VM adding the parameter EncryptFormatAll.
Here is the proper documentation about this feature:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-linux#use-encryptformatall-feature-for-data-disks-on-linux-vms
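The procedure above (Azure Disk Encryption with -VolumeType "All" plus EncryptFormatAll, then verifying the result) as an added example; this is not code from the thread or from the Azure docs. The resource group, VM and Key Vault names are placeholders, and it assumes the Az PowerShell module is installed and you are signed in.

```powershell
# Placeholder names (assumed); replace with your own resources.
$rg     = "rg-example"
$vmName = "vm-example"
$kvName = "kv-example"

$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# -VolumeType "All" covers the OS volume and data volumes, which is what
# brings the ephemeral disk (D: on Windows, sdb1 on Linux) under ADE; after a
# temp-disk reset ADE reformats and re-encrypts it on the next opportunity.
# -EncryptFormatAll formats every currently unencrypted data disk before
# encrypting it, so only use it when those disks hold nothing you need.
Set-AzVMDiskEncryptionExtension `
    -ResourceGroupName $rg `
    -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType "All" `
    -EncryptFormatAll `
    -Force

# Control-plane check: the extension should report both volume classes encrypted.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
if ($status.OsVolumeEncrypted -ne "Encrypted" -or $status.DataVolumesEncrypted -ne "Encrypted") {
    throw "ADE not fully applied: OS=$($status.OsVolumeEncrypted) Data=$($status.DataVolumesEncrypted)"
}
Write-Output "OS and data volumes (including the temp disk) report Encrypted."
```

On a Windows VM you can confirm from inside the guest with `Get-BitLockerVolume -MountPoint "D:"`, which should show the temp drive's ProtectionStatus as On once the extension has finished.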

SSE does not apply to temporary disks. To clarify this, we have updated both the Encryption and the Temporary disk sections of the Managed Disk overview. Thank you! #please-close
