This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 56.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
I know when you create a CMK for vm encryption you create a KV that a DES policy will pull from. Thus, if I spin up / deploy 1,000 vm's that a particular DES, all 1,000 will have they same encryption key. I know you can create multiple KV/DES policies with different CMKs, etc.. But my questions is how are PMK handled in this scenario? For example, if I spin up / deploy 1,000 vm's just using the default SSE/PMK do all 1,000 get the same PMK or is there some algorithm that generates a unique key for each vm, for each set of 10 vm's, etc???
Thanks in advance
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 36%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Az Student Thank you for reaching out to Microsoft Q&A. I understand that you are having questions regarding PMK and if it can be used for multiple VMs.
It is possible that disks in the same subscription can share the same PMK. However, we don't share PMKs between different subscriptions unless you move the disks to another subscription yourself. Hope this answers your question.
Thank you!
Remember:
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.
So, if I understand your statement...
MS doesn't share PMK's between subscriptions BUT a Key within a subscription KEYS "CAN" be shared. The last part of that statement is what I am trying to get clarity on.
for this discussion lets assume we only have a single subscription and have 1,000 vm. If I create 5 RG under that subscription and deploy 200 vm's to each RG, how many PMK's would be used for those 1,000 vm's? Will it be a single PMK for all vm's or will each vm have a unique KEY or is there some algorithm that says for every 10 or 100 vm's use Key A, the next 100 vm's use KEY B, etc...
OR
Say if a MS PMK, say KEY A was compromised, how many vm's would be effected by that compromise?
Thanks
We generate multiple keys for each subscription. Typically, we share a key with max 20 disks in a subscription.
Please let me know if you have more questions. I will happy to answer. Thank you!
Remember:
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 35%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Had one additional follow up question, how often do the PMK get rotated? I see some that reference within a year but nothing concrete.