Azure Kubernetes Service (AKS) clusters encrypt all storage at rest by default using Microsoft-managed keys. It is considered best practice to supply customer-managed keys for encrypting data at rest, so that control over the key stays with the customer. For more information on using customer-managed keys in AKS, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys
The encryption settings of an AKS cluster cannot be changed once it has been created, so a disk encryption set must be configured before the cluster is built and referenced at creation time. To create new resources with the appropriate settings, follow the steps below.
In Azure Console -
For a disk encryption set:
To use the disk encryption set in AKS:
In Terraform -
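As an added example (not part of this page or the Azure documentation), the Terraform below wires an existing Key Vault key into a disk encryption set and passes that set to a new cluster through disk_encryption_set_id. The resource names, the existing resource group, vault and key, and the node pool size are assumptions; the vault is assumed to use access policies rather than Azure RBAC and to already have purge protection enabled.

```hcl
# Existing resource group and Key Vault (assumed names). Azure requires the
# vault to have purge protection enabled before a disk encryption set can use it.
data "azurerm_resource_group" "rg" {
  name = "rg-aks-cmk"
}

data "azurerm_key_vault" "kv" {
  name                = "kv-aks-cmk-example"
  resource_group_name = data.azurerm_resource_group.rg.name
}

# The customer-managed key, assumed already created in that vault.
data "azurerm_key_vault_key" "cmk" {
  name         = "aks-disk-cmk"
  key_vault_id = data.azurerm_key_vault.kv.id
}

# Disk encryption set wrapping the CMK; its managed identity is what Azure uses to reach the key.
resource "azurerm_disk_encryption_set" "des" {
  name                = "des-aks-cmk"
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  key_vault_key_id    = data.azurerm_key_vault_key.cmk.id
  identity { type = "SystemAssigned" }
}

# Least privilege: the set's identity only needs to read and wrap/unwrap the key.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id    = data.azurerm_key_vault.kv.id
  tenant_id       = azurerm_disk_encryption_set.des.identity[0].tenant_id
  object_id       = azurerm_disk_encryption_set.des.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# disk_encryption_set_id must be set at creation; changing it later forces a new cluster.
resource "azurerm_kubernetes_cluster" "aks" {
  name                   = "aks-cmk"
  location               = data.azurerm_resource_group.rg.location
  resource_group_name    = data.azurerm_resource_group.rg.name
  dns_prefix             = "akscmk"
  disk_encryption_set_id = azurerm_disk_encryption_set.des.id
  identity { type = "SystemAssigned" }
  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2"
  }
  depends_on = [azurerm_key_vault_access_policy.des]
}
```

The depends_on ensures the key access grant exists before the cluster tries to provision encrypted disks; without it cluster creation can fail with a key access error.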
References:
https://learn.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id