Search the Petri IT Knowledgebase

The Unofficial M365 Changelog

Sponsors

Podcasts

Learning Center
search icon

close

Icon for Latest Whitepaper

Latest Whitepaper

Choosing an MFA Solution for Your Active Directory Environment? Ask These 15 Questions.
Icon for On-Demand Webinar

On-Demand Webinar

Combating Cyberattacks in 2022: Prepare to Defend Your Active Directory
Icon for Upcoming Conference

Upcoming Conference

GET-IT Microsoft Cloud Security and Compliance 1-Day Virtual Conference
Icon for Ebook

Ebook

The Forrester New Wave™: SaaS Application Data Protection, Q4 2021

Home

Cloud Computing

How to Encrypt an Azure Virtual Machine

Author avatar - Russell Smith

Russell Smith

 |

Feb 17, 2017

In today’s Ask the Admin, I’ll show you how to encrypt the OS disk of an Azure virtual machine (VM).

advertisment

Microsoft recommends that you encrypt Azure VMs using its BitLocker technology that’s built into Windows. If you don’t, the Azure Security Center will alert you, and mark the issue as High Severity. For more information on Azure security, see Getting Started with the Azure Security Center on the Petri IT Knowledgebase.

 

 

Configure Encryption Prerequisites

Before you can encrypt VMs, there are a few prerequisites that need to be met, and Microsoft provides a script that creates the necessary Azure resources to enable VM encryption. A Key Vault is created if you don’t specify an existing Key Vault name. The Key Vault must be in the same region as the VMs to be encrypted. Additionally, an Azure Active Directory (AAD) application is required to write secrets to the Key Vault. Again, if you don’t specify the name of an existing AAD app, one will be created.

advertisment

For more information on Azure Key Vault, see Using Azure Key Vault to Encrypt Data in the Cloud on Petri.

Before following the instructions below, make sure you have the latest version of Microsoft Azure PowerShell installed on your PC. You can download the latest release using the Web Platform Installer. You’ll also need a VM already provisioned in Azure.

  • Open Windows PowerShell ISE.
  • Open the prerequisites script here on GitHub.
  • In the browser window, click Raw to the top right of the code.
  • Copy the entire script from the browser window into the PowerShell ISE.
  • In PowerShell ISE, click CTRL+S to save to script.
  • In PowerShell ISE, press F5 to run the script.
  • Enter a name for a new or existing resource group (resourceGroupName), Key Vault (keyVaultName), location, and AAD app (aadAppName) when prompted.
  • Log in to Azure with an account that has administrative access to the tenant when prompted.
Run the encryption prerequisites script (Image Credit: Russell Smith)

Run the encryption prerequisites script (Image Credit: Russell Smith)

The script will now create the necessary resources if they don’t already exist. The output of the script provides some important values, which you should make a note of: aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, keyVaultResourceId. You’ll need the values for these parameters later to run the Set-AzureRmVmDiskEncryptionExtension cmdlet.

  • Press ENTER when you’ve made a note of the values displayed in the output pane.

Encrypt the Azure Virtual Machine

Now let’s encrypt the VM.

advertisment

  • In PowerShell ISE, press CTRL+N to open a new script tab.
  • Copy the code below into the new tab.
  • Change the values for the variables to suit your environment. $vmName is the name of the VM that you want to encrypt. $resourceGroupName is the name of the resource group in which the VM you want to encrypt resides. Note that the VM(s) you want to encrypt don’t need to be in the same resource group as the Key Vault and AAD app that you created in the instructions above.
  • The values for $aadClientID, $aadClientSecret, $diskEncryptionKeyVaultUrl, and $keyVaultResourceId were provided by the prerequisites script that we ran in the steps above.
$vmName = 'Petri' 
$resourceGroupName = 'Petri' 
$aadClientID = 'xxxxxxx' 
$aadClientSecret = 'xxxxxxxx' 
$diskEncryptionKeyVaultUrl = 'https://petriencrypt.vault.azure.net' 
$keyVaultResourceId = '/subscriptions/xxxxxxxx/resourceGroups/PetriEncrypt/providers/Microsoft.KeyVault/vaults/PetriEncrypt' 

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId
  • You’ll be prompted to confirm that you want to enable Azure Disk Encryption on the VM. Click Yes in the dialog box to confirm the operation, which can take up to 15 minutes to complete.
Encrypt an Azure VM using PowerShell (Image Credit: Russell Smith)

Encrypt an Azure VM using PowerShell (Image Credit: Russell Smith)

Once the operation is completed, we can check to see if the VM has been encrypted successfully.

  • Log in to the Azure portal here using an administrator account.
  • In the Azure management portal window, click Virtual machines in the list of options on the left. Then click the name of the encrypted VM in the Virtual machines pane.
  • Click Disks in the SETTINGS section.
  • Check if Encryption is Enabled in the Disks pane.
Check that the VM's OS disk has been encrypted (Image Credit: Russell Smith)

Check that the VM’s OS disk has been encrypted (Image Credit: Russell Smith)

In this article, I showed you how to encrypt the OS disk of an Azure virtual machine.

More from Russell Smith

TWiIT ep20

Windows 11 Approved for Broad Deployment and 'One Outlook' Drops for Insiders
This Week in IT Ep 19

Microsoft Takes on Rival Calendly with Outlook Bookings - Plus the Latest IT News Updates
Vertical tabs in Edge and Chrome

Find Open Tabs Faster in Chrome and Edge! - Plus IT News Update and Petri Spotlight

advertisment

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

advertisment

More in Cloud Computing

Cloud Computing

Build 2022: Microsoft Introduces New Dev Box Cloud PC Service for Developers

May 24, 2022 | Rabia Noureen

AWS (Amazon Web Services)

Amazon EC2 Now Supports NitroTPM and UEFI Secure Boot

May 24, 2022 | Michael Otey

AWS (Amazon Web Services)

AWS Snow Family Now Supports Remote Monitoring and Operations

May 9, 2022 | Michael Otey

Cloud Computing and Security

Use Azure ExpressRoute Private Peering & Azure Virtual WAN to Connect Privately to Microsoft 365

Apr 21, 2022 | Flo Fox

Cloud Computing

Microsoft to Make Changes to Cloud Licensing Restrictions after Customer Complaints

Apr 18, 2022 | Rabia Noureen

Cloud Computing

Reviewing Your Backup Checklist

Apr 8, 2022 | Michael Otey

Most popular on petri

Log in to save content to your profile.

Login

Sign Up

Username/Email

Password

Forgot Password?

Login

Article saved!

Access saved content from your profile page. View Saved

Reach out

Contact Us

Advertising

About Us

Media Kit

Learn More

Podcasts

Learning Center

Webinars

Sitemap

Windows

Cloud

Office 365

Servers

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy