How to Encrypt an Azure Virtual Machine

Microsoft Azure cloud hero

In today’s Ask the Admin, I’ll show you how to encrypt the OS disk of an Azure virtual machine (VM).

Microsoft recommends that you encrypt Azure VMs using its BitLocker technology that’s built into Windows. If you don’t, the Azure Security Center will alert you, and mark the issue as High Severity. For more information on Azure security, see Getting Started with the Azure Security Center on the Petri IT Knowledgebase.



Configure Encryption Prerequisites

Before you can encrypt VMs, there are a few prerequisites that need to be met, and Microsoft provides a script that creates the necessary Azure resources to enable VM encryption. A Key Vault is created if you don’t specify an existing Key Vault name. The Key Vault must be in the same region as the VMs to be encrypted. Additionally, an Azure Active Directory (AAD) application is required to write secrets to the Key Vault. Again, if you don’t specify the name of an existing AAD app, one will be created.

For more information on Azure Key Vault, see Using Azure Key Vault to Encrypt Data in the Cloud on Petri.

Before following the instructions below, make sure you have the latest version of Microsoft Azure PowerShell installed on your PC. You can download the latest release using the Web Platform Installer. You’ll also need a VM already provisioned in Azure.

  • Open Windows PowerShell ISE.
  • Open the prerequisites script here on GitHub.
  • In the browser window, click Raw to the top right of the code.
  • Copy the entire script from the browser window into the PowerShell ISE.
  • In PowerShell ISE, click CTRL+S to save to script.
  • In PowerShell ISE, press F5 to run the script.
  • Enter a name for a new or existing resource group (resourceGroupName), Key Vault (keyVaultName), location, and AAD app (aadAppName) when prompted.
  • Log in to Azure with an account that has administrative access to the tenant when prompted.
Run the encryption prerequisites script (Image Credit: Russell Smith)
Run the encryption prerequisites script (Image Credit: Russell Smith)

The script will now create the necessary resources if they don’t already exist. The output of the script provides some important values, which you should make a note of: aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, keyVaultResourceId. You’ll need the values for these parameters later to run the Set-AzureRmVmDiskEncryptionExtension cmdlet.

  • Press ENTER when you’ve made a note of the values displayed in the output pane.

Encrypt the Azure Virtual Machine

Now let’s encrypt the VM.

  • In PowerShell ISE, press CTRL+N to open a new script tab.
  • Copy the code below into the new tab.
  • Change the values for the variables to suit your environment. $vmName is the name of the VM that you want to encrypt. $resourceGroupName is the name of the resource group in which the VM you want to encrypt resides. Note that the VM(s) you want to encrypt don’t need to be in the same resource group as the Key Vault and AAD app that you created in the instructions above.
  • The values for $aadClientID, $aadClientSecret, $diskEncryptionKeyVaultUrl, and $keyVaultResourceId were provided by the prerequisites script that we ran in the steps above.
$vmName = 'Petri' 
$resourceGroupName = 'Petri' 
$aadClientID = 'xxxxxxx' 
$aadClientSecret = 'xxxxxxxx' 
$diskEncryptionKeyVaultUrl = '' 
$keyVaultResourceId = '/subscriptions/xxxxxxxx/resourceGroups/PetriEncrypt/providers/Microsoft.KeyVault/vaults/PetriEncrypt' 

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId
  • You’ll be prompted to confirm that you want to enable Azure Disk Encryption on the VM. Click Yes in the dialog box to confirm the operation, which can take up to 15 minutes to complete.
Encrypt an Azure VM using PowerShell (Image Credit: Russell Smith)
Encrypt an Azure VM using PowerShell (Image Credit: Russell Smith)

Once the operation is completed, we can check to see if the VM has been encrypted successfully.

  • Log in to the Azure portal here using an administrator account.
  • In the Azure management portal window, click Virtual machines in the list of options on the left. Then click the name of the encrypted VM in the Virtual machines pane.
  • Click Disks in the SETTINGS section.
  • Check if Encryption is Enabled in the Disks pane.
Check that the VM's OS disk has been encrypted (Image Credit: Russell Smith)
Check that the VM’s OS disk has been encrypted (Image Credit: Russell Smith)

In this article, I showed you how to encrypt the OS disk of an Azure virtual machine.