Last Update: Sep 04, 2024 | Published: Feb 17, 2017
In today’s Ask the Admin, I’ll show you how to encrypt the OS disk of an Azure virtual machine (VM).
Microsoft recommends that you encrypt Azure VMs using its BitLocker technology that’s built into Windows. If you don’t, the Azure Security Center will alert you, and mark the issue as High Severity. For more information on Azure security, see Getting Started with the Azure Security Center on the Petri IT Knowledgebase.
Before you can encrypt VMs, there are a few prerequisites that need to be met, and Microsoft provides a script that creates the necessary Azure resources to enable VM encryption. A Key Vault is created if you don’t specify an existing Key Vault name. The Key Vault must be in the same region as the VMs to be encrypted. Additionally, an Azure Active Directory (AAD) application is required to write secrets to the Key Vault. Again, if you don’t specify the name of an existing AAD app, one will be created.
For more information on Azure Key Vault, see Using Azure Key Vault to Encrypt Data in the Cloud on Petri.
Before following the instructions below, make sure you have the latest version of Microsoft Azure PowerShell installed on your PC. You can download the latest release using the Web Platform Installer. You’ll also need a VM already provisioned in Azure.
The script will now create the necessary resources if they don’t already exist. The output of the script provides some important values, which you should make a note of: aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, keyVaultResourceId. You’ll need the values for these parameters later to run the Set-AzureRmVMDiskEncryptionExtension cmdlet.
Now let’s encrypt the VM.
# VM to encrypt and the resource group it lives in
$vmName = 'Petri'
$resourceGroupName = 'Petri'

# Values noted from the output of the prerequisites script
$aadClientID = 'xxxxxxx'
$aadClientSecret = 'xxxxxxxx'
$diskEncryptionKeyVaultUrl = 'https://petriencrypt.vault.azure.net'
$keyVaultResourceId = '/subscriptions/xxxxxxxx/resourceGroups/PetriEncrypt/providers/Microsoft.KeyVault/vaults/PetriEncrypt'

# Enable BitLocker encryption on the VM; the key is written to the Key Vault as a secret
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId
Once the operation is completed, we can check to see if the VM has been encrypted successfully.
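One way to run that check, added here as an example and not taken from the original article: it reads the OS volume status with Get-AzureRmVMDiskEncryptionStatus and also confirms the Key Vault prerequisites described earlier (same region as the VM, enabled for disk encryption). The function name Test-VmDiskEncryption is hypothetical, and the code assumes the AzureRM module used above and an already signed-in session.

```powershell
# Added example, not from the article. Assumes the AzureRM module and a
# signed-in session. Test-VmDiskEncryption is a hypothetical helper name.
function Test-VmDiskEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $KeyVaultResourceId
    )

    # Pull the vault's resource group and name out of its resource ID
    $pattern = '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.KeyVault/vaults/(?<name>[^/]+)$'
    if ($KeyVaultResourceId -notmatch $pattern) {
        throw "Not a Key Vault resource ID: $KeyVaultResourceId"
    }
    $vaultRg   = $Matches['rg']
    $vaultName = $Matches['name']

    $vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $vaultRg
    if (-not $vault) { throw "Key Vault '$vaultName' not found in '$vaultRg'" }

    $vm     = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName

    # Regions may be reported as 'West Europe' or 'westeurope'; compare normalised
    $normalise = { param($loc) ($loc -replace '\s', '').ToLowerInvariant() }
    $sameRegion = (& $normalise $vm.Location) -eq (& $normalise $vault.Location)

    # Vault that actually holds the disk encryption key ($null if not encrypted)
    $usedVaultId = $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.Id

    [pscustomobject]@{
        VMName                        = $VMName
        OsVolumeEncrypted             = [string]$status.OsVolumeEncrypted
        DataVolumesEncrypted          = [string]$status.DataVolumesEncrypted
        VaultSameRegionAsVm           = $sameRegion
        VaultEnabledForDiskEncryption = [bool]$vault.EnabledForDiskEncryption
        KeyStoredInExpectedVault      = ($usedVaultId -eq $KeyVaultResourceId)
        ProgressMessage               = $status.ProgressMessage
    }
}

# Usage with the variables defined in the article's script
Test-VmDiskEncryption -ResourceGroupName $resourceGroupName -VMName $vmName `
    -KeyVaultResourceId $keyVaultResourceId
```

An OsVolumeEncrypted value of Encrypted together with KeyStoredInExpectedVault set to True indicates the OS disk is protected by a key held in the vault you intended.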
In this article, I showed you how to encrypt the OS disk of an Azure virtual machine.