Search the Petri IT Knowledgebase
search icon

close

Windows

Cloud

Microsoft 365

PowerShell

Active Directory

Security

Windows Server

Video

Microsoft Teams Day is back!

Register today!
Icon for Live Conference on December 8!

Live Conference on December 8!

GET-IT Microsoft Teams Conference

Icon for Live Webinar on Nov. 29th!

Live Webinar on Nov. 29th!

MVP Panel Talk: Do You Need to Backup Microsoft 36...

Icon for Live Webinar Coming Dec. 14th!

Live Webinar Coming Dec. 14th!

Recession Proof Your IT: How to Reduce IT Costs Wi...

Icon for New E-Book

New E-Book

Tracking Tasks in Microsoft 365

Home

Cloud Computing

How to Encrypt an Azure Virtual Machine

Russell Smith

 |

Feb 17, 2017

In today’s Ask the Admin, I’ll show you how to encrypt the OS disk of an Azure virtual machine (VM).

Microsoft recommends that you encrypt Azure VMs using its BitLocker technology that’s built into Windows. If you don’t, the Azure Security Center will alert you, and mark the issue as High Severity. For more information on Azure security, see Getting Started with the Azure Security Center on the Petri IT Knowledgebase.

 

 

Configure Encryption Prerequisites

Before you can encrypt VMs, there are a few prerequisites that need to be met, and Microsoft provides a script that creates the necessary Azure resources to enable VM encryption. A Key Vault is created if you don’t specify an existing Key Vault name. The Key Vault must be in the same region as the VMs to be encrypted. Additionally, an Azure Active Directory (AAD) application is required to write secrets to the Key Vault. Again, if you don’t specify the name of an existing AAD app, one will be created.

For more information on Azure Key Vault, see Using Azure Key Vault to Encrypt Data in the Cloud on Petri.

Before following the instructions below, make sure you have the latest version of Microsoft Azure PowerShell installed on your PC. You can download the latest release using the Web Platform Installer. You’ll also need a VM already provisioned in Azure.

  • Open Windows PowerShell ISE.
  • Open the prerequisites script here on GitHub.
  • In the browser window, click Raw to the top right of the code.
  • Copy the entire script from the browser window into the PowerShell ISE.
  • In PowerShell ISE, click CTRL+S to save to script.
  • In PowerShell ISE, press F5 to run the script.
  • Enter a name for a new or existing resource group (resourceGroupName), Key Vault (keyVaultName), location, and AAD app (aadAppName) when prompted.
  • Log in to Azure with an account that has administrative access to the tenant when prompted.
Run the encryption prerequisites script (Image Credit: Russell Smith)

Run the encryption prerequisites script (Image Credit: Russell Smith)

The script will now create the necessary resources if they don’t already exist. The output of the script provides some important values, which you should make a note of: aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, keyVaultResourceId. You’ll need the values for these parameters later to run the Set-AzureRmVmDiskEncryptionExtension cmdlet.

  • Press ENTER when you’ve made a note of the values displayed in the output pane.

Encrypt the Azure Virtual Machine

Now let’s encrypt the VM.

  • In PowerShell ISE, press CTRL+N to open a new script tab.
  • Copy the code below into the new tab.
  • Change the values for the variables to suit your environment. $vmName is the name of the VM that you want to encrypt. $resourceGroupName is the name of the resource group in which the VM you want to encrypt resides. Note that the VM(s) you want to encrypt don’t need to be in the same resource group as the Key Vault and AAD app that you created in the instructions above.
  • The values for $aadClientID, $aadClientSecret, $diskEncryptionKeyVaultUrl, and $keyVaultResourceId were provided by the prerequisites script that we ran in the steps above.
$vmName = 'Petri' 
$resourceGroupName = 'Petri' 
$aadClientID = 'xxxxxxx' 
$aadClientSecret = 'xxxxxxxx' 
$diskEncryptionKeyVaultUrl = 'https://petriencrypt.vault.azure.net' 
$keyVaultResourceId = '/subscriptions/xxxxxxxx/resourceGroups/PetriEncrypt/providers/Microsoft.KeyVault/vaults/PetriEncrypt' 

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId
  • You’ll be prompted to confirm that you want to enable Azure Disk Encryption on the VM. Click Yes in the dialog box to confirm the operation, which can take up to 15 minutes to complete.
Encrypt an Azure VM using PowerShell (Image Credit: Russell Smith)

Encrypt an Azure VM using PowerShell (Image Credit: Russell Smith)

Once the operation is completed, we can check to see if the VM has been encrypted successfully.

  • Log in to the Azure portal here using an administrator account.
  • In the Azure management portal window, click Virtual machines in the list of options on the left. Then click the name of the encrypted VM in the Virtual machines pane.
  • Click Disks in the SETTINGS section.
  • Check if Encryption is Enabled in the Disks pane.
Check that the VM's OS disk has been encrypted (Image Credit: Russell Smith)

Check that the VM’s OS disk has been encrypted (Image Credit: Russell Smith)

In this article, I showed you how to encrypt the OS disk of an Azure virtual machine.

More from Russell Smith

Microsoft Teams

Free Microsoft Teams GET-IT Virtual Conference Dec 8
Apple iOS 16

This Week in IT - The UGLY Truth About the iPhone SE
Project Volterra

Windows on Arm - Does Project Volterra Solve the Performance Problem?

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

More in Cloud Computing

AWS (Amazon Web Services)

Here Are The Main Highlights From Amazon's AWS re:Invent 2022 Conference

Nov 30, 2022 | Michael Otey

Cloud Computing

What is ClickUp?

Nov 28, 2022 | Sukesh Mudrakola

Windows 11

How to Install Google Drive for Desktop (Install & Set Up)

Nov 23, 2022 | Rabia Noureen

AWS (Amazon Web Services)

Amazon Announces $4.4B Investment in India with New AWS Region

Nov 22, 2022 | Rabia Noureen

AWS (Amazon Web Services)

Amazon Launches AWS Resource Explorer With Unified Search Capabilities

Nov 18, 2022 | Michael Otey

Datacenter networking servers

Microsoft Partners with Nvidia to Build Azure-Powered AI Supercomputer

Nov 16, 2022 | Rabia Noureen

Most popular on petri

Article saved!

Access saved content from your profile page. View Saved

Reach out

Learn More

Sitemap

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy