
In today’s Ask the Admin, I’ll show you how to encrypt the OS disk of an Azure virtual machine (VM).
Microsoft recommends that you encrypt Azure VMs using its BitLocker technology that’s built into Windows. If you don’t, the Azure Security Center will alert you, and mark the issue as High Severity. For more information on Azure security, see Getting Started with the Azure Security Center on the Petri IT Knowledgebase.
Before you can encrypt VMs, there are a few prerequisites that need to be met, and Microsoft provides a script that creates the necessary Azure resources to enable VM encryption. A Key Vault is created if you don’t specify an existing Key Vault name. The Key Vault must be in the same region as the VMs to be encrypted. Additionally, an Azure Active Directory (AAD) application is required to write secrets to the Key Vault. Again, if you don’t specify the name of an existing AAD app, one will be created.
For more information on Azure Key Vault, see Using Azure Key Vault to Encrypt Data in the Cloud on Petri.
Before following the instructions below, make sure you have the latest version of Microsoft Azure PowerShell installed on your PC. You can download the latest release using the Web Platform Installer. You’ll also need a VM already provisioned in Azure.
Run the encryption prerequisites script (Image Credit: Russell Smith)
The script will now create the necessary resources if they don’t already exist. The output of the script provides some important values, which you should make a note of: aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, keyVaultResourceId. You’ll need the values for these parameters later to run the Set-AzureRmVmDiskEncryptionExtension cmdlet.
Now let’s encrypt the VM.
$vmName = 'Petri'
$resourceGroupName = 'Petri'
$aadClientID = 'xxxxxxx'
$aadClientSecret = 'xxxxxxxx'
$diskEncryptionKeyVaultUrl = 'https://petriencrypt.vault.azure.net'
$keyVaultResourceId = '/subscriptions/xxxxxxxx/resourceGroups/PetriEncrypt/providers/Microsoft.KeyVault/vaults/PetriEncrypt'

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId
Encrypt an Azure VM using PowerShell (Image Credit: Russell Smith)
Once the operation is completed, we can check to see if the VM has been encrypted successfully.
Check that the VM’s OS disk has been encrypted (Image Credit: Russell Smith)
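The following is an added example, not code from the original article. It confirms the Key Vault prerequisites and then queries the VM's encryption state. It assumes you are already signed in with Login-AzureRmAccount and reuses the article's sample names ('Petri' for the VM and its resource group, 'PetriEncrypt' for the Key Vault and its resource group). The EnabledForDiskEncryption check is a prerequisite the article does not spell out.

```powershell
# Added example. Assumes an authenticated AzureRM session and the sample
# names used in the article; replace them with your own values.
$vmName                = 'Petri'
$resourceGroupName     = 'Petri'
$keyVaultName          = 'PetriEncrypt'
$keyVaultResourceGroup = 'PetriEncrypt'

$vm    = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName -ErrorAction Stop
$vault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $keyVaultResourceGroup -ErrorAction Stop

# Prerequisite 1: the Key Vault must be in the same region as the VM.
# Normalise both values because Azure may return 'West Europe' or 'westeurope'.
$vmRegion    = ($vm.Location -replace '\s', '').ToLowerInvariant()
$vaultRegion = ($vault.Location -replace '\s', '').ToLowerInvariant()
if ($vmRegion -ne $vaultRegion) {
    throw "Key Vault is in '$($vault.Location)' but the VM is in '$($vm.Location)'."
}

# Prerequisite 2: the vault must allow Azure Disk Encryption to use its secrets.
if (-not $vault.EnabledForDiskEncryption) {
    throw "Key Vault '$keyVaultName' is not enabled for disk encryption."
}

# Post-check: ask Azure for the encryption state of the VM's volumes.
$status = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName

# Summarise the result, including the Key Vault secret that holds the BitLocker key.
[pscustomobject]@{
    VM                   = $vmName
    OsVolumeEncrypted    = $status.OsVolumeEncrypted
    DataVolumesEncrypted = $status.DataVolumesEncrypted
    SecretUrl            = $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl
}

# Anything other than 'Encrypted' means the OS disk is not protected yet.
if ("$($status.OsVolumeEncrypted)" -ne 'Encrypted') {
    Write-Warning "OS volume state is '$($status.OsVolumeEncrypted)': $($status.ProgressMessage)"
}
```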
In this article, I showed you how to encrypt the OS disk of an Azure virtual machine.
Copyright ©2019 BWW Media Group