Microsoft provides the ability to encrypt the VHD files of Azure VMs. This is achieved with the Azure Key Vault service, so before we start, here is a short explanation of what Azure Key Vault is and what it does.
Azure Key Vault is a cloud-hosted vault that stores cryptographic keys and secrets.

Important Terms & Definitions

KEK – Key Encryption Key: a cryptographic key that is used to encrypt other keys for transmission or storage, but not application data.
Software keys: software-protected keys are processed in compute VMs and are mostly used by dev/test users.
HSM keys – Hardware Security Modules: HSM-protected keys are used for production environments and are available in the Premium pricing tier.
Service Principal: a service account with specific privileges that allow it to run several tasks on Azure.
Application ID: the Application ID is, in every case, the Client ID of the application in Azure Active Directory.



Below is the Azure Disk Encryption prerequisite, the AzureRM PowerShell module:

Install-Module -Name AzureRM -Repository PSGallery -Force




Encrypt virtual machine disk from the Azure Portal

Create AAD Enterprise Application

From the Azure Portal, go to Azure Active Directory > App registrations > New application registration.


Next, on the Create blade, type the Name of the application, select the Application type, set any Sign-on URL (it is only a formality; it will not be used) and click Create.

The AAD Application is now deployed, and the next step is to create a Key from the Settings > Keys blade.


Type a DESCRIPTION, set the EXPIRES field value and click Save.

Important Notice: Copy the key value now, because it will not be shown again after the blade closes.


Create Key Vault

After the AAD Application is deployed, the next big thing is to create the Azure key vault.

First, search for the Key vault service and then click the Create key vault button.
Type the key vault Name, select the Subscription, create a Resource Group, and select a Location and a Pricing tier (Standard for this scenario).

Create Key Vault Key

Next, create the Key Vault Key: from the main Key vault blade, select Settings > Keys > +Generate/Import, type the Name and click Create.

Create a new principal in the Access Policies blade.

This is an important step, because here we grant the newly registered diskencryption application permission on the key vault. First expand Key permissions and select the Wrap Key value, then expand Secret permissions and select the Set value. Having chosen only the necessary permissions, add the AAD application to the key vault Access policies.


Key Vault Advanced Access Policies

From the main Key Vault blade select Access policies, click the "show advanced access policies" link, check the option [Enable access to Azure Disk Encryption for volume encryption] and click Save.

PowerShell Commands For Encryption

Right now the AzureRMVMDiskEncryption extension cannot be enabled from the Azure Portal, so it is necessary to execute the following PowerShell script.

Important Notice: Prior to execution of any script, be sure that the disks are backed up!!!

The first stage covered AAD App registration and Azure Key Vault creation and configuration. Now we are ready to move on to the next step, the PowerShell commands that encrypt the disks with BitLocker.
Before executing the PowerShell script, make sure that you know all the necessary variables, which are:

# Values gathered in the previous steps (replace the placeholders)
$ResourceGroupName = 'Resource Group Name'
$vmName = 'Virtual Machine Name'
$AADApplicationID = 'Application ID'          # Client ID of the AAD application
$AADApplicationSecret = 'Application Secret'  # the key value copied when the AAD key was created
$KeyVaultName = 'Key Vault Name'
$keyVaultKeyName = 'Key Vault Key Name'       # the KEK generated in the vault

# Resolve the vault URI, its resource id and the KEK URL (the key identifier, "kid")
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName

$DiskEncryptionKeyVaultURI = $KeyVault.VaultUri
$DiskKeyVaultResourceId = $KeyVault.ResourceId
$DiskkeyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $keyVaultKeyName).Key.kid

# Enable the disk encryption extension; -VolumeType All encrypts both OS and data volumes
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $vmName `
                                     -AadClientID $AADApplicationID `
                                     -AadClientSecret $AADApplicationSecret `
                                     -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultURI `
                                     -DiskEncryptionKeyVaultId $DiskKeyVaultResourceId `
                                     -KeyEncryptionKeyUrl $DiskkeyEncryptionKeyUrl `
                                     -KeyEncryptionKeyVaultId $DiskKeyVaultResourceId `
                                     -VolumeType All
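As an added example (not part of the original post), the following PowerShell checks the Key Vault configuration built in the previous steps before the extension runs, and reads back the encryption status afterwards. It assumes the AzureRM module is loaded and that the variables from the script above ($ResourceGroupName, $vmName, $AADApplicationID, $KeyVaultName, $keyVaultKeyName) are already set; the function names are my own.

```powershell
# Added example: pre-flight checks for the vault/KEK/access-policy setup
# described in this post, plus a post-encryption status read-back.
function Test-DiskEncryptionPrerequisites {
    param($ResourceGroupName, $KeyVaultName, $KeyVaultKeyName, $AADApplicationID)

    $vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault) { throw "Key vault '$KeyVaultName' not found in '$ResourceGroupName'." }

    # The advanced access policy 'Enable access to Azure Disk Encryption for volume
    # encryption' must be on, or the extension cannot write the BitLocker secrets.
    if (-not $vault.EnabledForDiskEncryption) {
        throw "Key vault '$KeyVaultName' is not enabled for disk encryption."
    }

    # The KEK must exist and be enabled; a disabled or expired key breaks key wrapping.
    $kek = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyVaultKeyName
    if (-not $kek -or -not $kek.Attributes.Enabled) {
        throw "Key '$KeyVaultKeyName' is missing or disabled."
    }

    # The AAD application's service principal needs exactly the permissions the post
    # grants: wrapKey on keys and set on secrets (least privilege, nothing broader).
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AADApplicationID
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id.ToString() }
    if (-not $policy) { throw "No access policy for application $AADApplicationID." }
    if ($policy.PermissionsToKeys -notcontains 'wrapKey' -or
        $policy.PermissionsToSecrets -notcontains 'set') {
        throw "Access policy for $AADApplicationID lacks the wrapKey or set permission."
    }
    Write-Output "Prerequisites OK: vault $($vault.VaultUri), KEK $($kek.Key.Kid)"
}

function Get-VMDiskEncryptionSummary {
    param($ResourceGroupName, $VMName)
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    # Both volumes should report 'Encrypted' once the extension has finished; the VM
    # may reboot during BitLocker provisioning, so re-run if a value is still 'Unknown'.
    [PSCustomObject]@{
        OsVolume    = $status.OsVolumeEncrypted
        DataVolumes = $status.DataVolumesEncrypted
        KekUrl      = $status.OsVolumeEncryptionSettings.KeyEncryptionKey.KeyUrl
    }
}

# Run the checks with the variables set by the encryption script above.
Test-DiskEncryptionPrerequisites -ResourceGroupName $ResourceGroupName -KeyVaultName $KeyVaultName `
    -KeyVaultKeyName $keyVaultKeyName -AADApplicationID $AADApplicationID
Get-VMDiskEncryptionSummary -ResourceGroupName $ResourceGroupName -VMName $vmName
```

The KekUrl in the summary should match the $DiskkeyEncryptionKeyUrl passed to Set-AzureRmVMDiskEncryptionExtension; a mismatch means the VM was encrypted against a different key than intended.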


Encrypt virtual machine disk using a PowerShell Script

There are also many PowerShell scripts for Azure Disk Encryption; one of them can be downloaded from GitHub. The prerequisites for this script are:

  • PowerShell version 6.2.0 or higher
  • The AzureRM module
  • The parameters needed to execute the script:
    #Name of the resource group to which the KeyVault belongs.
    #Name of the KeyVault in which the encryption keys are to be placed.
    #Location of the KeyVault.
    #Name of the AAD application that will be used to write secrets to the KeyVault.
    #To encrypt a single VM, uncomment line 214 of the script and type the VM name:
    #$vmName = "Your VM Name";

The script automatically creates all the resources and encrypts the drive(s) of the VM.


See Also :

Azure Disk Encryption for Windows and Linux IaaS VMs
Few words about Azure Key Vault

