How to encrypt an Azure Virtual Machine

How to encrypt an Azure Virtual Machine

In this post, I will show you how you can easily encrypt an Azure Virtual, Machine.

Disks are encrypted by using cryptographic keys that are secured in an Azure Key Vault. You control these cryptographic keys and can audit their use.

Virtual disks on Windows VMs are encrypted at rest by using BitLocker. There’s no charge for encrypting virtual disks in Azure.

First thing we will have to do is to create a new Key Vault using the Azure Portal.

Click on + Create Resource

In the Marketplace search bar type: Key Vault

Click on Create to deploy key vault

Select your subscription, Resource Group and provide a name for the new Key Vault. Then click on Review + Create

Once you have reviewed your config and your validation passed, click Create.

Once the Vault creation is complete, open the newly created Key vault.

To encrypt the Azure Vm, we need to use key vault keys, to generate a new key. Navigate to Keys in Key Vault.

Ps. The key vault must be in the same region as the virtual machine.

Click on +Generate/Import to generate a new key for the Azure VM.

Provide a name for the key and encryption type as well as if the key should have an expiration date.

Once done click on + Create

To enable encryption on the Operating disk of the virtual machine, navigate to the virtual machine which you want to encrypt. Then click on Disks.

On the Disks page, you will notice that your disks is currently not encrypted.

To enable encryption, click on encryption on the top section of the page.

On the encryption page, select your disk.

Next click on “Select a key vault and key for encryption”

Select your key vault and newly created key.

Click on Save, to start the encryption process.

You will receive a warning that your virtual machine will be rebooted during the process. Please remember to save any work if this is a production vm.

Click yes to start the process.

Once the disk encryption is complete, you will notice on the Virtual Machine disk that the status has changed to encrypted.

You can also enable disk encryption using PowerShell.

To get started, connect to Azure

Connect-AzAccount 

Once you have a connection established, run the following script to enable encryption on your Azure Virtual Machine.

Ps. Note that you will have to change the following to fit your environment.

• ResourcegroupName
• VaultName
• VMName
• VaultKey

$keyVault = Get-AzKeyVault -VaultName "lazylabkeys" -ResourceGroupName "RSG-MSFT-SA-N-01";
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
$keyVaultResourceId = $keyVault.ResourceId;
$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName "lazylabkeys" -Name "lazylab-cl01700").Key.kid;

Set-AzVMDiskEncryptionExtension -ResourceGroupName "RSG-MSFT-SA-N-CLIENT-MACHINES" `
    -VMName "lazylab-cl01" `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $keyVaultResourceId

You will receive a waring message that the virtual machine needs to be rebooted for the encryption process to start, type Y to start the process.

It will also take about 10 – 15 min for the encryption process to complete.

Once completed, you will see the success code is True. Meaning that the encryption was successful.

You can also run the following to verify if disk encryption has been enabled.

Get-AzVmDiskEncryptionStatus  -ResourceGroupName "RSG-MSFT-SA-N-CLIENT-MACHINES" -VMName "lazylab-cl01" 

And that’s how you can quickly enable disk encryption for your Azure virtual machines.

Sharing is caring!