Azure Disk Encryption helps secure the privacy and sovereignty of the data on VM disks. The feature encrypts the disks of Windows and Linux IaaS virtual machines, using BitLocker on Windows IaaS VMs and DM-Crypt on Linux IaaS VMs.
The feature integrates with Azure Key Vault, which manages the disk encryption keys and secrets. Azure Disk Encryption encrypts all data on the virtual machine disks, so the data is encrypted at rest. The feature is necessary for satisfying many compliance guidelines, and it improves organisational data security.
Enable Disk Encryption on IaaS by using the ARM template.
- For new Windows VM use Encrypt New VM ARM template.
- For a new RHEL Linux VM use the Full Disk Encrypted RHEL template.
- For an existing or running Windows VM or Linux VM use the Running Windows VM and Linux VM Azure Quickstart Templates.
If you are looking for something else, try the Azure/ARM repository; Microsoft staff and community users keep it up to date.
The Resource Manager template accepts the relevant parameters, including keyVaultResourceID, keyVaultSecretUrl and keyVaultKekUrl.
Using PowerShell Cmdlets
You can enable disk encryption using the following parameters with the azure vm create or azure vm enable-disk-encryption command:
- --disk-encryption-key-vault-id <disk-encryption-key-vault-id> // The OS disk encryption key vault ID.
- --disk-encryption-key-url <disk-encryption-key-url> // The OS disk encryption key secret URL.
- --key-encryption-key-vault-id <key-encryption-key-vault-id> // The vault reference URL for the OS disk encryption key.
- --key-encryption-key-url <key-encryption-key-url> // The URL of the master key used to encrypt the OS disk encryption key.
Azure Advisor, Azure Security Center, the Azure Portal or the PowerShell cmdlets provide a detailed report on the disk encryption status, for example:
azure vm show-disk-encryption-status --resource-group NilayCorRG**** --name HelloWroldVM*** --json
Notes
- The Azure Key Vault policy flag EnabledForDiskEncryption must be set to true; the flag applies to any key used for Azure Disk Encryption.
- The article assumes that all appropriate Key Vault configuration and Azure AD permissions are in place.
- For a detailed guide, please refer to the up-to-date Microsoft documentation.
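The parameter set from the cmdlet section, the status check and the EnabledForDiskEncryption flag from the notes, carried through end to end as an added PowerShell example that is not part of the original article; it uses the current Az module equivalents of the cmdlets, and the resource group, VM, vault and key names are placeholders.

```powershell
# Added example, not from the original article: enable Azure Disk Encryption
# on an existing ARM VM with the Az module. All names below are placeholders.
$rg        = 'MyResourceGroup'   # placeholder resource group
$vmName    = 'MyVm'              # placeholder VM name
$vaultName = 'MyAdeVault'        # placeholder vault, must be in the VM's region
$kekName   = 'MyAdeKek'          # placeholder key-encryption-key name

# 1. The vault must carry the EnabledForDiskEncryption flag, otherwise the
#    encryption extension cannot store the wrapped BitLocker/DM-Crypt secret in it.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
if (-not $vault.EnabledForDiskEncryption) {
    throw "Vault $vaultName is not enabled for disk encryption"
}

# 2. Create the key-encryption key (KEK) that wraps the per-disk secret, or reuse it.
$kek = Get-AzKeyVaultKey -VaultName $vaultName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination 'Software'
}

# These values correspond to the ARM template parameters named in the article.
$keyVaultResourceId  = $vault.ResourceId   # keyVaultResourceID
$keyVaultUrl         = $vault.VaultUri     # vault that will hold the disk encryption secret
$keyEncryptionKeyUrl = $kek.Key.Kid        # keyVaultKekUrl (versioned key identifier)

# 3. Install the encryption extension; the VM restarts while OS volume encryption begins.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $keyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId `
    -VolumeType 'All' -Force

# 4. Verify, the PowerShell counterpart of azure vm show-disk-encryption-status.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    Write-Warning "OS volume not yet encrypted: $($status.ProgressMessage)"
}
```

Encryption of the OS volume continues after the cmdlet returns, so re-run the status check until OsVolumeEncrypted reports Encrypted before treating the VM as compliant.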