Last Updated on September 14, 2019 by Dishan M. Francis
Disk encryption is a basic data protection method for physical & virtual hard disks. It falls under physical data security and it prevents data breaches from stolen hard disks (physical & virtual). If it is a Windows machine, we can simply use BitLocker for disk encryption. Also, there are other third-party vendors such as Thales e-Security which provides disk encryption solutions for organizations.
Similar to on-premises Windows servers and computers, we can use BitLocker to encrypt Windows VM running on Azure. For Linux VMs, we can use DM-Crypt to encrypt virtual disks. More details about BitLocker is available on https://docs.microsoft.com/en-gb/windows/security/information-protection/bitlocker/bitlocker-overview. Azure VM encryption uses the Azure Key Vault to store encryption keys and secrets.
In this demo, I am going to demonstrate how to encrypt Azure VM using BitLocker. For the configuration process, I will be using PowerShell. Therefore, please make sure you have Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0
Setup Resource Group
The first step of the configuration is to create a new resource group.
To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create a new resource group using,
New-AzResourceGroup -Name REBELRG1 -Location "East US"
In the above, REBELRG1 is the resource group name and East US is the resource group location.
Configure Azure Key Vault
Next, we need to create a new key vault and encryption key.
1. As the first step, let's go ahead and enable Azure Key Vault provider within the subscription by using,
Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"
2. Then, we go ahead with Azure Vault setup,
New-AzKeyVault -Location "East US" -ResourceGroupName REBELRG1 -VaultName REBELVMKV1 -EnabledForDiskEncryption
In the above, REBELVMKV1 is the key vault name and it is created under REBELRG1 resource group which we created in the previous step. -EnabledForDiskEncryption is used to prepare the key vault to use with disk encryption.