Creating and configuring a key vault for Azure Disk Encryption on a Windows VM - Azure Virtual Machines (2024)

Table of Contents
In this article Connect to your Azure account Create a resource group Azure CLI Azure PowerShell Create a key vault Azure CLI Azure PowerShell Resource Manager template Set key vault advanced access policies Azure CLI Azure PowerShell Azure portal Azure Disk Encryption and auto-rotation Set up a key encryption key (KEK) Azure CLI Azure PowerShell Next steps FAQs
  • Article

Applies to: ✔️ Windows VMs ✔️ Flexible scale sets

Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption keys and secrets. For more information about key vaults, see Get started with Azure Key Vault and Secure your key vault.

Warning

  • If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue use this option to encrypt your VM. See Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID (previous release) for details.

Creating and configuring a key vault for use with Azure Disk Encryption involves three steps:

Note

You must select the option in the Azure Key Vault access policy settings to enable access to Azure Disk Encryption for volume encryption. If you have enabled the firewall on the key vault, you must go to the Networking tab on the key vault and enable access to Microsoft Trusted Services.

  1. Creating a resource group, if needed.
  2. Creating a key vault.
  3. Setting key vault advanced access policies.

These steps are illustrated in the following quickstarts:

  • Create and encrypt a Windows VM with Azure CLI
  • Create and encrypt a Windows VM with Azure PowerShell

You may also, if you wish, generate or import a key encryption key (KEK).

The steps in this article can be completed with the Azure CLI, the Azure PowerShell Az module, or the Azure portal.

See Also
Server-side encryption of Azure managed disks - Azure Virtual MachinesTutorial: Secure a web server with TLS/SSL certificates - Azure Virtual MachinesHow to Install an SSL Certificate on Azure - SSL DragonAzure Disk Storage overview - Azure Virtual Machines

While the portal is accessible through your browser, Azure CLI and Azure PowerShell require local installation; see Azure Disk Encryption for Windows: Install tools for details.

Connect to your Azure account

Before using the Azure CLI or Azure PowerShell, you must first connect to your Azure subscription. You do so by Signing in with Azure CLI, Signing in with Azure PowerShell, or supplying your credentials to the Azure portal when prompted.

az login
Connect-AzAccount

Create a resource group

If you already have a resource group, you can skip to Create a key vault.

A resource group is a logical container into which Azure resources are deployed and managed.

Create a resource group using the az group create Azure CLI command, the New-AzResourceGroup Azure PowerShell command, or from the Azure portal.

  • Azure portal

Azure CLI

az group create --name "myResourceGroup" --location eastus

Azure PowerShell

New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"

Create a key vault

If you already have a key vault, you can skip to Set key vault advanced access policies.

Create a key vault using the az keyvault create Azure CLI command, the New-AzKeyvault Azure PowerShell command, the Azure portal, or a Resource Manager template.

Warning

To ensure that encryption secrets don't cross regional boundaries, you must create and use a key vault that's in the same region and tenant as the VMs to be encrypted.

Each Key Vault must have a unique name. Replace <your-unique-keyvault-name> with the name of your key vault in the following examples.

Azure CLI

When creating a key vault by using the Azure CLI, add the "--enabled-for-disk-encryption" flag.

az keyvault create --name "<your-unique-keyvault-name>" --resource-group "myResourceGroup" --location "eastus" --enabled-for-disk-encryption

Azure PowerShell

When creating a key vault using Azure PowerShell, add the "-EnabledForDiskEncryption" flag.

New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "eastus" -EnabledForDiskEncryption

Resource Manager template

You can also create a key vault by using the Resource Manager template.

  1. On the Azure Quickstart Template, click Deploy to Azure.
  2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then click Purchase.

Set key vault advanced access policies

Important

Newly-created key vaults have soft-delete on by default. If you are using a pre-existing key vault, you must enable soft-delete. See Azure Key Vault soft-delete overview.

See Also
Enable Azure Disk Encryption for Windows VMs - Azure Virtual Machines

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes.

If you didn't enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in the previous step), you must update its advanced access policies.

Azure CLI

Use az keyvault update to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: Enabled-for-disk-encryption is required.

    az keyvault update --name "<your-unique-keyvault-name>" --resource-group "MyResourceGroup" --enabled-for-disk-encryption "true"

  • Enable Key Vault for deployment, if needed: Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

    az keyvault update --name "<your-unique-keyvault-name>" --resource-group "MyResourceGroup" --enabled-for-deployment "true"

  • Enable Key Vault for template deployment, if needed: Allow Resource Manager to retrieve secrets from the vault.

    az keyvault update --name "<your-unique-keyvault-name>" --resource-group "MyResourceGroup" --enabled-for-template-deployment "true"

Azure PowerShell

Use the key vault PowerShell cmdlet Set-AzKeyVaultAccessPolicy to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: EnabledForDiskEncryption is required for Azure Disk encryption.

    Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForDiskEncryption

  • Enable Key Vault for deployment, if needed: Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

     Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForDeployment

  • Enable Key Vault for template deployment, if needed: Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.

    Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForTemplateDeployment

Azure portal

  1. Select your key vault and go to Access Policies.

  2. Under "Enable Access to", select the box labeled Azure Disk Encryption for volume encryption.

  3. Select Azure Virtual Machines for deployment and/or Azure Resource Manager for template deployment, if needed.

  4. Click Save.

    Creating and configuring a key vault for Azure Disk Encryption on a Windows VM - Azure Virtual Machines (1)

Azure Disk Encryption and auto-rotation

Although Azure Key Vault now has key auto-rotation, it isn't currently compatible with Azure Disk Encryption. Specifically, Azure Disk Encryption will continue to use the original encryption key, even after it has been auto-rotated.

Rotating an encryption key won't break Azure Disk Encryption, but disabling the "old" encryption key (in other words, the key Azure Disk Encryption is still using) will.

Set up a key encryption key (KEK)

Important

The account running to enable disk encryption over the key vault must have "reader" permissions.

If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

You can generate a new KEK by using the Azure CLI az keyvault key create command, the Azure PowerShell Add-AzKeyVaultKey cmdlet, or the Azure portal. You must generate an RSA key type; Azure Disk Encryption doesn't currently support using Elliptic Curve keys.

You can instead import a KEK from your on-premises key management HSM. For more information, see Key Vault Documentation.

Your key vault KEK URLs must be versioned. Azure enforces this restriction of versioning. For valid secret and KEK URLs, see the following examples:

Azure CLI

Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.

az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096

You may instead import a private key by using the Azure CLI az keyvault key import command:

In either case, you supply the name of your KEK to the Azure CLI az vm encryption enable --key-encryption-key parameter.

az vm encryption enable -g "MyResourceGroup" --name "myVM" --disk-encryption-keyvault "<your-unique-keyvault-name>" --key-encryption-key "myKEK"

Azure PowerShell

Use the Azure PowerShell Add-AzKeyVaultKey cmdlet to generate a new KEK and store it in your key vault.

Add-AzKeyVaultKey -Name "myKEK" -VaultName "<your-unique-keyvault-name>" -Destination "HSM" -Size 4096

You may instead import a private key using the Azure PowerShell az keyvault key import command.

In either case, you will supply the ID of your KEK key Vault and the URL of your KEK to the Azure PowerShell Set-AzVMDiskEncryptionExtension -KeyEncryptionKeyVaultId and -KeyEncryptionKeyUrl parameters. This example assumes that you are using the same key vault for both the disk encryption key and the KEK.

$KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup"$KEK = Get-AzKeyVaultKey -VaultName "<your-unique-keyvault-name>" -Name "myKEK"Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyUrl $KEK.Id -SkipVmBackup -VolumeType All

Next steps

Creating and configuring a key vault for Azure Disk Encryption on a Windows VM - Azure Virtual Machines (2024)

FAQs

How do I create a Disk Encryption key in Azure? ›

Under Encryption settings > Disks to encrypt, select OS and data disks. Under Encryption settings, choose Select a key vault and key for encryption. On the Select key from Azure Key Vault screen, select Create New. To the left of Key vault and key, select Click to select a key.

Read On
What type of encryption does Azure Disk Encryption provide for Azure Virtual Machines? ›

Azure Disk Encryption for Windows VMs uses the BitLocker feature of Windows to provide full disk encryption of the OS disk and data disks. Additionally, it provides encryption of the temporary disk when the VolumeType parameter is All.

Discover More Details
Can I use BitLocker on an Azure VM? ›

Azure Disk Encryption uses the BitLocker external key protector for Windows VMs. For domain joined VMs, don't push any group policies that enforce TPM protectors. For information about the group policy for "Allow BitLocker without a compatible TPM," see BitLocker Group Policy Reference.

Continue Reading
Can Azure key Vault generate keys? ›

The create key operation can be used to create any key type in Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

See Details
What is the difference between Azure Disk Encryption and encryption at host? ›

Azure Storage encryption automatically encrypts your data stored on Azure managed disks (OS and data disks) at rest by default when persisting it to the cloud. Disks with encryption at host enabled, however, aren't encrypted through Azure Storage.

Find Out More
What is the best practice of Azure Disk Encryption? ›

Best practice: Store certificates in your key vault. Your certificates are of high value. In the wrong hands, your application's security or the security of your data can be compromised. Detail: Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed.

Tell Me More
What is the Azure policy for Disk Encryption? ›

Azure Disk Encryption

There is no charge for encrypting virtual disks in Azure. Cryptographic keys are stored in Azure Key Vault using software-protection, or you can import or generate your keys in Hardware Security Modules (HSMs) certified to FIPS 140 validated standards.

Show Me More
How to Create secrets in Azure key Vault? ›

Navigate to your key vault in the Azure portal: On the Key Vault left-hand sidebar, select Objects then select Secrets. Select + Generate/Import.

Explore More
How do you Create a key in key vault? ›

Add a key to Key Vault

On the Key Vault properties pages, select Keys. Select Generate/Import. On the Create a key screen choose the following values: Options: Generate.

Continue Reading
How to check if Azure Disk Encryption is enabled? ›

Verify with the Azure CLI by using the az vm encryption show command. Verify with Azure PowerShell by using the Get-AzVmDiskEncryptionStatus cmdlet. Select the VM, then click on Disks under the Settings heading to verify encryption status in the portal. In the chart under Encryption, you'll see if it's enabled.

Show Me More

What is the disk limit for Azure virtual machine? ›

Using managed disks, you can create up to 50,000 VM disks of a type in a subscription per region, allowing you to create thousands of VMs in a single subscription.

Read The Full Story
How to encrypt existing VM? ›

Encrypting of a virtual machine

Right-click on the virtual machine and from the VM Policies menu choose Edit VM Storage Policies . From the VM Storage Policies drop-down menu, choose VM Encryption Policy and click OK .

See Details
What is encryption key in Azure? ›

Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Get More Info Here
Where are Azure encryption keys stored? ›

Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

Continue Reading
Top Articles
Does Paypal Credit Affect My Credit Score?
Units of Measurement - List, Chart, Length, Mass, Examples
Op 230 Sdsu
Pathfinder Kingmaker Paladin Build
Latest Posts
⛈️ Cloud with Lightning and Rain Emoji
YubiKey Technical Manual — YubiKey Technical Manual documentation
Article information

Author: Aron Pacocha

Last Updated:

Views: 6218

Rating: 4.8 / 5 (48 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Aron Pacocha

Birthday: 1999-08-12

Address: 3808 Moen Corner, Gorczanyport, FL 67364-2074

Phone: +393457723392

Job: Retail Consultant

Hobby: Jewelry making, Cooking, Gaming, Reading, Juggling, Cabaret, Origami

Introduction: My name is Aron Pacocha, I am a happy, tasty, innocent, proud, talented, courageous, magnificent person who loves writing and wants to share my knowledge and understanding with you.