Enable Azure Disk Encryption for Azure VM | StarWind Blog (2024)


IT and Virtualization Consultant. Romain specializes in Microsoft technologies such as Hyper-V, System Center, storage, networking, and Microsoft Azure. He is a Microsoft MVP and MCSE in Server Infrastructure and Private Cloud.

When you deploy virtual machines in Microsoft Azure, they come without BitLocker enabled, which may conflict with your corporate security policy. To encrypt a Windows Azure VM (or a Linux VM, with dm-crypt), you can use Azure Disk Encryption (ADE). ADE provides volume encryption of the VM's OS and data disks through BitLocker on Windows or dm-crypt on Linux.

Because the VM exposes no TPM in which BitLocker could seal its key, ADE stores the BitLocker encryption key (BEK) as a secret in Azure Key Vault, a cloud service for securely storing and accessing secrets, keys and certificates. To protect that secret further, you can wrap it with a key encryption key (KEK) held in the same Key Vault; that key can be generated by Key Vault or brought in from your own HSM (bring your own key). In this topic we'll see how to configure both services to encrypt a Windows Azure VM.

N.B.: You will see in this topic that all the configuration is easy. However, take your time with the Azure Key Vault configuration, especially the key: all the security rests on that key, and I strongly recommend bringing your own. Back up the VM before enabling ADE and enable soft delete and purge protection on the vault, because if the key or the secret is lost, the encrypted disks cannot be recovered.

Configure Azure Key Vault

First, we need to set up Azure Key Vault to allow access to Azure Disk Encryption. To do so, navigate to your Azure Key Vault and select Access Policies.


In Access Policies, be sure that "Azure Disk Encryption for volume encryption" is enabled. This checkbox sets the vault property EnabledForDiskEncryption, which the ADE extension needs whether the vault uses access policies or Azure RBAC; it can also be set with PowerShell or the Azure CLI.


Next, we need a key. For that navigate to Keys in Azure Key Vault. Select Generate / Import.


In this menu you have two options: let Key Vault generate the key, or import a key that was generated in your own environment (bring your own key). In both cases the key is then held in Key Vault; the difference is where the key material originates and whether your corporation keeps a copy outside Azure. For sensitive information, I recommend importing your own key.

For this example, I generate a key. In the documentation (Enable Azure Disk Encryption for Windows VMs – Azure Virtual Machines | Microsoft Docs), Microsoft indicates that the key encryption key must be an RSA key of at least 2048 bits.


At this point, Azure Key Vault is configured for ADE.

Enable Azure Disk Encryption

To enable Azure Disk Encryption, your Azure VM must be powered on, and the VM and the key vault must be in the same region and subscription. Navigate to your Azure VM, select Disks, then select Additional settings.


In Additional settings, select the disks you want to encrypt (OS, data, or both), then select the key vault, the key and the key version. ADE records the URL of that specific key version in the VM's encryption settings, so rotating the KEK later means re-running the enablement with the new key URL.


As soon as you click OK in the Azure Disk Encryption settings, the ADE extension is deployed, BitLocker is enabled inside the VM and the selected volumes start encrypting in the background. The portal returns before encryption completes, so check the Disks blade (or Get-AzVMDiskEncryptionStatus) until the OS and data volumes report Encrypted.
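The two sections above, done end to end with Azure PowerShell instead of the portal, as an added example that is not part of the original post. The resource group, vault, VM and key names are assumptions; the script needs the Az.KeyVault and Az.Compute modules and a signed-in session (Connect-AzAccount). It also adds the checks a practitioner wants before pressing the button: the vault is enabled for disk encryption, the KEK is RSA and at least 2048 bits, the VM is running and in the vault's region, and encryption is polled until it actually finishes.

```powershell
# Added example (not from the original post): enable ADE with a Key Vault KEK.
# Assumed names below; adjust to your environment.
$ErrorActionPreference = 'Stop'
$rg       = 'rg-ade-demo'
$location = 'westeurope'
$vault    = 'kv-ade-demo'   # must be globally unique (assumption)
$vmName   = 'vm-ade-demo'
$kekName  = 'ade-kek'

# 1. Key Vault. EnabledForDiskEncryption is the vault property behind the portal's
#    "Azure Disk Encryption for volume encryption" checkbox. Purge protection is enabled
#    because losing the KEK or the BEK secret makes the encrypted disks unrecoverable.
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
            -EnabledForDiskEncryption -EnablePurgeProtection
} elseif (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $vault -EnabledForDiskEncryption
    $kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
}

# 2. Key encryption key. Generated here in the vault (software-protected); to bring your
#    own key instead, import it with
#    Add-AzKeyVaultKey -VaultName $vault -Name $kekName -KeyFilePath <file.pem|file.byok> -Destination HSM
$kek = Get-AzKeyVaultKey -VaultName $vault -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $vault -Name $kekName -Destination Software -KeyType RSA -Size 2048
}
$kekBits = $kek.Key.N.Length * 8          # modulus length of the JSON Web Key
if ($kek.Key.Kty -notmatch '^RSA' -or $kekBits -lt 2048) {
    throw "ADE needs an RSA KEK of at least 2048 bits; got $($kek.Key.Kty) $kekBits bits"
}

# 3. Preconditions on the VM: running, and in the same region as the vault.
$vm    = Get-AzVM -ResourceGroupName $rg -Name $vmName -Status
$power = ($vm.Statuses | Where-Object Code -like 'PowerState/*').Code
if ($power -ne 'PowerState/running') { throw "VM must be running to enable ADE (state: $power)" }
if ($vm.Location -ne $kv.Location)   { throw "VM ($($vm.Location)) and vault ($($kv.Location)) must be in the same region" }

# 4. Enable ADE. DiskEncryptionKeyVault* is where the BitLocker secret (BEK) is stored;
#    KeyEncryptionKey* wraps that secret with the KEK. $kek.Key.Kid is the versioned key URL,
#    i.e. the "key and version" the portal asks for.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid     -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 5. The cmdlet returns once BitLocker is turned on; the volumes encrypt in the background.
do {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
    Write-Host ('OS: {0}  Data: {1}  {2}' -f $status.OsVolumeEncrypted, $status.DataVolumesEncrypted, $status.ProgressMessage)
    if ($status.OsVolumeEncrypted -ne 'Encrypted') { Start-Sleep -Seconds 60 }
} while ($status.OsVolumeEncrypted -ne 'Encrypted')
```

If the VM has no data disks, DataVolumesEncrypted will not reach Encrypted; use -VolumeType OS in that case, or accept the NotMounted/NoDiskFound states the status object reports for it.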



FAQs

How to enable Azure Disk Encryption on an existing VM? ›

Encrypt the virtual machine
  1. When the VM deployment is complete, select Go to resource.
  2. On the left-hand sidebar, select Disks.
  3. On the top bar, select Additional settings.
  4. Under Encryption settings > Disks to encrypt, select OS and data disks.
  5. Under Encryption settings, choose Select a key vault and key for encryption.
Feb 20, 2024

Which Azure components does Azure Disk Encryption rely on? ›

It uses BitLocker on Windows (dm-crypt on Linux) to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault, which holds the disk encryption keys and secrets under your control. Azure Disk Encryption is zone resilient, the same way as virtual machines.

Are Azure virtual machine disks automatically encrypted? ›

Azure Disk Storage Server-Side Encryption (also referred to as encryption-at-rest or Azure Storage encryption) is always enabled and automatically encrypts data stored on Azure managed disks (OS and data disks) when persisting on the Storage Clusters.

Which of the following is required to enable Azure Disk Encryption? ›

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

How to check if Azure Disk Encryption is enabled? ›

Verify with the Azure CLI by using the az vm encryption show command. Verify with Azure PowerShell by using the Get-AzVmDiskEncryptionStatus cmdlet. Select the VM, then click on Disks under the Settings heading to verify encryption status in the portal. In the chart under Encryption, you'll see if it's enabled.
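The checks above all ask the Azure control plane. The following added example, which is not part of the original post, runs inside the Windows guest and asks BitLocker itself, so you can confirm that every fixed volume is fully encrypted with protection on rather than trusting the extension's status. It assumes an elevated PowerShell session on the VM and the BitLocker module that ADE installs; the filter that skips the small BEK volume ADE creates for the BitLocker key matches on its label and is an assumption.

```powershell
# Added example (not from the original post): in-guest verification of ADE/BitLocker.
function Test-AdeGuestEncryption {
    # Fixed volumes with a drive letter. The BEK volume created by ADE holds the
    # BitLocker key and is not itself encrypted, so it is excluded (label match is an assumption).
    $fixed = Get-Volume | Where-Object {
        $_.DriveType -eq 'Fixed' -and $_.DriveLetter -match '[A-Z]' -and $_.FileSystemLabel -notmatch 'BEK'
    }
    $allProtected = $true
    foreach ($vol in $fixed) {
        $bl = Get-BitLockerVolume -MountPoint "$($vol.DriveLetter):" -ErrorAction SilentlyContinue
        $status = if ($bl) { $bl.VolumeStatus }     else { 'NoBitLockerInfo' }
        $prot   = if ($bl) { $bl.ProtectionStatus } else { 'Off' }
        $protectors = ($bl.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        Write-Host ('{0}: status={1} protection={2} method={3} protectors={4}' -f `
            $vol.DriveLetter, $status, $prot, $bl.EncryptionMethod, $protectors)
        # Only FullyEncrypted with protection On counts; EncryptionInProgress is not done yet.
        if ($status -ne 'FullyEncrypted' -or $prot -ne 'On') { $allProtected = $false }
    }
    return $allProtected
}

if (-not (Test-AdeGuestEncryption)) {
    Write-Warning 'At least one fixed volume is not fully protected by BitLocker'
    exit 1
}
```

The exit code makes the script usable from a configuration-management or compliance job: a non-zero result means the VM should not be treated as encrypted yet, even if the portal already shows the extension as provisioned.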

How to disable Azure VM Disk Encryption? ›

Disable encryption first, then remove the extension; removing the extension on its own does not decrypt the disks.
  1. Azure PowerShell: run Disable-AzVMDiskEncryption -ResourceGroupName <rg> -VMName <vm> (optionally with -VolumeType OS, Data or All), wait until Get-AzVMDiskEncryptionStatus reports NotEncrypted, then remove the extension with Remove-AzVMDiskEncryptionExtension.
  2. Azure CLI: run az vm encryption disable --resource-group <rg> --name <vm>, then remove the AzureDiskEncryption extension with az vm extension delete.
Jan 3, 2024

What is the difference between Azure Disk Encryption and encryption at host? ›

Azure Storage encryption (server-side encryption) automatically encrypts managed disks (OS and data disks) at rest in the storage service by default. Encryption at host moves that boundary to the VM host: the temp disk and the OS/data disk caches are encrypted on the host and data already flows to Storage encrypted, so such disks are not encrypted by the storage service separately. Azure Disk Encryption is different again: it runs BitLocker (or dm-crypt) inside the guest OS, so volumes are encrypted before anything leaves the VM, with keys you control in Key Vault. Encryption at host and Azure Disk Encryption cannot be enabled on the same VM.

What does Azure Disk Encryption cost, and where are the keys stored? ›

There is no charge for encrypting virtual disks in Azure; you pay only for the Key Vault operations it uses. Cryptographic keys are stored in Azure Key Vault using software protection, or you can import or generate your keys in Hardware Security Modules (HSMs) validated to FIPS 140 standards (Key Vault Premium or Managed HSM).

Is Azure Disk Encryption enabled by default? ›

No. ADE is opt-in and is enabled per VM as shown above. What is enabled by default is Azure Storage server-side encryption of managed disks with a Microsoft-managed key. If your organization's policy allows encrypting content at rest with an Azure-managed key, no action is needed; if it requires encryption inside the guest or keys under your own control, enable ADE (or customer-managed keys for server-side encryption).

Is Azure storage encryption enabled by default? ›

Data in a new storage account is encrypted with Microsoft-managed keys by default. You can continue to rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys, you have two options.

Is Azure storage encryption enabled by default, and can it be disabled? ›

By default, all data stored in Azure storage accounts is encrypted at rest. This is done transparently at the storage service layer using 256-bit AES. The service and its key usage are FIPS 140-2 compliant. As per the documentation, this encryption is enabled automatically and cannot be disabled.
