Protecting your Azure virtual machine with Disk Encryption

The ultimate objective of security was to protect data from any authorized access. Confidentiality should emphasize similarly. Controlling access to virtual machine and data sometimes does not work. Through a local attack, an attacker might have your disk where data is stored. In this situation, adding an extra protection layer by encrypting your disk is always a recommended best practice.

If you want to learn advanced Azure IaaS Defense in Depth with lot of hands-on labs to practice, go pre-order my upcoming book here

Azure Disk Encryption allows you to encrypt disk in virtual machine. During the encryption, disk-encryption key is stored in Azure Key Vault which is required for decryption. To successfully gain data inside your disk, an attacker must have not only data disk but also secret key to decrypt. Without the key, the attacker cannot mount the disk into his hypervisor host for further analysis. Your virtual machines are encrypted at rest in the storage account.

Azure Disk Encryption leverages BitLocker encryption technology on Windows and DM-Crypt on Linux.

Lab: Encrypting Azure virtual machine disk

This lab is going to walk you through steps to enable Disk Encryption. Perform the following steps to complete the lab:

Step 1: Log into the Azure Management Portal ( using your administrator account.

Step 2: From the left panel, click Azure Key Vault. If it has not been added yet, click More services and search for Key vaults.

Step 3: On the Key vaults blade, click Add.

Step 4: On the Create Key Vault blade, enter name of the new key vault under Name

Step 5: Select your subscription under Subscription

Step 6: Select Use existing under Resource Group setting. Select did-infra-rg from the drop-down list. did-infra-rg is the resource group which I created before purposely for grouping all Azure components related to network infrastructure (e.g. virtual network, application gateway…).

Step 7: Select your location under Location.

Step 8:Keep Pricing tier setting by default with Standard

Step 9: Click Access policies to specify who to manage key vault.

Step 10: On the Access policies blade, choose the user you want.

Step 11: On the permission blade, select Key, secret, & Certificate Management under Configure from template (optional)

Step 12: Click OK.

Step 13: Click Advanced access policy On the Advanced access policy blade, select three options.

Step 14: Click OK.

Step 15: Click Create.

Step 16: Wait a few minutes until the creation process is completed.

Step 17:Open PowerShell ISE and run Login-AzureRM to log into your Azure. You are prompted to provide Azure subscription account.

Step 18: Make sure PowerShell returns your Azure information before you move on.

Step 19: Open the Azure Disk Encryption Prerequisite file provided by Microsoft from here. Copy the code and paste into PowerShell ISE.

Step 20: The PowerShell asks you several information including key vault information you created from the beginning.

Step 21: Copy addClientID, addClientSecret, diskEncryptionKeyVaultUrl, keyVaultResourceId from the PowerShell screen into a NotePad file before you press Enter.

Step 22: Copy the following PowerShell code snipping with correct value you copied, including virtual machine name and resource group that the virtual machine you need to encrypt its disks.

$vmName = 'did-ad-vm'
$resourceGroupName = 'did-ad-rg'
$aadClientID = '9fc8a638-a495-43e9-b951-aa7b9109836c'
$aadClientSecret = '045d7535-3c58-4c28-acd9-064a12f09134'
$diskEncryptionKeyVaultUrl = ''
$keyVaultResourceId = '/subscriptions/2dd8cb59-ed12-4755-a2bc-356c212fbafc/resourceGroups/did-infra-rg/providers/Microsoft.KeyVault/vaults/did-keyvault'

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId

Step 23: You are asked to confirm to encrypt the disk on the target virtual machine. Click Yes

Step 24: Wait around 10-15 minutes until the encryption process is completed.

Step 25: You can verify by checking encryption status in DISK ENCRYPTION

Now you have completed this lab.

Additional references

Here are some additional references that might be helpful:

This entry was posted in Host Protection and tagged . Bookmark the permalink.

1 Response to Protecting your Azure virtual machine with Disk Encryption

  1. Pingback: Azure Disk Encryption for Windows VM - Microsoft Azure Security RandomnessMicrosoft Azure Security Randomness

Leave a Reply

Your email address will not be published.