Automating Azure Disk Encryption with PowerShell

While studying for the 70-533 exam I decided to take a deep dive in to the Disk encryption feature provided by Azure. Azure Disk Encryption uses BitLocker for Windows or DM-Crypt for Linux enabling users to encrypt OS and data disks of Azure Virtual Machines.

It turns out that it’s not just as simple as flicking a switch to get encryption up and running. The service is tied in with Azure Active Directory and Key Vault too. After manually running through the set up a few times I¬†decided to put together a proof of concept script based on client-secret authentication. It’s worth noting that certificate-based authentication is also supported.

The high level steps are as follows:

  • Create a Key Vault that is enabled for disk encryption
  • Create an Azure Active Directory application and associated service principal
  • Create a Key Vault access policy¬†and grant the Azure AD application access
  • Configure the VM Disk Encryption Extension

Once the script completes both OS and data disks should be enabled for encryption.

Azure Disk Encryption


The official docs are pretty decent for getting started. I also referenced Sudhakar Evuri’s posts on disk encryption and PowerShell.

2 thoughts on “Automating Azure Disk Encryption with PowerShell

  1. Pingback: Automating Azure Disk Encryption with PowerShell - How to Code .NET

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.