Automating Azure Disk Encryption with PowerShell

• Craig

While studying for the 70-533 exam I decided to take a deep dive into the disk encryption feature provided by Azure. Azure Disk Encryption uses BitLocker for Windows or DM-Crypt for Linux, enabling users to encrypt the OS and data disks of Azure Virtual Machines.

It turns out that it’s not as simple as flicking a switch to get encryption up and running. The service is tied in with Azure Active Directory and Key Vault too. After manually running through the setup a few times I decided to put together a proof-of-concept script based on client-secret authentication. It’s worth noting that certificate-based authentication is also supported.

The high-level steps are as follows:

  • Create a Key Vault that is enabled for disk encryption
  • Create an Azure Active Directory application and associated service principal
  • Create a Key Vault access policy and grant the Azure AD application access
  • Configure the VM Disk Encryption Extension

Once the script completes, both OS and data disks should be enabled for encryption.
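The four steps above, as an added example that is not the author's script: it assumes the Az PowerShell module, an existing signed-in session (Connect-AzAccount) and an existing VM, and every resource name is a placeholder.

```powershell
# Added example, not the original post's script. Assumes the Az module and an
# active Connect-AzAccount session. All names below are placeholders.
$rg        = 'rg-ade-demo'          # existing resource group holding the VM
$location  = 'uksouth'
$vmName    = 'vm-ade-demo'          # existing Windows or Linux VM
$vaultName = 'kv-ade-demo-0001'     # Key Vault names must be globally unique
$appName   = 'ade-client-demo'

# 1. Key Vault enabled for disk encryption. The flag lets the Azure platform
#    fetch the BitLocker/DM-Crypt key material back when the VM boots.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg `
             -Location $location -EnabledForDiskEncryption

# 2. Azure AD application and service principal. The client secret is
#    generated by the platform rather than chosen by hand, and is only
#    returned once, at creation time.
$app    = New-AzADApplication -DisplayName $appName
$cred   = New-AzADAppCredential -ApplicationId $app.AppId
$secret = $cred.SecretText
New-AzADServicePrincipal -ApplicationId $app.AppId | Out-Null

# 3. Access policy for the application. The extension only needs wrapKey on
#    keys and set on secrets, so nothing broader is granted. (If your Az
#    version creates vaults with RBAC authorization by default, this step
#    becomes a role assignment on the vault instead of an access policy.)
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName $app.AppId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# 4. Configure the disk encryption extension. -VolumeType All covers the
#    OS and data disks; the VM is restarted as part of this step.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $app.AppId -AadClientSecret $secret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# Verify: both properties should read Encrypted once the extension finishes.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

The secret only lives in the session variable here; if the script is kept for reuse, retrieve it from a secure store at run time rather than hard-coding it.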

The official docs are pretty decent for getting started. I also referenced Sudhakar Evuri’s posts on disk encryption and PowerShell.