While studying for the 70-533 exam I decided to take a deep dive in to the Disk encryption feature provided by Azure. Azure Disk Encryption uses BitLocker for Windows or DM-Crypt for Linux enabling users to encrypt OS and data disks of Azure Virtual Machines.
It turns out that it’s not just as simple as flicking a switch to get encryption up and running. The service is tied in with Azure Active Directory and Key Vault too. After manually running through the set up a few times I decided to put together a proof of concept script based on client-secret authentication. It’s worth noting that certificate-based authentication is also supported.
The high level steps are as follows:
- Create a Key Vault that is enabled for disk encryption
- Create an Azure Active Directory application and associated service principal
- Create a Key Vault access policy and grant the Azure AD application access
- Configure the VM Disk Encryption Extension
Once the script completes both OS and data disks should be enabled for encryption.
The official docs are pretty decent for getting started. I also referenced Sudhakar Evuri’s posts on disk encryption and PowerShell.