by

Encrypting Virtual Machine

Hi,

This is the continuation of Azure Learning Series. In this section, we will cover encryption of virtual machines. Having said that, let’s get started.

  • File in azure storage account are by default encrypted using secure storage encryption.
  • But, once you able to see storage with .vhd account, that is not encrypted.
  • You can use bitlocker in order to encrypt virtual disk within azure.
  • Cryptography key for this is going to be stored in azure key vault.
  • Therefore, first thing we need to create is key vault from market place in azure.

1st

While creating make sure to check the checkbox against virtual machine encryption. I checked all here.

2nd

3rd

4th

5th

6th

We have created our key vault. Keep in mind that inorder to encrypt VM, your key-vault and VM should be in same region. Now, let’s go ahead and click on the key link as shown on the left menu.

image

  • Click on Generate/Import button.

image

  • Here, I have just used all the default values.

image

  • Once key is created, we can now use it encrypt virtual machine. One point to note here, that you can only apply encryption to standard and above means DS1. Below, I have my VM in place.

image

  • Currently, this VM is not encrypted. Now, you can click on disks as highlighted above.

image

  • You can see above, that encryption is not enabled.
  • To enable encryption on this disk, we can either do it with UI or with powershell.
  • Let’s do it with UI option with the name Encryption

image

  • Here, I am going to encrypt OS disk. You can encrypt both if you want. But for data, you need to mount data disk before mounting.

image

  • Next select the vault like shown below.

image

image

image

  • Say yes and continue. At the notification center, you can see that its enabling encryption.

image

  • It may get encrypted or you may get error as well. Incase you get error, try with powershell script as well.
  • For that, I will open cloud shell embedded in azure portal itself like shown below. In case, if you are configuring powershell for the first time, you need to mount storage for that as well like shown below. If

image

  • For quick reference, you can use this doc https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-cli-quickstart as well.
  • I have modified the command with my key-vault and resource group. az vm encryption enable -g “az300” –name “azvmdemo” –disk-encryption-keyvault “rahul-Key-Vault”

image – In order to get the confirmation, execute az vm show –name “azvmdemo” -g “az300”. – This should show “EncryptionOperation”: “EnableEncryption” as well.

image

  • This means, VM is successfully encrypted. We can verify the same from UI as well like shown below.

image

With this, we have completed VM encryption module.

Thanks,
Rahul Sahay
Happy Coding