Azure Disk Encryption (ADE) provides volume encryption for the OS and data disks of Azure virtual machines by using the DM-Crypt feature in Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. In this post, I want to show you how to encrypt the system volume of an existing Windows virtual machine using PowerShell.
Azure PowerShell Workaround
```powershell
Connect-AzAccount
```

```powershell
Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"
```
Set the variables
```powershell
$resourceGroupName = "RG-DEMO-NE"
$location          = "northeurope"
$vmName            = "VM-DEMO-NE-001"
$keyVaultName      = "KV-DEMO-NE"
```
Azure Key Vault Access Policy
As I mentioned before, ADE requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your Key Vault must have the option for disk encryption enabled (the EnabledForDiskEncryption property), otherwise the Azure platform cannot write the BitLocker secrets into it. To find out whether your Key Vault already meets this requirement, run the following command.
```powershell
Get-AzKeyVault -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName |
    Select-Object EnabledForDiskEncryption
```
If the command returns False, enable the disk encryption access policy on the vault with Set-AzKeyVaultAccessPolicy.

```powershell
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName `
    -EnabledForDiskEncryption
```
Enable the disk encryption
The Set-AzVMDiskEncryptionExtension cmdlet requires two values from your Key Vault resource: its URI and its resource ID. You can save the Key Vault object in a variable and pass these values as parameters.
```powershell
$KeyVault = Get-AzKeyVault -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName
```

```powershell
Set-AzVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName `
    -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
    -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -VolumeType "OS"
```
Check the encryption status
You can check the disk encryption status using the Get-AzVMDiskEncryptionStatus cmdlet with the following syntax. The OsVolumeEncrypted and DataVolumesEncrypted properties of the result show whether each volume type is Encrypted, NotEncrypted or still in progress.
```powershell
Get-AzVMDiskEncryptionStatus -VMName $vmName `
    -ResourceGroupName $resourceGroupName
```
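The steps above put together as one re-runnable script. This is an added example, not code from the original post: it assumes the four variables set earlier in the post and an existing Connect-AzAccount session, and it adds the checks you would want before touching a production VM (the vault must be in the same region as the VM, the access policy is only set when missing, an already-encrypted OS volume is left alone) plus a wait loop on Get-AzVMDiskEncryptionStatus so you know when BitLocker has actually finished. The 60-minute timeout and 60-second poll interval are arbitrary choices.

```powershell
# Added example (not the original post's code). Assumes $resourceGroupName,
# $vmName and $keyVaultName are set as in the post and Connect-AzAccount has run.
$ErrorActionPreference = 'Stop'

# 1. Resolve the vault and the VM, and verify the vault is usable for ADE.
$KeyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
$vm       = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName

# ADE requires the Key Vault and the VM to be in the same Azure region.
if ($KeyVault.Location -ne $vm.Location) {
    throw "Key Vault '$keyVaultName' ($($KeyVault.Location)) is not in the VM's region ($($vm.Location))."
}

# Set the disk encryption access policy only when it is missing, so re-runs are harmless.
if (-not $KeyVault.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName `
        -ResourceGroupName $resourceGroupName `
        -EnabledForDiskEncryption
}

# 2. Do nothing if the OS volume is already encrypted.
$status = Get-AzVMDiskEncryptionStatus -VMName $vmName -ResourceGroupName $resourceGroupName
if ($status.OsVolumeEncrypted -eq 'Encrypted') {
    Write-Output "OS volume of $vmName is already encrypted."
    return
}

# 3. Enable encryption. -Force suppresses the confirmation prompt so the
#    script can run unattended; the extension reboots the VM as part of this.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName `
    -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
    -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -VolumeType 'OS' `
    -Force

# 4. Poll until the OS volume reports Encrypted, or give up after the timeout
#    (timeout and interval are arbitrary values chosen for this example).
$deadline = (Get-Date).AddMinutes(60)
do {
    Start-Sleep -Seconds 60
    $status = Get-AzVMDiskEncryptionStatus -VMName $vmName -ResourceGroupName $resourceGroupName
    Write-Output ("{0}: OS={1} Data={2} {3}" -f (Get-Date -Format 'HH:mm:ss'),
        $status.OsVolumeEncrypted, $status.DataVolumesEncrypted, $status.ProgressMessage)
} while ($status.OsVolumeEncrypted -ne 'Encrypted' -and (Get-Date) -lt $deadline)

if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    throw "Timed out waiting for $vmName; last status: $($status.OsVolumeEncrypted)"
}
```

Because every step is guarded by a state check, you can schedule this script against a fleet and run it repeatedly: VMs that are already encrypted are skipped, and a VM whose encryption is still in progress simply resumes polling on the next run.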
To list all the BitLocker secrets that ADE has stored in a Key Vault, use the Get-AzKeyVaultSecret cmdlet with the following syntax. The extension tags each secret with the machine name and volume letter it belongs to, so those tags are the easiest way to map secrets back to virtual machines.
```powershell
Get-AzKeyVaultSecret -VaultName $keyVaultName |
    Where-Object { $_.Enabled } |
    Format-Table @{Label="MachineName";      Expression={$_.Tags['MachineName']}},
                 @{Label="VolumeLetter";     Expression={$_.Tags['VolumeLetter']}},
                 @{Label="EncryptionKeyURL"; Expression={$_.Id}}
```
Disable the disk encryption
To disable the encryption on your virtual machines, you should use the Disable-AzVMDiskEncryption cmdlet. This cmdlet is not supported on Linux virtual machines.
```powershell
Disable-AzVMDiskEncryption -VMName $vmName `
    -ResourceGroupName $resourceGroupName `
    -VolumeType "OS"
```

-VolumeType: this parameter accepts the values All, OS and Data.
Remove the Encryption extension
If you want to remove the disk encryption extension and the associated configuration on your virtual machine, you should use the Remove-AzVMDiskEncryptionExtension cmdlet. This cmdlet will fail if encryption on the virtual machine has not been first disabled.
```powershell
Remove-AzVMDiskEncryptionExtension -VMName $vmName `
    -ResourceGroupName $resourceGroupName
```
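Since Remove-AzVMDiskEncryptionExtension fails while the volume is still encrypted, the two rollback steps are best driven by the reported status rather than run blindly one after the other. The script below is an added example, not code from the original post; it assumes the post's $resourceGroupName and $vmName variables and an existing Connect-AzAccount session, and uses the -Force switch on both cmdlets to suppress their confirmation prompts. It is written as two phases: the first run starts decryption and stops, and a later run (once the status reads NotEncrypted) removes the extension.

```powershell
# Added example (not the original post's code). Assumes $resourceGroupName and
# $vmName are set as in the post and Connect-AzAccount has run.
$ErrorActionPreference = 'Stop'

$status = Get-AzVMDiskEncryptionStatus -VMName $vmName -ResourceGroupName $resourceGroupName
Write-Output "Current OS volume status for ${vmName}: $($status.OsVolumeEncrypted)"

switch ($status.OsVolumeEncrypted) {
    'Encrypted' {
        # Phase 1: start in-place decryption of the OS volume. BitLocker decrypts
        # in the background; the extension must stay in place until it finishes.
        Disable-AzVMDiskEncryption -VMName $vmName `
            -ResourceGroupName $resourceGroupName `
            -VolumeType 'OS' `
            -Force
        Write-Output "Decryption started. Re-run this script once the status reports NotEncrypted."
    }
    'NotEncrypted' {
        # Phase 2: the volume is decrypted, so the extension can now be removed.
        # Removing it earlier would fail with the error the post describes.
        Remove-AzVMDiskEncryptionExtension -VMName $vmName `
            -ResourceGroupName $resourceGroupName `
            -Force
        Write-Output "Disk encryption extension removed from $vmName."
    }
    default {
        # Anything else (e.g. EncryptionInProgress, VMRestartPending, Unknown)
        # means the VM is mid-transition; do not touch it until it settles.
        throw "OS volume of $vmName is in state '$($status.OsVolumeEncrypted)'; nothing changed."
    }
}
```

The default branch is the important one: an extension removal attempted while BitLocker is still converting the volume leaves the VM in an inconsistent state, so the script refuses to act on anything other than the two stable states.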
If you want to know more about Azure Disk Encryption, check out this link.