Skip to main content
Jorge Bernhardt Jorge Bernhardt
  1. Posts/

Azure Disk Encryption using PowerShell

·617 words·3 mins· 100 views · 5 likes ·
Azure PowerShell Connect-AzAccount Disable-AzVMDiskEncryption format-table

Azure Disk Encryption (ADE) provides volume encryption for the OS and data disks of Azure virtual machines by using the DM-Crypt feature in Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. In this post, I want to show you how to encrypt the system volume of an existing Windows virtual machine using PowerShell.

Important: Before encrypting your Azure virtual disks, check the following link to verify that your virtual machines meet the requirements.

Requirements: This tutorial assumes that you already have an Azure Key Vault. To learn how to create a Key Vault, see this link.

Azure PowerShell Workaround>

Azure PowerShell Workaround #

If you want to know how to install the PowerShell Azure module on your machine, check out this link.

The simplest way to get started is to sign in interactively at the command line.


This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.

If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Select-AzSubscription -Subscription "My Subscription"
Set the variables>

Set the variables #

Here, we define the characteristics of our environment

$resourceGroupName = "RG-DEMO-NE"
$location          = "northeurope"
$vmName            = "VM-DEMO-NE-001"
$keyVaultName      = "KV-DEMO-NE"
Azure Key Vault Access Policy>

Azure Key Vault Access Policy #

As I mentioned before, ADE requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your Key Vault must have the option for disk encryption enabled. To find out if your Key vault already meets this requirement, you should run the following command.

Get-AzKeyVault `
    -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName `
    | Select-Object EnabledForDiskEncryption


To enable disk encryption for an existing Key Vault, you should use the Set-AzKeyVaultAccessPolicy cmdlet with the following syntax.

Set-AzKeyVaultAccessPolicy `
    -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName `
Enable the disk encryption>

Enable the disk encryption #

The Set-AzVmDiskEncryptionExtension cmdlet requires some values from your Key Vault resource. You can save the Key vault object in a variable and pass these values as parameters.

$KeyVault = Get-AzKeyVault `
    -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName

To encrypt your virtual machine, you must use the Set-AzVmDiskEncryptionExtension cmdlet with the following syntax.

Set-AzVMDiskEncryptionExtension `
    -ResourceGroupName $resourceGroupName `
    -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri `
    -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -VolumeType "OS"
Check the encryption status>

Check the encryption status #

You can check the disk encryption status using the Get-AzVmDiskEncryptionStatus cmdlet with the following syntax.

Get-AzVmDiskEncryptionStatus `
    -VMName $vmName `
    -ResourceGroupName $resourceGroupName


To get all the encryption secrets used to encrypt virtual machines in a key vault, you need to use the Get-AzKeyVaultSecret cmdlet with the following syntax.

Get-AzKeyVaultSecret -VaultName $KeyVaultName `
 | where { $_.Enabled} `
 | format-table @{Label="MachineName"; Expression={$_.Tags['MachineName']}}, @{Label="VolumeLetter"; Expression={$_.Tags['VolumeLetter']}}, @{Label="EncryptionKeyURL"; Expression={$_.Id}}
Disable the disk encryption>

Disable the disk encryption #

To disable the encryption on your virtual machines, you should use the Disable-AzVMDiskEncryption cmdlet. This cmdlet is not supported on Linux virtual machines.

Disable-AzVMDiskEncryption `
    -VMName $vmName `
    -ResourceGroupName $resourceGroupName `
    -VolumeType "OS"

-VolumeType: This parameter accepts the following values. [ All, OS, and Data]

Remove the Encryption extension>

Remove the Encryption extension #

If you want to remove the disk encryption extension and the associated configuration on your virtual machine, you should use the Remove-AzVMDiskEncryptionExtension cmdlet. This cmdlet will fail if encryption on the virtual machine has not been first disabled.

Remove-AzVMDiskEncryptionExtension `
    -VMName $vmName `
    -ResourceGroupName $resourceGroupName

Thanks for reading my post. I hope you find it helpful. If you want to know more about Azure Disk Encryption, check out this link.