How to Encrypt Disks on Azure VMs using PowerShell

In my previous post, I showed you how to create a Key Vault. Today I will show you how to use that Key Vault to store the encryption key and then encrypt the disks of your virtual machines in Azure with PowerShell.

Requirements: This tutorial assumes that you already have a Microsoft Azure account set up and you have an Azure Key Vault. To learn how to create a Key Vault, see this link.

Important: The Azure Key Vault that contains the cryptographic keys and the associated resources, such as the storage account and the virtual machine, must all be in the same region.

Azure PowerShell Workaround

If you want to know how to install the PowerShell Azure module on your machine, check out this link.

The simplest way to get started is to sign in interactively at the command line.

This cmdlet brings up a dialog box prompting you for the email address and password associated with your Azure account.
If you have more than one subscription associated with your email account, you can choose the default subscription. To perform this task, we will use the following commands:

Set the variables
Here, we define the characteristics of our environment.

Azure Key Vault Access Policy

Before you start working with the Key Vault, you must grant your user permission to perform operations with the Key Vault. To perform this task, you must use the Set-AzKeyVaultAccessPolicy cmdlet.

Set-AzKeyVaultAccessPolicy

Create a cryptographic key

To encrypt the disks, you must create an essential component: an encryption key, which must be stored in the Key Vault. For this, you must use the Add-AzKeyVaultKey cmdlet with the following syntax:

– Destination
Specifies whether to add the key as a software-protected key or a hardware-protected key in the Key Vault service. Valid values are HSM and Software. Using an HSM requires a premium Key Vault.

Add-AzKeyVaultKey

“CrypKey” is the name I chose for the encryption key; you can choose your own name for the encryption key.

Check Azure VM status

Once the encryption key has been created, we will check that the machine is “Running”, and the disks are not encrypted.

Get-AzVM

To get the encryption status of the virtual machine, use the Get-AzVMDiskEncryptionStatus cmdlet with the following syntax:

Get-AzVmDiskEncryptionStatus

As you can see, this command shows the encryption status of the operating system and the data volumes.

Encrypt a virtual machine

Once we have verified that the virtual machine is not already encrypted and is in the “Running” state, we can start the encryption process. To perform this task, we will use the Set-AzVMDiskEncryptionExtension cmdlet with the following syntax:

Azure Disk Encryption

During the encryption process, the virtual machine will be restarted. Once the encryption process is completed and the virtual machine has rebooted, you can verify the encryption status by using the Get-AzVmDiskEncryptionStatus cmdlet.

Get-AzVmDiskEncryptionStatus
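The whole procedure above as one script, added here as an example and not taken from the original post. The resource group, vault, VM, key and user names are placeholders, and it adds two checks the post only states in prose: that the vault and VM are in the same region, and that the VM is running and not already encrypted before the extension is applied.

```powershell
# Added example: end-to-end Azure Disk Encryption with the Az module.
# All names below are placeholders; replace them with your own values.
$ResourceGroup = 'rg-ade-demo'
$VaultName     = 'kv-ade-demo'
$VMName        = 'vm-ade-demo'
$KeyName       = 'CrypKey'
$UserUpn       = 'admin@contoso.com'   # signed-in user who manages the key

# Interactive sign-in, then pin the subscription if the account has several.
Connect-AzAccount
Set-AzContext -Subscription 'My Subscription'

# Key Vault and VM must live in the same region.
$vault = Get-AzKeyVault -VaultName $VaultName
$vm    = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
if ($vault.Location -ne $vm.Location) {
    throw "Key Vault ($($vault.Location)) and VM ($($vm.Location)) are in different regions."
}

# Grant the user key permissions and let the platform use the vault for disk encryption.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserUpn `
    -PermissionsToKeys get,list,create,wrapKey,unwrapKey
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -EnabledForDiskEncryption

# Create the key encryption key (Destination HSM needs a premium vault).
Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination Software | Out-Null
$kek = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName

# Pre-checks: VM is running and not already encrypted.
$power = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName -Status).Statuses |
    Where-Object Code -like 'PowerState/*'
$before = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VMName
if ($power.Code -ne 'PowerState/running') { throw "VM is not running: $($power.Code)" }
if ($before.OsVolumeEncrypted -eq 'Encrypted') { Write-Warning 'OS volume already encrypted'; return }

# Encrypt OS and data volumes; the VM reboots during this step.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# Verify the result after the reboot.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VMName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

If the vault uses Azure RBAC instead of access policies, the two Set-AzKeyVaultAccessPolicy calls do not apply and the equivalent role assignments are needed instead.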

If you want to know more about Azure Disk Encryption, check out this link: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview