Azure Disk Encryption with Key Vault — Part 1

Overview

The Virtual Machines created in Azure can be secured by encrypting their disks either OS disk or data disks. The Azure Disk Encryption is the process to do it and it uses BitLocker feature to encrypt your VM disks. I will be telling you here how to encrypt the disks and maintain the encryption keys in Azure Key Vault.

Pre-Requisites

Here are some pre-requisites which needs to be fulfilled to accomplish Azure Disk Encryption for Windows Virtual Machines only.

• See the support VM sizes here. Not all VM sizes are supported for disk encryption.
• Azure Disk Encryption does not supports below scenarios:
• Machines with S2D configuration for file servers
• Machines created with Classic VM template
• Network file systems
• Azure Files
• Machines with RAID configured
• Only Windows 2008 or later and Windows Server 2008 R2 or later are supported OS.
• If your network is firewall protected, then you must open some URLs and ports listed below:
• login.microsoftonline.com:443
• management.azure.com:443
• graph.windows.net:443
• <vault-name>.vault.azure.net:443
• Make sure that Group Policy for domain joined VMs has this policy applied “Configure user storage of BitLocker recovery information > Allow 256 bit recovery key”
• Make sure to create Azure Key Vault in the same region where your VM is hosted.

Risks and Impact

There are some risks that needs to be in mind before applying disk encryption. Some of them are listed below:

• Virtual Machines shall be rebooted during encryption is applied, so better take approval from users for Production machines to avoid any business impact.
• Disk encryption might take time if the disks size is large.

Permissions

You need to have Contributor level permission at Subscription level in order to perform Azure Disk Encryption.

In part 2 of this blog, i will share the step-by-step guide to how to perform Azure Disk Encryption.