Azure Disk Encryption with Key Vault — Part 2

Naqash Ahmed
Aug 2, 2020


Step-by-Step Azure Disk Encryption

If you have not read Part 1 of this blog, which covers the Disk Encryption requirements and prerequisites, read that first and then come back here. If you have already read it, continue below.

Follow the steps below to encrypt the OS and data disks of a Windows VM using Key Vault keys.

Step 1 — Create the Key Vault

  1. Create the Key Vault by searching for “Key Vault” in the Azure Portal.
  2. Click “Add” to create a new Key Vault.
  3. Fill in the details for the Key Vault. Make sure the Region of the Key Vault is the same as the region where the VM is located; otherwise encryption will fail with an error.
  4. Define the access policies that give users or groups permissions on Keys, Secrets or Certificates. You can select all permissions or choose only the ones required. Also check the three options under “Enable Access to” so that the VM disk can be encrypted successfully.
  5. To add a new Access Policy for a user or group, click “Add access policy” and fill in the required details. If you want to grant the permission on behalf of an application, select that application under “Authorized application”.
  6. To allow a specific virtual network or subnet, or to allow access from All Networks, go to the Virtual Networks section and select the required value. If “All Networks” is selected, the users or groups in the Access Policy can use this Key Vault from anywhere. If “Selected Networks” is chosen, only users and groups on the selected virtual network/subnet can use the Key Vault.
  7. Once done, click “Create” and the Key Vault will be created.

Step 2 — Generating the Keys

Follow the steps below to generate the key the VM will be encrypted with.

  1. Once the Key Vault is created, open it.
  2. Click Generate/Import to generate the key.
  3. Select “Generate” and name your key. You can also choose the key type, which is RSA by default. Keep the remaining options at their defaults. If you want an expiration date for the key, you can enable that. Ensure that the “Enabled” option is set to Yes.

Step 3 — Encrypting the VM disk

Follow the steps below to use the key generated in the previous step to encrypt the VM itself.

1. Once you have created the Key Vault and generated the required key, go to the VM you want to encrypt, then go to Disks > Encryption.

2. Under Encryption, select the disk volumes you want to encrypt. If you want to encrypt the data disks, you must encrypt the OS disk together with them.

3. After selecting the disks to encrypt, you will see the option below for selecting a Key Vault and its related key.

4. Click “Select a key vault and key for encryption”, then select the Key Vault you created in Step 1 and the key from Step 2. The version field will be populated automatically for the selected key.

5. Once the Key Vault and the related key are selected, click Save. The machine will also be rebooted if you confirm the action.

You can verify the disk encryption by going to the Disks section and checking that the Encryption status has changed to “Enabled”, or from inside the VM, where a lock icon appears on the mounted drives.
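The same three steps can be scripted with the Azure PowerShell Az module, which is useful for repeatable deployments and for auditing that a vault was configured the way the portal steps require. The script below is an added example, not part of the original post; the resource group, VM, vault, key and user names are placeholders. It takes the vault region from the VM (Step 1, point 3), enables the three “Enable Access to” options, grants a user only the key permissions ADE needs rather than “select all”, generates an RSA key with an expiry (Step 2), enables encryption on all volumes (Step 3) and then reads back the encryption status as the verification step describes.

```powershell
# Added example (not code from the original post): Steps 1-3 as Az PowerShell
# cmdlets. All names below are placeholders; replace them with your own.
$vmRg        = 'rg-myvm'               # assumed: resource group of the VM to encrypt
$vmName      = 'vm-win-01'             # assumed: the Windows VM
$kvRg        = 'rg-keyvault'           # assumed: resource group for the Key Vault
$kvName      = 'kv-ade-demo-001'       # assumed: vault name (must be globally unique)
$keyName     = 'ade-kek'               # assumed: name of the key encryption key
$operatorUpn = 'admin@contoso.example' # assumed: user who receives the access policy

# Step 1 - create the Key Vault in the SAME region as the VM (a vault in another
# region fails, as noted in Step 1), with the three "Enable Access to" options on.
$vm = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $kvRg -Location $vm.Location `
        -EnabledForDiskEncryption -EnabledForDeployment -EnabledForTemplateDeployment

# Access policy for a user: only the key permissions disk encryption actually
# needs (the BitLocker secret is wrapped/unwrapped with this key), not "select all".
Set-AzKeyVaultAccessPolicy -VaultName $kvName -UserPrincipalName $operatorUpn `
        -PermissionsToKeys get,list,create,wrapKey,unwrapKey

# Optional "Selected networks": limit the vault to one subnet while still letting
# trusted Azure services (including the encryption service) reach it.
# The subnet resource ID is a placeholder.
# Update-AzKeyVaultNetworkRuleSet -VaultName $kvName -DefaultAction Deny -Bypass AzureServices `
#     -VirtualNetworkResourceId '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>'

# Step 2 - generate a software-protected RSA key (the portal default) that expires
# in one year, so key rotation is forced rather than forgotten.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software `
        -Expires (Get-Date).AddYears(1)

# Step 3 - encrypt OS and data disks together (VolumeType All). The key's
# .Key.Kid URL already contains the key version that the portal populates.
# Like the portal's Save, this reboots the VM after you confirm the prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $vmRg -VMName $vmName `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
        -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
        -VolumeType All

# Verification: OsVolumeEncrypted and DataVolumesEncrypted should both report
# "Encrypted" once the extension has finished and the VM is back up.
Get-AzVmDiskEncryptionStatus -ResourceGroupName $vmRg -VMName $vmName
```

Run this from a session where `Connect-AzAccount` has already been done with an identity that can create the vault and modify the VM. Passing the key URL with its version (`.Key.Kid`) pins the VM to that key version, so when you rotate the key later you must re-run `Set-AzVMDiskEncryptionExtension` with the new URL; checking `Get-AzVmDiskEncryptionStatus` after the reboot is the scripted equivalent of looking for the lock icon on the drives.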
