This article covers setting up Azure Disk Encryption (BitLocker) for an Azure Virtual Machine (VM) using Azure Key Vault. It includes a video demonstration that walks through the entire process using only the graphical user interface, then tests the encryption on a Windows Virtual Machine (VM).

Disk Encryption BitLocker


Video:

Steps covered in the above video:

  • Created Azure Active Directory App
  • Created Key for App
  • Created Azure Key Vault
  • Added permission for the Azure Active Directory App to the Key Vault
  • Created Azure Key Vault Encryption Key (KEK)
  • Uploaded my encryption certificate to an Azure Key Vault secret; this certificate was generated earlier, off screen
    • PowerShell commands used to create the self-signed certificate
      # Create a self-signed RSA 2048-bit certificate in the local machine store, valid for 60 months
      $Cert = New-SelfSignedCertificate -Subject "CN=Disk Encryption Cert" -CertStoreLocation "cert:\LocalMachine\My" -FriendlyName "<RG> - Disk Encryption Cert" -NotAfter (Get-Date).AddMonths(60) -KeyAlgorithm RSA -KeyLength 2048 -Type Custom
      # Export the certificate with its private key as a password-protected PFX for upload to Key Vault
      Export-PfxCertificate -Cert $Cert -Password (ConvertTo-SecureString "EncryptDisk101" -AsPlainText -Force) -FilePath .\<RG>_Diskencrypt.pfx -Force
  • Used the quickstart template to enable disk encryption for a running Virtual Machine (VM)
    https://github.com/Azure/azure-quickstart-templates/tree/master/201-encrypt-running-windows-vm
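The same sequence of steps scripted end to end, as an added example that is not part of the video or the quickstart template. It uses the Az PowerShell modules (which replaced the AzureRM-era cmdlets current when the video was recorded); every resource name, the app display name and the PFX path are placeholders, and the Azure AD property names ($app.AppId, $cred.SecretText) assume the Microsoft Graph based Az.Resources module (5.x or later).

```powershell
# Added example: the video's GUI steps as an Az PowerShell script.
# All names below are placeholders; adjust them for your own subscription.

$rgName      = 'MyResourceGroup'          # resource group holding the VM and the vault
$location    = 'westeurope'
$vmName      = 'MyWindowsVM'              # existing, running Windows VM to encrypt
$vaultName   = 'MyDiskEncVault'           # Key Vault names must be globally unique
$kekName     = 'MyKEK'                    # key encryption key (KEK) name
$certName    = 'MyDiskEncryptionCert'     # name of the certificate stored in the vault
$pfxPath     = '.\MyRG_Diskencrypt.pfx'   # PFX produced by Export-PfxCertificate above
$pfxPassword = Read-Host -AsSecureString 'PFX password'

Connect-AzAccount | Out-Null

# 1. Azure AD application and service principal the disk encryption extension signs in as.
$app = New-AzADApplication -DisplayName 'DiskEncryptionApp'
New-AzADServicePrincipal -ApplicationId $app.AppId | Out-Null

# 2. Key (client secret) for the app. Capture it now; it cannot be read back later.
$cred = New-AzADAppCredential -ApplicationId $app.AppId
$aadClientSecret = $cred.SecretText

# 3. Key Vault, flagged so the platform may read the BitLocker secret during VM boot.
$vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName `
    -Location $location -EnabledForDiskEncryption

# 4. Access policy for the app: only what disk encryption needs (wrap the BEK with the KEK,
#    write the wrapped BEK as a secret). No list/get/delete rights are granted.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
    -ServicePrincipalName $app.AppId -PermissionsToKeys wrapKey -PermissionsToSecrets set

# 5. Key encryption key. Software-protected here; use -Destination HSM on a Premium vault.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination Software

# 6. Upload the self-signed certificate created earlier.
Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName `
    -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 7. Enable encryption on the running VM (what the quickstart template does). The VM reboots.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $app.AppId -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# 8. Verify: OsVolumeEncrypted and DataVolumesEncrypted should report Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
```

Step 8 is the check worth keeping in any runbook: a VM reported as Encrypted by Get-AzVMDiskEncryptionStatus, with a KEK URL in its encryption settings, is the evidence that the BitLocker key is wrapped by a vault key rather than stored in the clear. Current versions of the extension no longer require the Azure AD application; omitting -AadClientID and -AadClientSecret in step 7 (and skipping steps 1, 2 and 4) is the simpler path for new deployments.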

Microsoft Azure article covering the steps referenced in the video

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption

Disk Encryption Series

http://hazelnest.com/blog/blog/tag/disk-encryption