This article covers setting up Azure Disk Encryption (BitLocker) for an Azure Virtual Machine (VM) using Azure Key Vault. The article includes a video demonstration going over the entire process using only graphical user interface and testing the encryption process on a Windows Virtual Machine (VM).

Disk Encryption BitLocker



Steps covered in the above video:

  • Created Azure Active Directory App
  • Created Key for App
  • Created Azure Key Vault
  • Added permission for the Azure Active Directory App to the Key Vault
  • Created Azure Key Vault Encryption Key (KEK)
  • Uploaded my encryption certificate to an Azure Key Vault secret; this certificate was generated earlier, off screen
    • PowerShell commands used to create the self-signed certificate
      # Create a 2048-bit RSA certificate in the local machine store, valid for 60 months
      $Cert = New-SelfSignedCertificate -Subject "CN=Disk Encryption Cert" -CertStoreLocation "cert:\LocalMachine\My" -FriendlyName "<RG> - Disk Encryption Cert" -NotAfter (Get-Date).AddMonths(60) -KeyAlgorithm RSA -KeyLength 2048 -Type Custom
      # Export the certificate with its private key as a password-protected PFX for upload to Key Vault
      Export-PfxCertificate -Cert $Cert -Password (ConvertTo-SecureString "EncryptDisk101" -AsPlainText -Force) -FilePath .\<RG>_Diskencrypt.pfx -Force
  • Used the quick start template to enable disk encryption on a running Virtual Machine (VM)
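The same workflow scripted with the Az PowerShell module, as an added example that is not from the video or the original post. It uses the newer Set-AzVMDiskEncryptionExtension path, which does not need the Azure Active Directory application created in the video; it assumes Connect-AzAccount has already been run and that the <RG>, <VM name> and <vault name> placeholders are replaced with your own values.

```powershell
# Added example, not the post's own commands. Placeholders must be replaced before running.
$rg     = '<RG>'            # resource group holding the VM (placeholder)
$vmName = '<VM name>'       # running Windows VM to encrypt (placeholder)
$kvName = '<vault name>'    # globally unique Key Vault name (placeholder)
$loc    = (Get-AzResourceGroup -Name $rg).Location

# 1. Key Vault in the same region as the VM, flagged so the Azure platform may
#    read the BitLocker secrets the extension stores in it.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc `
        -EnabledForDiskEncryption

# 2. Key Encryption Key (KEK) that wraps the per-VM BitLocker key.
#    Use -Destination HSM on a Premium vault if the key must never leave hardware.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'DiskEncryptionKEK' -Destination Software

# 3. Enable encryption of the OS and data volumes. This step restarts the VM,
#    so run it inside a maintenance window.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 4. Verify: both volume flags should read 'Encrypted' once the extension finishes.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

The status check is also what to alert on afterwards: a VM whose OsVolumeEncrypted drifts back to NotEncrypted has had the extension removed or the vault access broken.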

Microsoft Azure article covering the steps referenced in the video

Disk Encryption Series