This article covers my custom PowerShell automation scripts, used to set up Azure Disk Encryption (BitLocker) for an Azure Virtual Machine (VM) using Azure Key Vault. The article includes a video demonstration going over the entire process and testing the encryption process on a Windows Virtual Machine (VM).

Disk Encryption BitLocker

Video:

Steps covered in the above video:

Running the Initialize-AzureDiskEncryption.ps1 script, which automates the steps below:

  • Create Azure Active Directory App
  • Create Key for App
  • Create Azure Key Vault
  • Add permission for the Azure Active Directory App to the Key Vault
  • Generate a self-signed encryption certificate
  • Upload encryption certificate to the Azure Key Vault Secret
  • Create an Azure Key Vault Key Encryption Key (KEK)
  • Put a delete lock on the Key Vault resource

Running the Add-AzureDiskEncryptionWinVM.ps1 script, which automates the steps below:

  • Add Encryption certificate to VM’s local store
  • Enable disk encryption using disk encryption VM extension
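As an added example (not the author's Initialize-AzureDiskEncryption.ps1 or Add-AzureDiskEncryptionWinVM.ps1), the following PowerShell walks through the Key Vault and VM-extension steps from both lists with the AzureRM module (5.x or later, already logged in); the self-signed certificate steps are left out, and every resource name is a placeholder.

```powershell
# Added example: Azure AD app, Key Vault, KEK, delete lock and disk-encryption extension.
# Assumes Login-AzureRmAccount has already been run; all names below are placeholders.
$rg       = "rg-ade-demo"          # existing resource group
$location = "westus"
$vmName   = "ade-demo-vm"          # existing Windows VM
$vault    = "kv-ade-demo-0001"     # Key Vault names must be globally unique
$appName  = "ade-demo-app"

# 1. Create the Azure AD application and a random client secret for it.
#    The plaintext secret is needed by the extension call below; never log it.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$clientSecret = [Convert]::ToBase64String($bytes)
$securePw = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
$app = New-AzureRmADApplication -DisplayName $appName `
          -HomePage "https://$appName.example" -IdentifierUris "https://$appName.example" `
          -Password $securePw
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# 2. Create the Key Vault with disk-encryption support enabled.
$kv = New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg `
          -Location $location -EnabledForDiskEncryption

# 3. Grant the app only what ADE needs: wrap the BitLocker key with the KEK
#    and write the wrapped secret. No get/unwrap rights are granted.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $app.ApplicationId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# 4. Create the Key Encryption Key (KEK) in the vault.
$kek = Add-AzureKeyVaultKey -VaultName $vault -Name "ade-kek" -Destination Software

# 5. Lock the vault against deletion: losing it means losing access to the disks.
New-AzureRmResourceLock -LockName "kv-no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $rg -ResourceType "Microsoft.KeyVault/vaults" `
    -ResourceName $vault -Force

# 6. Enable BitLocker on the VM through the disk-encryption extension, KEK-wrapped.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $app.ApplicationId -AadClientSecret $clientSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 7. Verify: OsVolumeEncrypted and DataVolumesEncrypted should report "Encrypted".
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```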


Quick start template used to enable disk encryption for a running Virtual Machine (VM):

https://github.com/hhazeley/Azure-V2-Powershell-Scripts/tree/master/DiskEncryption

Microsoft Azure article covering the steps referenced in the video:

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption

Disk Encryption Series:

http://hazelnest.com/blog/blog/tag/disk-encryption