This article covers setting up Azure Disk Encryption (BitLocker) for an Azure Virtual Machine (VM) using Azure Key Vault. The article includes a video demonstration going over the entire process using only graphical user interface and testing the encryption process on a Windows Virtual Machine (VM).
Video:
Steps in the above video covers;
- Created Azure Active Directory App
- Created Key for App
- Created Azure Key Vault
- Added permission for the Azure Active Directory App to the Key Vault
- Created Azure Key Vault Encryption Key (KEK)
- Uploaded my encryption certificate to the Azure Key Vault Secret, this certificate was generated earlier off screen
- PowerShell commands used to create self-signed certificate
$Cert = New-SelfSignedCertificate -Subject "CN=Disk Encryption Cert" -CertStoreLocation "cert:\LocalMachine\My" -FriendlyName "<RG> - Disk Encryption Cert" -NotAfter (Get-Date).AddMonths(60) -KeyAlgorithm RSA -KeyLength 2048 -Type Custom Export-PfxCertificate -Cert $cert -Password (ConvertTo-SecureString "EncryptDisk101" -AsPlainText -Force) -FilePath .\<RG>_Diskencrypt.pfx -Force
- PowerShell commands used to create self-signed certificate
- Used quick start template to enable disk encryption for a running Virtual Machine (VM)
https://github.com/Azure/azure-quickstart-templates/tree/master/201-encrypt-running-windows-vm
Microsoft Azure article covering referencing steps in video
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption
Disk Encryption Series