In this Azure tutorial, we will look at the Azure virtual machine encryption option (Azure Disk Encryption) and see how to enable it on an Azure virtual machine (Azure VM).
We will also cover the topics below.
- Azure virtual machine encryption using PowerShell
- Azure VM encryption using Azure CLI
- Create a Key Vault needed for encryption using Azure CLI
- Encrypt the virtual machine using Azure CLI
- Azure Disk Encryption Requirements
- Are Azure virtual machines encrypted?
- Should virtual machines be encrypted?
Azure Disk Encryption protects the OS and data disks of a VM with BitLocker (Windows) or dm-crypt (Linux), with the encryption keys held in an Azure Key Vault that you control. This helps safeguard your data and meet your organization's security requirements.
This option is available for VMs on premium storage as well as standard storage.
This feature is not available for virtual machines with less than 2 GB of memory.
Azure virtual machine encryption
If you want to create a new virtual machine first, you can refer to my earlier post, How to Create Azure VM (Virtual Machine).
Once you have an Azure VM (Virtual Machine), follow the steps below to enable encryption for that VM in Azure.
How do I enable encryption on my Azure VM?
If you do not have an Azure subscription, you can sign up for a 30-day Azure free trial.
Step-1:
Login to https://portal.azure.com.
Step- 2:
Search for Virtual machines in the top search bar.

Step- 3:
You will see the list of VMs created in your Azure subscription, showing the VM name, Type, Status, Resource group, Location, etc.

Step- 4:
Now click on the VM name ("MyNewVM" in my case). You will be able to see the details of your virtual machine such as Public IP address, Status, Computer name, Operating system, Size, etc.

Step- 5:
In the left-hand menu of the VM page, select the Disks option under Settings.

Step- 6:
On the Disks screen, select the Encryption option.

Step- 7:
For Disks to encrypt, choose OS and data disks. Then click Select a key vault and key for encryption.

Step- 8:
In the Select key from Azure Key Vault window, select Create new.

Step- 9:
On the Create key vault screen, pick the same resource group you chose when creating the VM (the vault must be in the same subscription and region as the VM), and enter a name for the Key vault name option.

Step- 10:
On the Access Policies tab, check the Azure Disk Encryption for volume encryption box. This grants the Azure platform permission to read the disk encryption keys from the vault on behalf of the VM; without it the encryption extension cannot unlock the disks.

Step- 11:
Click on the Review + create button.
Step- 12:
Once it shows Validation passed, click the Create button.

Step- 13:
Click on the Select button.

Step- 14:
Now click on the Save button on the Encryption screen.

Step- 15:
It will warn that the VM must be restarted to apply encryption. Select Yes.

That completes all the steps. This is how you enable the Azure virtual machine encryption option from the portal.
Azure virtual machine encryption using PowerShell
We can also enable Azure virtual machine encryption on an existing VM using PowerShell.
Follow the steps below to do so.
Step- 1:
Connect to Azure with the following command:
Connect-AzAccount
Step- 2:
Now execute the PowerShell script below. It assumes the key vault and the key encryption key (KEK) already exist in the vault; the vault and resource group names must be the same throughout the script.
# Look up the key vault that will hold the disk encryption secrets
$myVault = Get-AzKeyVault -VaultName "myNewVault123" -ResourceGroupName "newresgroup";
$mydiskEncryption = $myVault.VaultUri;
$myResourceId = $myVault.ResourceId;
# URL of the key encryption key (KEK) used to wrap the BitLocker volume keys
$mykeyEncryption123 = (Get-AzKeyVaultKey -VaultName "myNewVault123" -Name "name123").Key.kid;
# Enable the encryption extension on the VM (triggers a reboot)
Set-AzVMDiskEncryptionExtension -ResourceGroupName "newresgroup" `
    -VMName "MyNewVM" `
    -DiskEncryptionKeyVaultUrl $mydiskEncryption `
    -DiskEncryptionKeyVaultId $myResourceId `
    -KeyEncryptionKeyUrl $mykeyEncryption123 `
    -KeyEncryptionKeyVaultId $myResourceId
Step- 3:
You will see a warning that the virtual machine needs to be rebooted. Type Y to start the process.
This is how we can enable encryption on Azure virtual machines using PowerShell.
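The script above assumes the vault and KEK are already in place. The following is an added example (not part of the original tutorial) that does the whole job end to end in Az PowerShell: it creates the vault with disk encryption enabled if needed, creates the KEK, enables encryption on OS and data disks, and then verifies the result. All resource names are assumptions; replace them with your own.

```powershell
# Added example (not from the original tutorial): end-to-end Azure Disk Encryption of an
# existing VM with a key encryption key (KEK). All names below are assumptions.
$ResourceGroup = "newresgroup"
$VMName        = "MyNewVM"
$VaultName     = "myNewVault123"   # key vault names must be globally unique
$KekName       = "name123"

Connect-AzAccount | Out-Null

# The vault must be in the same subscription and region as the VM (an ADE requirement),
# so take the region from the VM instead of hard-coding it.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName

# Create the vault if it does not exist. -EnabledForDiskEncryption is what the portal's
# "Azure Disk Encryption for volume encryption" checkbox sets: it lets the platform read
# the disk encryption keys from the vault on behalf of the VM.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup `
        -Location $vm.Location -EnabledForDiskEncryption
}
elseif (-not $vault.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup -EnabledForDiskEncryption
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
}

# The KEK is an RSA key that wraps the BitLocker volume keys stored in the vault.
# "Software" creates a software-protected key; use "HSM" for an HSM-backed key.
$kek = Get-AzKeyVaultKey -VaultName $VaultName -Name $KekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $VaultName -Name $KekName -Destination Software
}

# -VolumeType All matches the portal's "OS and data disks" choice. -Force suppresses the
# reboot confirmation prompt; the VM is still restarted while the extension is applied.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Key.Kid `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType All -Force

# Verify: the OS volume should report "Encrypted"; data volumes report "NotMounted"
# when the VM has no data disks attached.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VMName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted | Format-List
if ($status.OsVolumeEncrypted -ne "Encrypted") {
    Write-Warning "OS disk of $VMName is not reported as encrypted: $($status.OsVolumeEncrypted)"
}
```

Passing a KEK is optional, but it is the recommended configuration: the BitLocker keys written to the vault are then wrapped by a key that never leaves Key Vault, and rotating the KEK does not require re-encrypting the disks.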
Azure virtual machine encryption using Azure CLI
Let's look at how to do the same for an existing VM using Azure CLI.
Create a Key Vault needed for encryption using Azure CLI
Execute the following command in Azure CLI. The --enabled-for-disk-encryption flag is the CLI equivalent of the portal's Azure Disk Encryption for volume encryption checkbox.
az keyvault create --name "myKeyVault" --resource-group "newresgroup" --location westus --enabled-for-disk-encryption
The key vault name must be globally unique, so choose your own name here. The vault must also be in the same region as the VM you are going to encrypt.
Encrypt the virtual machine using Azure CLI
Now we can encrypt the Azure virtual machine using Azure CLI.
Execute the following command in Azure CLI:
az vm encryption enable -g newresgroup --name MyNewVM --disk-encryption-keyvault myKeyVault
Without the --key-encryption-key option the disk encryption keys are stored in the vault as secrets without a KEK wrapping them; add --key-encryption-key with the name or ID of a Key Vault key if you want them wrapped.
To verify that encryption is enabled for the VM, execute:
az vm encryption show --name MyNewVM -g newresgroup
This reports the encryption status of the OS and data disks. This is how you can do Azure VM encryption using Azure CLI for an existing VM.
Azure Disk Encryption Requirements
Below is the list of requirements that must be met to enable Azure Disk Encryption for your Azure virtual machines.
- The virtual machine must be Generation 1 or Generation 2. Azure Disk Encryption is supported on Generation 1 and Generation 2 virtual machines, but not on Basic tier or A-series VM sizes.
- The virtual machine must have at least 2 GB of memory; VMs with less than 2 GB are not supported.
- For Windows VMs, the operating system must be Windows 8 or later, Windows Server 2008 R2 or later, or Windows 10 Enterprise multi-session. Supported Linux distributions are encrypted with dm-crypt instead of BitLocker.
- Another important point is that your Azure virtual machine and your key vault must belong to the same subscription and the same Azure region.
- Make sure any custom group policy settings for BitLocker are compatible with Azure Disk Encryption on your virtual machine.
- Your virtual machine must be able to reach the Azure AD (AAD) endpoint, the Key Vault endpoint and the Azure Storage endpoint.
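Most of these requirements can be checked from an operator workstation before you trigger the reboot. The function below is an added example (not part of the original tutorial) that checks the memory size, region, subscription and vault access policy requirements for a given VM and vault; resource names in the usage line are assumptions.

```powershell
# Added example (not from the original tutorial): pre-flight checks for the Azure Disk
# Encryption requirements listed above. Resource names are assumptions; replace them.
function Test-AdeReadiness {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $VaultResourceGroup
    )

    $vm    = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup
    $problems = @()

    # Memory: ADE is not supported on VMs with less than 2 GB of RAM.
    $size = Get-AzVMSize -Location $vm.Location |
        Where-Object { $_.Name -eq $vm.HardwareProfile.VmSize }
    if (-not $size -or $size.MemoryInMB -lt 2048) {
        $problems += "VM size $($vm.HardwareProfile.VmSize) has $($size.MemoryInMB) MB RAM; ADE needs at least 2 GB."
    }

    # Same region: the vault and the VM must be in the same Azure region.
    if ($vm.Location -ne $vault.Location) {
        $problems += "VM is in $($vm.Location) but the vault is in $($vault.Location)."
    }

    # Same subscription: resource IDs look like /subscriptions/<id>/resourceGroups/...,
    # so the subscription is the third segment after splitting on '/'.
    $vmSub    = ($vm.Id            -split '/')[2]
    $vaultSub = ($vault.ResourceId -split '/')[2]
    if ($vmSub -ne $vaultSub) {
        $problems += "VM ($vmSub) and vault ($vaultSub) are in different subscriptions."
    }

    # Access policy: the vault must be enabled for disk encryption
    # (portal: "Azure Disk Encryption for volume encryption").
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += "Vault $VaultName is not enabled for disk encryption."
    }

    # OS: report the image so the guest OS version can be checked against the supported
    # list (BitLocker on Windows, dm-crypt on Linux). Endpoint reachability (AAD, Key Vault,
    # Storage) has to be tested from inside the guest and is not covered here.
    $img = $vm.StorageProfile.ImageReference
    [pscustomobject]@{
        VM       = $VMName
        OsType   = $vm.StorageProfile.OsDisk.OsType
        Image    = "$($img.Publisher)/$($img.Offer)/$($img.Sku)"
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (assumed names):
# Connect-AzAccount
# Test-AdeReadiness -ResourceGroup newresgroup -VMName MyNewVM `
#     -VaultName myNewVault123 -VaultResourceGroup newresgroup
```

If Ready comes back $false, fix the listed problems (resize the VM, recreate the vault in the right region, or run Set-AzKeyVaultAccessPolicy -EnabledForDiskEncryption) before running Set-AzVMDiskEncryptionExtension, since a failed encryption attempt still reboots the VM.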
Are Azure virtual machines encrypted?
Partly. All Azure managed disks are encrypted at rest by default with Azure Storage encryption (server-side encryption using platform-managed keys), which protects the data on the storage back end. Azure Disk Encryption adds a second layer inside the guest (BitLocker or dm-crypt) with keys held in your own Key Vault, so the disk contents are unreadable even if the VHD itself is copied.
Should virtual machines be encrypted?
Yes. Encrypting your virtual machine disks helps safeguard your application and data, and many compliance frameworks require encryption at rest with customer-controlled keys.
Conclusion
In this Azure tutorial, we discussed how to enable Azure virtual machine encryption from the portal, using PowerShell, and using Azure CLI (including creating the key vault needed for encryption), along with the Azure Disk Encryption requirements and whether Azure virtual machines are, and should be, encrypted.
Hope you have enjoyed this article!