How to enable Azure virtual machine encryption

In this Azure tutorial, we will discuss the Azure virtual machine encryption option. We will see how to enable encryption on an Azure virtual machine (Azure VM).

We will also cover the following topics.

  • Azure virtual machine encryption using PowerShell
  • Azure VM encryption using Azure CLI
  • Create a Key Vault needed for encryption using Azure CLI
  • Encrypt the virtual machine using Azure CLI

This Azure encryption option for the VM helps you protect and safeguard your data to meet your organizational security requirements.

This option is available for VMs with premium storage.

This feature is not available for virtual machines with less than 2 GB of memory.

Azure virtual machine encryption

If you want to create a new virtual machine, you can refer to my last blog, How to Create Azure VM (Virtual Machine).

Once you have created an Azure VM (Virtual Machine), you can follow the steps below to use the encryption option for your VM in Azure.

If you do not have an Azure subscription, you can sign up for a 30-day Azure free trial.

Step-1: 

Login to https://portal.azure.com.

Step- 2: 

 Search for Virtual machines there.

Step- 3: 

You will see the list of VMs created in your Azure subscription. It will show the VM name, Type, Status, ResourceGroup, Location, etc.

Step- 4: 

Now click on the VM name, “MyNewVM” in my case. You will be able to see the details of your virtual machine, such as Public IP address, Status, Computer name, Operating system, Size, etc.

Step- 5:

Now, from the left-side menu of the Overview tab, select the Disks option under Settings.

Step- 6:

On the Disks screen, select the Encryption option.

Step- 7:

Set the Disks to encrypt option to OS and data disks. Then click on Select a key vault and key for encryption.

Step- 8:

Now, in the Select key from Azure Key Vault window, select Create new.

Step- 9:

On the Create key vault screen, make sure the resource group is the same one you chose while creating the VM, and give the key vault a name in the Key vault name option.

Step- 10:

On the Access Policies tab, check the Azure Disk Encryption for volume encryption box.

Step- 11:

Click on the Review + create button.

Step- 12:

Now it will show you Validation passed. Click on the Create button.

Step- 13:

Click on the Select button.

Step- 14:

Now click on the Save button on the Encryption screen.

Step- 15:

Now it will ask you to reboot the VM. Select Yes.

Now you are done with all the steps. This is how you can set the Azure virtual machine encryption option.

Azure virtual machine encryption using PowerShell

We can also use PowerShell to enable Azure virtual machine encryption on an existing VM.

Follow the steps below to do so.

Step- 1:

Connect to Azure. You can use the command below.

Connect-AzAccount

Step- 2:

Now you can execute the PowerShell script below.

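# Sample names from this tutorial; the key vault and the key must already exist.
$resourceGroup = "newresgroup"
$vaultName = "myNewVault123"

$myVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
# URL and resource ID of the vault that stores the disk encryption secret
$mydiskEncryption = $myVault.VaultUri
$myResourceId = $myVault.ResourceId
# URL of the key encryption key that wraps the disk encryption secret
$mykeyEncryption123 = (Get-AzKeyVaultKey -VaultName $vaultName -Name "name123").Key.Kid

Set-AzVMDiskEncryptionExtension -ResourceGroupName $resourceGroup `
    -VMName "MyNewVM" `
    -DiskEncryptionKeyVaultUrl $mydiskEncryption `
    -DiskEncryptionKeyVaultId $myResourceId `
    -KeyEncryptionKeyUrl $mykeyEncryption123 `
    -KeyEncryptionKeyVaultId $myResourceId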

Step- 3:

You will now see a warning message that the virtual machine needs to be rebooted. Type Y to start the process.

This is how we can enable Azure virtual machine encryption using PowerShell.
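
The script below is an added example, not part of the original tutorial. It checks the prerequisites this page mentions (a vault enabled for disk encryption, a VM size with at least 2 GB of memory) before encryption is enabled, and reads the encryption status afterwards. The function name Test-AdePrerequisite is hypothetical, the resource names are the tutorial's sample values, and the region check reflects an Azure Disk Encryption requirement that the tutorial does not state.

```powershell
# Added example, not from the original tutorial. Names are the tutorial's
# sample values; requires the Az module and a prior Connect-AzAccount.
function Test-AdePrerequisite {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $VaultName
    )
    $vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -ErrorAction Stop
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault) { throw "Key vault '$VaultName' not found in '$ResourceGroupName'." }

    $problems = @()
    # Portal step 10 / --enabled-for-disk-encryption: Azure Disk Encryption can
    # only retrieve secrets from the vault when this flag is set.
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += "Vault '$VaultName' is not enabled for Azure Disk Encryption."
    }
    # Not stated in the tutorial: the vault must be in the same region as the VM.
    $vaultRegion = $vault.Location -replace '\s', ''
    $vmRegion    = $vm.Location -replace '\s', ''
    if ($vaultRegion -ne $vmRegion) {
        $problems += "Vault region '$vaultRegion' differs from VM region '$vmRegion'."
    }
    # Tutorial's limit: sizes with less than 2 GB of memory are not supported.
    $size = Get-AzVMSize -Location $vm.Location |
        Where-Object { $_.Name -eq $vm.HardwareProfile.VmSize }
    if ($size -and $size.MemoryInMB -lt 2048) {
        $problems += "Size $($size.Name) has only $($size.MemoryInMB) MB of memory."
    }
    return ,$problems
}

$rg = "newresgroup"; $vmName = "MyNewVM"; $vaultName = "myNewVault123"
$problems = Test-AdePrerequisite -ResourceGroupName $rg -VMName $vmName -VaultName $vaultName
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Resolve the issues above before running Set-AzVMDiskEncryptionExtension."
}

# Current state; run again after the extension finishes and the VM reboots.
# Both values should then read 'Encrypted'.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
"OS volume:    $($status.OsVolumeEncrypted)"
"Data volumes: $($status.DataVolumesEncrypted)"
```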

Azure virtual machine encryption using Azure CLI

Let’s discuss how to do this using the Azure CLI for an existing VM.

Create a Key Vault needed for encryption using Azure CLI

You can execute the following command in your Azure CLI.

az keyvault create --name "myKeyVault" --resource-group "newresgroup" --location westus --enabled-for-disk-encryption

The name of the key vault should be unique. Give it a proper name.

Encrypt the virtual machine using Azure CLI

Now we can encrypt the Azure virtual machine using the Azure CLI.

You can execute the following command in your Azure CLI.

az vm encryption enable -g newresgroup --name MyNewVM --disk-encryption-keyvault myKeyVault

Now, if you want to verify whether the encryption option is enabled for your VM, you can execute the following command in your Azure CLI.

az vm show --name MyNewVM -g newresgroup

This is how you can do Azure VM encryption using the Azure CLI for an existing VM.

Conclusion

In this Azure tutorial, we discussed:

  • Azure virtual machine encryption using PowerShell
  • Azure VM encryption using Azure CLI
  • Create a Key Vault needed for encryption using Azure CLI
  • Encrypt the virtual machine using Azure CLI
