Azure lets you encrypt the disks of a Windows virtual machine. The disks are encrypted with cryptographic keys that are protected in Azure Key Vault; these keys remain under your control and their use can be audited. Virtual disks in Windows virtual machines are encrypted at rest using BitLocker. There is no charge for encrypting virtual disks in Azure.

Encryption cannot be enabled from the Azure portal alone. Instead, a series of resources must be created in the Azure portal, and encryption is then configured and enabled through PowerShell. Below I show how to do it.

Create Azure Key Vault

In the Azure portal search box, we look for Key Vault and select the resource.

We create a new Key Vault.

We configure Name, Subscription, Resource group (it must be the same resource group as the VM whose disks we want to encrypt), Location and Pricing tier (we select Standard). Click Create.


Create app registration.

In the Azure portal search box, we look for App registrations and select the resource.

We create a new app registration.

We configure Name and Application type (we leave the default, Web app / API). In Sign-on URL we enter https://<name of our app registration>.net.


Create the client secret (encrypted secret key).

In the app registration we have just created, we select Settings.

We select Keys. We define a description for the key, an expiration date and a password in the Value field.

We save the configuration and the Value field changes to the generated secret key, which we must copy and keep, because once we leave that screen it will not be shown again.


Access policy

We go back to our Key Vault, in my case pruebavault.

In Settings, we select Access policies and add a new one.

Under Select principal, we search for the app registration created in step 4. We select all key, secret and certificate permissions. We create the access policy and save.

Enable encryption with PowerShell

Encryption is enabled with the following script (AzureRM module). The first five lines hold the values to adapt to your environment:

$rgName = 'resource group name'
$vmName = 'virtual machine name'
$KeyVaultName = 'vfkey0'
$aadClientID = 'application ID of the app registration created above'
$aadClientSecret = 'client secret created above'

# Look up the vault and the URL / resource ID that the encryption extension needs
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgName;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
# Grant the app registration access to the vault's keys and secrets, then allow the Azure platform to read disk-encryption secrets from the vault
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all -ResourceGroupName $rgName;
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $rgName -EnabledForDiskEncryption
# Install the disk encryption extension on the VM, authenticating with the app registration
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;

The only values we need to modify in the script are those five variables ($rgName, $vmName, $KeyVaultName, $aadClientID and $aadClientSecret); everything else is left as is.

Once the script is configured, we save the Notepad file with the .ps1 extension, connect to our Azure subscription from PowerShell and run the script. The process takes a few minutes. When it finishes, a screen similar to this one is shown:
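As an added example (not part of the original post), the following PowerShell checks confirm the result of the procedure above: that the VM's volumes report as encrypted, that the vault is still enabled for disk encryption, which permissions the app registration actually holds on the vault, when its client secret expires, and whether vault access is being logged so that key use can be audited as the introduction promises. It assumes the same session variables as the script ($rgName, $vmName, $KeyVaultName, $aadClientID), the AzureRM module and an active Login-AzureRmAccount session.

```powershell
# Added verification example; assumes $rgName, $vmName, $KeyVaultName and
# $aadClientID are set as in the script above and that you are logged in.

# 1. Encryption status of the VM: both volumes should report "Encrypted".
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
"OS volume:    {0}" -f $status.OsVolumeEncrypted
"Data volumes: {0}" -f $status.DataVolumesEncrypted
if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    Write-Warning "OS volume is not reported as Encrypted yet; BitLocker may still be running."
}

# 2. The vault must stay enabled for disk encryption, otherwise the VM cannot
#    retrieve its BitLocker secret from Key Vault at boot.
$kv = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgName
if (-not $kv.EnabledForDiskEncryption) {
    Write-Warning "Key Vault $KeyVaultName is not enabled for disk encryption."
}

# 3. List exactly which permissions the app registration holds on the vault.
#    The script grants 'all' on keys and secrets; showing them makes the scope
#    easy to review and reduce later.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $aadClientID
$kv.AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates

# 4. The client secret carries the expiration date chosen in the portal; warn
#    when it lapses within 30 days, since later encryption operations need it.
Get-AzureRmADAppCredential -ApplicationId $aadClientID |
    Where-Object { $_.EndDate -lt (Get-Date).AddDays(30) } |
    ForEach-Object { Write-Warning ("App credential {0} expires on {1}" -f $_.KeyId, $_.EndDate) }

# 5. Vault use is only auditable if diagnostic logging is on: check that the
#    AuditEvent category is enabled for this vault.
$diag = Get-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -ErrorAction SilentlyContinue
$audit = $diag.Logs | Where-Object { $_.Category -eq 'AuditEvent' -and $_.Enabled }
if (-not $audit) {
    Write-Warning "AuditEvent logging is not enabled on $KeyVaultName; key and secret access will not be audited."
}
```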