How to encrypt your Windows virtual machine disk in Azure with PowerShell

David Lee
2 min read · Dec 15, 2019

Microsoft recommends that disk encryption be enabled for Virtual Machines hosted in Azure, which protects against unauthorized access to the disk's contents in case the disk is copied. I have an existing Windows Virtual Machine in my Azure Subscription which I created recently, and I wanted to follow this recommendation. I also have an existing Azure Key Vault, which is a prerequisite for disk encryption.

I recommend using Azure cloud shell for running all your commands.

Step 1: Enable Disk Encryption on Azure Key Vault

Execute the following command to determine whether Disk Encryption is enabled on your Azure Key Vault.

Get-AzKeyVault -VaultName "<KeyVaultName>" -ResourceGroupName "<ResourceGroupName>"

Take note of the “Enable for Disk Encryption” flag.

If it is set to False, run the following command to enable it.

Set-AzKeyVaultAccessPolicy -VaultName "<KeyVaultName>" -ResourceGroupName "<ResourceGroupName>" -EnabledForDiskEncryption

Step 2: Enable Disk Encryption Extension on your Windows virtual machine

Next, execute the following command to determine whether Disk Encryption is enabled on your Azure virtual machine.

Get-AzVmDiskEncryptionStatus -VMName "<VMName>" -ResourceGroupName "<ResourceGroupName>"

Take note of the encryption status of both the OS volume and the data volumes.

If it is set to NotEncrypted, run the following commands to enable it.

$keyVault = Get-AzKeyVault -VaultName "<KeyVaultName>" -ResourceGroupName "<ResourceGroupName>"

Set-AzVMDiskEncryptionExtension -ResourceGroupName "<ResourceGroupName>" -VMName "<VMName>" -DiskEncryptionKeyVaultUrl $keyVault.VaultUri -DiskEncryptionKeyVaultId $keyVault.ResourceId

You may get the following prompt. Type Y to continue.

This cmdlet prepares the VM and enables encryption which may reboot the machine and takes 10–15 minutes to finish. Please save your work on the VM before confirming. Do you want to continue?

After several minutes, your disk will be encrypted.

You can run Get-AzVMDiskEncryptionStatus again to confirm that the OS volume and data volumes now report Encrypted.
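The two steps above, combined into one idempotent script as an added example (this is not the author's script, and not part of Microsoft's documentation). It assumes the same placeholder names used in the post (`<KeyVaultName>`, `<ResourceGroupName>`, `<VMName>`) and an Az PowerShell session that is already signed in to the subscription. It only enables the Key Vault access policy and the VM extension when the checks show they are missing, and it polls the encryption status afterwards instead of assuming the job finished.

```powershell
# Added example, not the author's script. Replace the placeholders before running.
$vaultName     = "<KeyVaultName>"
$resourceGroup = "<ResourceGroupName>"
$vmName        = "<VMName>"

# Step 1: the Key Vault must be enabled for disk encryption, otherwise the VM
# extension cannot store the BitLocker key material in it.
$keyVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
if (-not $keyVault) {
    throw "Key Vault '$vaultName' not found in resource group '$resourceGroup'."
}
if (-not $keyVault.EnabledForDiskEncryption) {
    Write-Host "Enabling the disk-encryption access policy on $vaultName"
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup -EnabledForDiskEncryption
    # Re-read the vault so the flag reflects the change
    $keyVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
}

# Step 2: check the current status before touching the VM.
# DataVolumesEncrypted reports NotMounted when the VM has no data disks.
$status = Get-AzVMDiskEncryptionStatus -VMName $vmName -ResourceGroupName $resourceGroup
Write-Host ("Before: OS volume = {0}; data volumes = {1}" -f $status.OsVolumeEncrypted, $status.DataVolumesEncrypted)

if ($status.OsVolumeEncrypted -eq "Encrypted") {
    Write-Host "OS volume is already encrypted; nothing to do."
    return
}

# Enabling the extension may reboot the VM and takes 10-15 minutes (the cmdlet's
# own prompt says so). -Force suppresses that interactive Y/N confirmation for
# unattended runs; omit it to see the prompt shown in the post.
Set-AzVMDiskEncryptionExtension `
    -ResourceGroupName $resourceGroup `
    -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $keyVault.VaultUri `
    -DiskEncryptionKeyVaultId $keyVault.ResourceId `
    -Force

# Verify: poll the status until the OS volume reports Encrypted, for at most 20 minutes
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 60
    $status = Get-AzVMDiskEncryptionStatus -VMName $vmName -ResourceGroupName $resourceGroup
    Write-Host ("{0}  OS: {1}  Data: {2}" -f (Get-Date -Format "HH:mm:ss"), $status.OsVolumeEncrypted, $status.DataVolumesEncrypted)
} while ($status.OsVolumeEncrypted -ne "Encrypted" -and (Get-Date) -lt $deadline)

if ($status.OsVolumeEncrypted -ne "Encrypted") {
    Write-Warning "OS volume still reports '$($status.OsVolumeEncrypted)'; check the AzureDiskEncryption extension on the VM before assuming the disk is protected."
} else {
    Write-Host "OS volume is encrypted."
}
```

Run it from Azure Cloud Shell, as the post recommends, and save any open work on the VM first: the reboot triggered by Set-AzVMDiskEncryptionExtension happens with or without -Force. The polling loop matters because the cmdlet returns before the in-guest BitLocker pass completes, so a single status check immediately afterwards can still show NotEncrypted.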

That’s it. Happy coding!
