Encrypt Virtual Machine Using Azure Key Vault.

What is Azure Key Vault?

Azure Key Vault helps us safeguard the cryptographic keys and secrets used by cloud applications and services. We can use Key Vault to store keys and secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords. Key Vault streamlines the key management process and lets you keep control of the keys that access and encrypt your data.

Let's look at how we can use Key Vault to encrypt an Azure VM.

First we have to create an Azure Key Vault. For this demo I use PowerShell (the AzureRm module); the portal works as an alternative.

#Define variables

$keyVaultName = 'KVcontoso'
$RGName = 'KeyVault'
$location = 'Southeast Asia'
# Client secret for the AAD app. It is hard-coded here only for the demo;
# in practice keep it out of scripts and rotate it after use.
$aadClientSecret = 'contosoClientSec'
$appDisplayName = 'contosoEncryptApp'

#Create New RG
New-AzureRmResourceGroup -Name $RGName -Location $location

#Create Key Vault
New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $RGName -Location $location 


When the vault is created, the account that creates it is granted an access policy on it. Those permissions can be changed later as our requirements dictate.


Next we have to enable the vault for disk encryption. This flag lets the Azure Disk Encryption service retrieve secrets from the vault.

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $RGName -EnabledForDiskEncryption

Let's verify that it is enabled:

Get-AzureRmKeyVault -VaultName $keyVaultName


The same setting as shown in the portal:


Next, register an Azure AD (AAD) application. The disk encryption extension uses this application's client ID and secret to authenticate to Key Vault and write the encryption secrets.

For -HomePage and -IdentifierUris we can use any meaningful URI; they only need to be unique within the tenant.

$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName -HomePage 'http://homeEcryptApp' -IdentifierUris 'http://uriContosoEncryptApp' -Password $aadClientSecret


Let's check Azure AD for the app registration:


Next we need to assign Key Vault permissions to the newly created app. Note that the command below grants the app all key and secret permissions; Azure Disk Encryption itself only needs to set secrets (and wrap keys when a key encryption key is used), so a tighter policy is preferable outside a demo.

$appID = $aadApp.ApplicationId
$aadServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $appID
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $appID -PermissionsToKeys all -PermissionsToSecrets all
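The following is an added example, not code from the original post, showing the least-privilege version of that access policy and a check of what the vault actually holds afterwards. It assumes $keyVaultName, $RGName, $appID and $aadServicePrincipal are defined as in the steps above, and that Set-AzureRmKeyVaultAccessPolicy replaces (rather than adds to) the principal's existing permission set.

```powershell
# Added example (not from the original post): grant the encryption app only the
# Key Vault rights Azure Disk Encryption needs, then verify the resulting policy.
# Assumes $keyVaultName, $RGName, $appID and $aadServicePrincipal from the steps above.

# Azure Disk Encryption writes the BitLocker key (BEK) to the vault as a secret and,
# when a key encryption key (KEK) is used, wraps it with that key. Nothing else is
# required, so 'all' on keys and secrets is far more than the extension needs.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $RGName `
    -ServicePrincipalName $appID `
    -PermissionsToKeys 'WrapKey' `
    -PermissionsToSecrets 'Set'

# The minimal permission set we expect to see on the app's policy.
$minimalKeys    = @('wrapKey')
$minimalSecrets = @('set')

# Read the vault back and locate the policy for the service principal's object ID.
$vault     = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $RGName
$appPolicy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $aadServicePrincipal.Id }

if (-not $appPolicy) {
    Write-Warning "No access policy found for service principal $($aadServicePrincipal.Id)"
}
else {
    # Anything beyond the minimal set is surfaced for review (comparison is case-insensitive).
    $extraKeys    = $appPolicy.PermissionsToKeys    | Where-Object { $_ -notin $minimalKeys }
    $extraSecrets = $appPolicy.PermissionsToSecrets | Where-Object { $_ -notin $minimalSecrets }

    'Keys:    [{0}]' -f ($appPolicy.PermissionsToKeys    -join ', ')
    'Secrets: [{0}]' -f ($appPolicy.PermissionsToSecrets -join ', ')
    if ($extraKeys -or $extraSecrets) {
        Write-Warning ('Policy exceeds least privilege. Extra keys: [{0}] extra secrets: [{1}]' -f `
            ($extraKeys -join ', '), ($extraSecrets -join ', '))
    }
    else {
        'Access policy is at least privilege for disk encryption.'
    }
}
```

Run this after the app has been granted access; if you had already applied the 'all' policy from the post, the first command overwrites it with the narrower set and the check should report no extra permissions.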


Let's deploy an Azure VM (named keyvaultvm in this demo, in the same resource group) and enable disk encryption for its OS disk.

The VM's disk status before encryption:


Now we'll enable drive encryption. In the following code I declare the additional variables required for encryption and then apply the disk encryption extension.

#Encrypt OS disk

$keyvault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $RGName
$keyVaultURI = $keyvault.VaultUri      # vault URL, e.g. https://kvcontoso.vault.azure.net/
$keyvaultRID = $keyvault.ResourceId    # full ARM resource ID of the vault
# No key encryption key (KEK) is used in this demo, so the BitLocker key is stored
# in the vault as a plain secret rather than wrapped with a vault key.
$vmName = (Get-AzureRmVM -ResourceGroupName $RGName -Name keyvaultvm).Name

# -VolumeType OS limits encryption to the OS disk (the default on Windows is All).
# The extension authenticates to the vault with the AAD app created earlier.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $vmName -AadClientID $aadApp.ApplicationId -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $keyVaultURI -DiskEncryptionKeyVaultId $keyvaultRID -VolumeType 'OS' -Verbose

You will get a confirmation prompt when enabling encryption, because the operation restarts the VM. It takes about 10-15 minutes to complete.

If the encryption succeeds you will get the following output:

Now let's look inside the VM and verify that the OS disk is encrypted.
As you can see above, the disk is encrypted using BitLocker. Let's also check in the portal that the secret holding the BitLocker key has been created in the vault for this VM.
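The same verification done in PowerShell rather than by screenshot, as an added example that is not part of the original post. It checks the result from three angles: the extension's reported status, the secret in the vault, and BitLocker inside the guest. It assumes $RGName, $vmName and $keyVaultName from the steps above; the MachineName tag used to match the secret to the VM is an assumption about how the extension tags what it stores.

```powershell
# Added example (not from the original post): verify the encryption from three angles.
# Assumes $RGName, $vmName and $keyVaultName from the steps above.

# 1. Ask the platform: the extension reports OS and data volume status separately.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $RGName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings

if ("$($status.OsVolumeEncrypted)" -ne 'Encrypted') {
    Write-Warning "OS volume status is '$($status.OsVolumeEncrypted)', not 'Encrypted'"
}

# 2. Ask the vault: the BitLocker key (BEK) is stored as a secret. Listing the vault
#    without -Name returns identity items only (name, tags, timestamps), never the
#    secret value, which is all this check needs. The 'MachineName' tag is assumed.
$bekSecrets = Get-AzureRmKeyVaultSecret -VaultName $keyVaultName |
    Where-Object { $_.Tags -and $_.Tags['MachineName'] -eq $vmName }

if (-not $bekSecrets) {
    Write-Warning "No secret tagged for VM '$vmName' found in vault '$keyVaultName'"
}
else {
    $bekSecrets | Select-Object Name, Created, Enabled,
        @{ n = 'Tags'; e = { ($_.Tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ' } }
}

# 3. Inside the guest (run this from an elevated PowerShell session on the VM, not from
#    the management workstation): BitLocker should report the OS volume fully encrypted
#    with protection on, using an external key protector (the BEK held in the vault).
Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ' } }
```

Steps 1 and 2 run from the management workstation with the AzureRm session already signed in; step 3 is in-guest only. A VM that shows Encrypted in step 1 but has no matching secret in step 2 usually means the extension wrote the key to a different vault than the one you are checking.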