Introduction

Here is a small tutorial on encrypting a Microsoft Azure virtual machine disk.

Preparing the Azure Virtual Machine

Enable the Azure Key Vault provider within your Azure subscription.

$ az provider register -n Microsoft.KeyVault

Create a resource group in your preferred location (keep in mind that available features vary by location, and some VM sizes are not offered in every location).

$ az group create \
	--name testResourceGroup \
	--location centralus

Create an Azure Key Vault and enable the Key Vault for use with disk encryption.

$ az keyvault create \
	--name testKeyVault \
	--resource-group testResourceGroup \
	--location centralus \
	--enabled-for-disk-encryption True

Create a cryptographic key in your Key Vault.

$ az keyvault key create \
	--vault-name testKeyVault \
	--name testKey \
	--protection software

Create a service principal in Azure Active Directory; it is the identity that authenticates to Key Vault and handles the exchange of the cryptographic keys. The appId and password printed by the command are the values used below as $sp_id and $sp_password.

$ az ad sp create-for-rbac

Set permissions on your Key Vault.

$ az keyvault set-policy \
	--name testKeyVault \
	--spn $sp_id \
	--key-permissions wrapKey \
	--secret-permissions set

Create a VM and attach a 10 GB data disk. Keep in mind that only certain marketplace images support disk encryption.

$ az vm create \
	--resource-group testResourceGroup \
	--name testVM \
	--image UbuntuLTS \
	--admin-username azureuser \
	--generate-ssh-keys \
	--data-disk-sizes-gb 10

SSH to your VM using the publicIpAddress shown in the output of the preceding command, then create a partition and filesystem on the data disk and mount it. With the data disk mounted, start encrypting your VM.

$ az vm encryption enable \
	--resource-group testResourceGroup \
	--name testVM \
	--aad-client-id $sp_id \
	--aad-client-secret $sp_password \
	--disk-encryption-keyvault testKeyVault \
	--key-encryption-key testKey \
	--volume-type all

The encryption process takes some time to complete. You can monitor its status with the following command; at first it reports EncryptionInProgress:

$ az vm encryption show \
	--resource-group testResourceGroup \
	--name testVM

When the status for the OS disk reports VMRestartPending, restart your virtual machine.

$ az vm restart \
	--resource-group testResourceGroup \
	--name testVM

The disk encryption process is finalized during the boot process, so wait a few minutes before checking the encryption status again. It should then report both the OS disk and the data disk as Encrypted.

$ az vm encryption show \
	--resource-group testResourceGroup \
	--name testVM
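
The steps from the service principal onwards, scripted, as an added example that is not part of the tutorial. It captures appId and password from the az output with --query instead of copying them by hand, and polls `az vm encryption show` until both disks report Encrypted, restarting the VM exactly once when the OS disk reaches VMRestartPending. Assumptions not stated in the tutorial: the az CLI is installed and logged in; the resource group, Key Vault, key and VM (with its data disk already mounted) exist as created above; `az vm encryption show --query '[osDisk, dataDisk]' -o tsv` prints the two status words tab-separated on one line; and NotEncrypted is the status before the extension starts. The names `next_action`, `create_service_principal`, `wait_for_encryption` and `run_flow` are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): drives the encryption steps above
# from a script and polls `az vm encryption show` until both disks report
# Encrypted. Assumes the az CLI is installed and logged in, and that the
# resource group, Key Vault, key and VM (with its data disk mounted) already
# exist exactly as created in the tutorial.
set -eu

RG=testResourceGroup
VM=testVM
VAULT=testKeyVault
KEY=testKey
POLL_SECONDS=60

# Map the OS-disk and data-disk status strings from `az vm encryption show`
# to the next step. EncryptionInProgress, VMRestartPending and Encrypted are
# the statuses the tutorial shows; NotEncrypted is assumed to be the state
# before the extension starts. Anything else stops the loop so an operator
# can look at the VM instead of the script restarting it blindly.
next_action() {
    os=$1
    data=$2
    if [ "$os" = Encrypted ] && [ "$data" = Encrypted ]; then
        echo done
    elif [ "$os" = VMRestartPending ]; then
        echo restart
    else
        for s in "$os" "$data"; do
            case "$s" in
                Encrypted|EncryptionInProgress|NotEncrypted|VMRestartPending) ;;
                *) echo fail; return 0 ;;
            esac
        done
        echo wait
    fi
}

# Create the service principal and capture appId/password from its JSON
# output with --query instead of pasting them by hand; the credentials stay
# in shell variables and are never written to disk.
create_service_principal() {
    set -- $(az ad sp create-for-rbac --query '[appId, password]' -o tsv)
    sp_id=$1
    sp_password=$2
}

# Poll until both disks are Encrypted, restarting the VM once when the OS
# disk reports VMRestartPending (a second restart request while the status
# still reads VMRestartPending would only delay the finalising boot).
wait_for_encryption() {
    restarted=0
    while :; do
        # Assumed output shape: the two status words, tab-separated, one line.
        set -- $(az vm encryption show -g "$RG" -n "$VM" \
            --query '[osDisk, dataDisk]' -o tsv)
        os=${1:-unknown}
        data=${2:-unknown}
        action=$(next_action "$os" "$data")
        echo "osDisk=$os dataDisk=$data -> $action"
        case "$action" in
            done) return 0 ;;
            fail) return 1 ;;
            restart)
                if [ "$restarted" -eq 0 ]; then
                    az vm restart -g "$RG" -n "$VM"
                    restarted=1
                fi ;;
        esac
        sleep "$POLL_SECONDS"
    done
}

# Service principal, Key Vault policy, enable encryption, then wait.
run_flow() {
    create_service_principal
    az keyvault set-policy --name "$VAULT" --spn "$sp_id" \
        --key-permissions wrapKey --secret-permissions set
    az vm encryption enable -g "$RG" -n "$VM" \
        --aad-client-id "$sp_id" --aad-client-secret "$sp_password" \
        --disk-encryption-keyvault "$VAULT" --key-encryption-key "$KEY" \
        --volume-type all
    wait_for_encryption
}

# Only touch Azure when explicitly asked: `sh encrypt-vm.sh run`.
if [ "${1:-}" = run ]; then
    run_flow
fi
```

Run it as `sh encrypt-vm.sh run` after the VM's data disk has been partitioned, formatted and mounted; without the `run` argument the script only defines its functions, so `next_action` can be exercised on its own. The single-restart guard matters: the status can still read VMRestartPending for a short while after the restart is issued, and re-issuing it would interrupt the boot that finalises encryption.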

Additional info