In this article you'll use the Azure portal to create a key vault for the storage of encryption keys and encrypt an existing virtual machine (VM).
If you need to create a virtual machine first, see my earlier post, How to Create Azure VM (Virtual Machine). Once you have an Azure VM, follow the steps below to enable the encryption option for it.
Should virtual machines be encrypted?
Yes. Encrypting your virtual machine's disks helps safeguard your application and its data.
Azure Disk Encryption Requirements
Before you start, review the requirements for enabling encryption on an Azure virtual machine.
- Supported VMs: Azure Disk Encryption is supported only on Generation 1 and Generation 2 virtual machines, and the VM must have at least 2 GB of memory.
- Supported operating systems: Windows 8 or later, Windows Server 2008 R2 or later, or Windows 10 Enterprise multi-session.
- Encryption key storage requirements: the virtual machine and its key vault must be in the same subscription and the same Azure region.
- Group Policy requirements: make sure any custom BitLocker Group Policy settings are compatible with your Azure virtual machine.
- Networking requirements: the virtual machine must be able to reach the Azure AD (AAD) endpoint, the key vault endpoint and the Azure Storage endpoint.
How do I enable encryption on my Azure VM?
Step 1: Sign in to https://portal.azure.com.
Step 2: Search for Virtual machines.
Step 3: You will see the list of VMs created in your Azure subscription, showing each VM's name, type, status, resource group, location and so on. If you don't have one, create a new VM.
Step 4: Click the VM name ("MyNewVM" in my case). You will see the details of your virtual machine, such as public IP address, status, computer name, operating system and size.
Step 5: In the left-hand menu of the Overview tab, select Disks under Settings.
Step 6: On the Disks screen, select Additional settings.
Step 7: Under Encryption settings, set Disks to encrypt to OS and data disks.
Scroll down and, for Key Vault, click Select a key vault. If you need to create a new key vault, click Create new.
Step 8: Under Create a key vault, enter the correct subscription, resource group, key vault name, region and pricing tier. Please note: the virtual machine and the key vault must be in the same subscription and the same Azure region.
Next to Purge protection you can either enable or disable it. For this article we are going to disable it. Keep in mind that purge protection stops a soft-deleted key or vault from being permanently purged before its retention period ends, and an encrypted disk cannot be recovered without its key.
Then click Next.
Step 9: On the Access Policies tab, check the Azure Disk Encryption for volume encryption box.
Step 10: Click the Review + create button.
Step 11: When Validation passed is shown, click Create.
Step 12: Once the key vault has been created, select it and click Save.
Step 13: Once the deployment is completed, go to the resource.
Step 14: That completes all the steps. This is how you enable the encryption option on an Azure virtual machine.
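As an added example (not code from the original post), here the requirement list above is turned into a pre-flight check, together with the az CLI call that matches the portal's "OS and data disks" choice; the subscription id and the key vault name mynewvm-kv are placeholders, and the VM name MyNewVM is the one used in the walkthrough.

```python
# Added example (not the post's code): pre-flight check for the ADE requirements above.
from dataclasses import dataclass

@dataclass
class Vm:
    name: str
    resource_id: str         # /subscriptions/<sub>/resourceGroups/<rg>/...
    location: str
    hyper_v_generation: str  # "V1" or "V2" (Generation 1 or Generation 2)
    memory_gb: float

@dataclass
class KeyVault:
    name: str
    resource_id: str
    location: str
    enabled_for_disk_encryption: bool  # the "Azure Disk Encryption" access-policy box

def arm_parts(resource_id: str) -> tuple[str, str]:
    # Return (subscription id, resource group) parsed from an ARM resource id.
    p = resource_id.strip("/").split("/")
    if len(p) < 4 or p[0].lower() != "subscriptions" or p[2].lower() != "resourcegroups":
        raise ValueError(f"not an ARM resource id: {resource_id}")
    return p[1].lower(), p[3]

def ade_preflight(vm: Vm, kv: KeyVault) -> list[str]:
    """List blocking problems; an empty list means encryption can be enabled."""
    problems = []
    if vm.hyper_v_generation not in {"V1", "V2"}:
        problems.append(f"unsupported VM generation {vm.hyper_v_generation}")
    if vm.memory_gb < 2:  # ADE needs at least 2 GB of VM memory
        problems.append(f"VM has {vm.memory_gb} GB memory, needs at least 2 GB")
    if arm_parts(vm.resource_id)[0] != arm_parts(kv.resource_id)[0]:
        problems.append("VM and key vault are in different subscriptions")
    if vm.location.lower() != kv.location.lower():
        problems.append(f"VM is in {vm.location} but key vault is in {kv.location}")
    if not kv.enabled_for_disk_encryption:
        problems.append("key vault is not enabled for disk encryption (access policy)")
    return problems

def enable_command(vm: Vm, kv: KeyVault, volume_type: str = "ALL") -> str:
    """az CLI call matching the portal's 'OS and data disks' choice (volume type ALL)."""
    rg = arm_parts(vm.resource_id)[1]
    return (f"az vm encryption enable --resource-group {rg} --name {vm.name} "
            f"--disk-encryption-keyvault {kv.name} --volume-type {volume_type}")
if __name__ == "__main__":  # constructed sample; subscription id and vault name are placeholders
    rg_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG"
    vm = Vm("MyNewVM", rg_id + "/providers/Microsoft.Compute/virtualMachines/MyNewVM", "eastus", "V2", 4.0)
    kv = KeyVault("mynewvm-kv", rg_id + "/providers/Microsoft.KeyVault/vaults/mynewvm-kv", "eastus", True)
    print(ade_preflight(vm, kv) or enable_command(vm, kv))
```

Run it against the real values from `az vm show` and `az keyvault show` before clicking Save in step 12; if the list of problems is empty, the printed command performs the same enablement from the CLI.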