Azure Key Vault and Disk Encryption



Lab Overview

In this Lab, you will use the Azure Key Vault service in order to store keys and secrets used to encrypt an Azure Virtual Machine (VM). Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by hardware security modules (HSMs). This streamlines the key management process and enables you to maintain control of keys that access and encrypt your data.

Lab Objectives

Upon completion of this lab you will be able to:

  • Use the Azure Key Vault service to store secrets and keys used for encrypting an Azure Virtual Machine
  • Create an Azure Active Directory (AD) application registered to use the Azure Key Vault service
  • Use PowerShell to create the Azure Key Vault, Azure virtual machine, and deploy the Azure VM Disk Encryption Extension
  • View the BitLocker encryption process on the encrypted VM
  • View the Azure Key Vault secrets/keys in the Azure Portal

Lab Prerequisites

You should be familiar with:

  • Basic Azure Virtual Machine and Azure Portal concepts
  • Microsoft Windows operating system basics
  • PowerShell and .NET familiarity are beneficial, but not required

Lab Environment

The Lab Environment has two main pieces:

  1. The pre-provisioned Azure virtual machine that you will log into in order to run PowerShell commands
  2. The PowerShell script you will use to build the Azure Key Vault and encrypted virtual machine

You will spend most of your time in the PowerShell ISE and the Azure Portal. Below is a high-level diagram of the steps you will take in this Lab:


April 11th 2018 - Updated Key Vault Portal screenshots, resolved issue causing the PowerShell script to timeout when creating the VM, and prepared for May 2018 API changes

Follow these steps to learn by building helpful cloud resources

Logging into the Microsoft Azure portal

Begin the Lab by logging into the Microsoft Azure portal

Connecting to the Virtual Machine (RDP)

Connect to the Windows virtual machine using Remote Desktop Protocol (RDP) software

Viewing the PowerShell Script

Open the PowerShell script in the PowerShell Integrated Scripting Environment (ISE)

Connecting to Azure via PowerShell

Connect to your Azure account via PowerShell

Loading Azure VM Encryption Variables

Load the variables for the Azure Virtual Machine Encryption

Creating an Azure AD Application

Create an Azure Active Directory Application and register it with Azure using a PowerShell script

Creating the Azure Key Vault

Create the Azure Key Vault to store disk encryption keys and secrets

Using PowerShell to build the Azure VM

Use PowerShell to build the Azure VM

Deploying the Azure VM Disk Encryption Extension

Deploy the Azure VM Disk Encryption Extension

Verifying BitLocker Drive Encryption

Verify BitLocker Drive Encryption on the newly encrypted Azure Virtual Machine