
Demo - Implement BitLocker Disk Encryption on an Azure VM



Azure Resource Manager Virtual Machines

Virtual Machines are a very foundational and fundamental resource in Cloud Computing. Deploying virtual machines gives you more flexibility and control over your cloud infrastructure and services, however, it also means you have more responsibility to maintain and configure these resources. This course gives you an overview of why use virtual machines as well as how to create, configure, and monitor VMs in Azure Resource Manager.

Azure Resource Manager Virtual Machines: What You'll Learn

Lesson | What you'll learn
Overview | Overview of the course and the learning objectives
What is a Virtual Machine? | Understand what Azure Virtual Machines are and which workloads are ideal for VMs
Creating and Connecting to Azure VMs | Learn to deploy Windows and Linux VMs and how to connect to them
Scaling Azure Virtual Machines | Understand VM scaling, load balancing, and Availability Sets in Azure Resource Manager
Configuration Management | Understand the basic concepts of Desired State Configuration and the options available to Azure VMs
Design and Implement VM Storage | Gain an understanding of the underlying storage options available to VMs, as well as encryption
Configure Monitoring & Alerts for Azure VMs | Learn to monitor VMs in Azure Resource Manager and configure alerts
Summary | Course summary and conclusion


GitHub Code Repository



In this demo we are going to build a new Windows VM, a KeyVault, an Azure Active Directory application, and a KeyEncryptionKey, which we'll use to deploy the AzureDiskEncryption extension to encrypt our virtual machine.

Here is a graphical representation of the pieces of our demo. We will be performing everything in PowerShell, including the creation of the VM itself. In fact, we'll start from nothing and create everything, including the Resource Group. Our PowerShell script will create a Resource Group, then create an Azure AD application, a KeyVault, and a KeyEncryptionKey. We will then build a virtual machine, including a new Public IP, VNet, Network Interface Card (NIC), and disk. Finally, once the VM is built, we will deploy the AzureRmVMDiskEncryptionExtension to our VM and check the status.

This is a PowerShell script which I’ve authored and is available on my GitHub Gist.

Let's hop on over to our PowerShell ISE. The first thing we'll do is set up the variables we will use. These variables are mainly for setting up the VM itself, including the VMName "EncryptWin1", the network information, storage, OS image, etc. Let's load this into memory. We'll also create a new Resource Group called "EncryptRG." The last three steps are to create the KeyVault and keys, the VM itself, and finally deploy the encryption extension.

Let's have a look at how to create a KeyVault and AD App. As we go through this, just try to get the overall picture of what's going on, since our purpose in this course is to understand that we have the ability to have encrypted disks rather than the lower-level details. But believe me, it took me some time to wrap my head around this myself, but I thought I'd share these details with you in case you're curious.

We’ll first create the AD application. I have a few variables including the name I want for the KeyVault, the new Azure AD App and a name for the KeyEncryptionKey. The main point of this block of code is that I’m creating a new Azure AD application for security purposes by having an identity or service principal in Azure that I will use to create a new passphrase or “secret” that we’ll use for the disk encryption. Let’s load it into memory.

Next, we’ll create the actual KeyVault and set the appropriate KeyVault Access Policies that allow our AD app permission to write keys and secrets to the KeyVault. Let’s run it.

Finally, let's create the KeyEncryptionKey and output all the values for our KeyVault, which you can save to a local file for personal safekeeping. This is a good time to head over to the Portal to have a look at our KeyVault. In the search box we'll type keyvault and we can see the name of our KeyVault. Here we can view our Keys and Secrets as well as the Azure AD service principals or accounts that have access to our KeyVault. Let's click "Keys." There is the key we've created called "MyKey1." Clicking on this key shows information about the key, including permitted operations.

Let’s close out these blades and go back to view the Secrets. As you can see we do not yet have any secrets because we haven’t actually encrypted any VMs just yet. Let’s go back out and view the Access policies. Here you can see my own AD service account as well as MyApp1 which we’ve created in PowerShell. As you can see we have “All” permissions for both Keys and Secrets. Azure Disk Encryption technically only requires you to have “WrapKey” and “Set” permissions.

Let's head back to our PowerShell script and create the VM. I won't go into too much detail here but will walk through the steps. Let's first create a storage account for our VM. We'll then create a Public IP, virtual network, and network interface. Next, let's create credentials in order to log in to our VM. We're going to create our basic VM config and attach the NIC to the VM. This next block of code will set up our OS disk with the specified Windows Gallery image and attach the disk to the VM. Finally, we're going to build the VM using the New-AzureRmVM command.

Ok, that only took a couple of minutes and shows a success status. Let's take a look at our new VM in the portal. Our VM is running and ready to go. Let's take a look at the OS disk. As you can see, our OS disk shows that Encryption is "Not enabled." Let's head back over to the PowerShell script and complete this final step.

We simply have to run a single command called "Set-AzureRmVMDiskEncryptionExtension" and specify all the parameters we've previously generated and stored in variables. These include the ResourceGroup and VMName, our Azure AD app ClientID and Secret, our KeyVault URL and ID for the BEK, and our KeyEncryptionKey URL and ID used for the KEK. You'll also notice a "-VolumeType" parameter set to "OS", which means we only want to encrypt the OS disk. Other values you can use here include "Data" for encrypting the data disks or "All" for encrypting both the OS disk and data disks. Let's run it.

While this is running, let's head over to the Portal and check on the AzureDiskEncryption extension. As we can see, our AzureDiskEncryption extension is being installed on our VM. Once the extension shows provisioning succeeded, the VM will restart. Let's connect to our VM to see what's changed. When we log in we immediately notice a pop-up saying "Encryption in progress" from BitLocker Drive Encryption. Let's right-click the Start button and go to Control Panel -> System and Security -> BitLocker Drive Encryption. Here we can see that our drive is currently being encrypted successfully. Looking back in the Portal at our OS disk, we can now see that "Encryption" shows "Enabled." Let's also view our KeyVault secrets. We now have our secret, which wraps the BitLocker Encryption Key generated for our encrypted VM. Our demo on Azure Disk Encryption is now complete.
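The KeyVault, AD app, KEK and extension steps above, condensed into one script as an added example (not the author's Gist). It assumes the AzureRM modules are loaded, Login-AzureRmAccount has been run, the VM EncryptWin1 already exists in EncryptRG as built in the demo, and a New-AzureRmADApplication version that takes -Password as a SecureString; the vault name suffix, region and the example URIs are placeholders. Unlike the demo's "All" policy, it grants the app only the WrapKey and Set permissions the narration says Azure Disk Encryption needs.

```powershell
# Added example: KeyVault + AD app + KEK with a least-privilege access policy,
# then the disk encryption extension and a status check (constructed, not course code).
$rgName   = "EncryptRG"
$location = "East US"                                     # assumption: region of EncryptRG
$vmName   = "EncryptWin1"
$kvName   = "EncryptKV" + (Get-Random -Maximum 9999)      # vault names are globally unique
$appName  = "MyApp1"
$kekName  = "MyKey1"

# Generate the AD app secret with a CSPRNG instead of hard-coding it in the script.
$bytes = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$secretPlain  = [Convert]::ToBase64String($bytes)
$secretSecure = ConvertTo-SecureString $secretPlain -AsPlainText -Force

# Azure AD application and service principal the extension authenticates as.
$app = New-AzureRmADApplication -DisplayName $appName `
    -HomePage "https://$appName.example.invalid" `
    -IdentifierUris "https://$appName.example.invalid" `
    -Password $secretSecure
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# KeyVault flagged for disk encryption so the platform may read the BEK secret.
$kv = New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName `
    -Location $location -EnabledForDiskEncryption

# Least privilege: wrap the BEK with the KEK, and write the wrapped BEK as a secret.
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName `
    -ServicePrincipalName $app.ApplicationId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# Key Encryption Key; Kid is the versioned key URL the extension needs.
$kek = Add-AzureKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software

# Encrypt the OS volume only ("Data" or "All" are the other VolumeType values).
# -Force skips the prompt about the reboot the extension triggers.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $app.ApplicationId -AadClientSecret $secretPlain `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType OS -Force

# Verify: OsVolumeEncrypted reports Encrypted once BitLocker finishes after the reboot.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
```

Re-run the last line until OsVolumeEncrypted changes from EncryptionInProgress to Encrypted; the wrapped BEK secret appears in the vault at the same time.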

About the Author

Chris has over 15 years of experience working with top IT enterprise businesses. Having worked at Google helping to launch Gmail, YouTube, Maps and more, and most recently at Microsoft working directly with Microsoft Azure for both commercial and public sectors, Chris brings a wealth of knowledge and experience to the team in architecting complex solutions and advanced troubleshooting techniques. He holds several Microsoft certifications, including Azure certifications.

In his spare time, Chris enjoys movies, gaming, outdoor activities, and Brazilian Jiu-Jitsu.