
Disk Encryption in Windows with BitLocker and Linux DM-Crypt


Course duration: 2h 17m

Azure Resource Manager Virtual Machines

Virtual machines are a foundational resource in cloud computing. Deploying virtual machines gives you more flexibility and control over your cloud infrastructure and services; however, it also means you take on more responsibility for maintaining and configuring those resources. This course gives you an overview of why you would use virtual machines, as well as how to create, configure, and monitor VMs in Azure Resource Manager.

Azure Resource Manager Virtual Machines: What You'll Learn

Lesson - What you'll learn
Overview - Overview of the course and the learning objectives
What is a Virtual Machine? - Understand what Azure Virtual Machines are and which workloads are ideal for VMs
Creating and Connecting to Azure VMs - Learn to deploy Windows and Linux VMs and how to connect to them
Scaling Azure Virtual Machines - Understand VM scaling, load balancing, and Availability Sets in Azure Resource Manager
Configuration Management - Understand the basic concepts of Desired State Configuration and the options available to Azure VMs
Design and Implement VM Storage - Gain an understanding of the underlying storage options available to VMs, as well as encryption
Configure Monitoring & Alerts for Azure VMs - Learn to monitor VMs in Azure Resource Manager and configure alerts
Summary - Course summary and conclusion


An entire course could be devoted to Azure Disk Encryption, but in this lesson I want to at least get you started with the basics. Azure Disk Encryption is an option available to both Linux and Windows VMs.

BitLocker is Microsoft's disk-encryption solution for Windows. We install BitLocker through a VM extension, which then encrypts the disk. When encrypting disks you have the option of encrypting the OS disk only, or both the OS disk and the data disks. Also, since we're on the topic of encryption, standalone Blob storage can also enable encryption, which encrypts data "at rest," meaning while it is not in transit: Azure automatically encrypts the data once it is written to storage and decrypts it when it is requested. But in this lesson we're focused on VM disk encryption from an IaaS perspective, where we have more options for how our disks are encrypted.

The encryption process is actually pretty straightforward and is as easy as deploying a VM extension in PowerShell. However, there is one caveat that adds a somewhat difficult layer of complexity: managing the encryption keys that go along with encrypting your disk. After all, if you lock something away, someone has to keep track of the keys to reopen it. The good news is that Azure provides the Azure Key Vault service, which helps you manage and control the disk-encryption keys and secrets used by cloud applications and services. BitLocker creates what's called a "BitLocker Encryption Key," or BEK, which you'll have to manage. We will not go deeply into the Key Vault service except to explain how to use it for our VM disk-encryption purposes. And of course you may decrypt Windows IaaS VMs, including both the OS disk and the data disks. Note that there is no additional cost for encrypting VM disks with Azure Disk Encryption.

In general, any application that wants to store keys and secrets needs to register with Azure AD for security purposes and then communicate with the Azure Key Vault service. You'll see this in the demo when we create a PowerShell script that registers an AD application and creates a Key Vault access policy allowing it to write keys to the Key Vault. Don't worry too much about the details for now; we'll go into them once we go through the process together.

One common scenario is wanting not only to have your VM encrypted, but also to take advantage of backup and restore options via a service called the Azure Backup Service. This is an important scenario. The Azure Backup Service is just another app, and simply having a BitLocker Encryption Key, or BEK, is not enough. You'd also need what's called a Key Encryption Key, commonly referred to as the KEK, which is an additional layer of security. Our registered AD client app will generate a secret, which is like a passphrase that wraps the disk encryption key we created earlier. This is necessary if you are going to take advantage of the Azure Backup Service.

Disk encryption with Linux is the same as Windows encryption except that the encryption technology is different: Linux uses DM-Crypt to encrypt disks. The Azure Backup Service is also available for encrypted Linux VMs, but again you have to generate a Key Encryption Key (KEK) to use this service. One major point is that, as of now, disabling OS disk encryption for Linux is not supported. You may only decrypt encrypted Linux data disks.
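The following script is an added example, not code from the course or its demo, showing the Key Vault plus KEK flow described above and the Linux restriction on decrypting the OS disk. It uses the current Az PowerShell modules (Az.KeyVault and Az.Compute) rather than the Azure AD application registration the lesson's demo walks through; the Az cmdlets can encrypt without a registered app, and the lesson's AD-app approach corresponds to the older parameter set of the same extension cmdlet. It assumes you are already signed in with Connect-AzAccount, that your account may create keys in the new vault, and that the resource group, VM and vault names are placeholders for an existing VM of your own.

```powershell
# Added example (not the course's code): enable Azure Disk Encryption with a KEK, verify it,
# and guard the "decrypt" path so a Linux OS disk is never targeted.
# Assumptions: Az.Accounts, Az.KeyVault and Az.Compute are installed; Connect-AzAccount has already run;
# the names below are placeholders for an existing VM in your subscription.
$rgName    = 'rg-ade-demo'        # placeholder resource group
$vmName    = 'vm-ade-demo'        # placeholder VM name
$vaultName = 'kv-ade-demo-0001'   # placeholder Key Vault name (must be globally unique)
$location  = 'eastus'

# 1. Create the Key Vault that will hold the BEK (stored as a secret) and the KEK (stored as a key).
#    -EnabledForDiskEncryption permits the Azure platform to fetch the BEK when the VM boots.
$vault = New-AzKeyVault -ResourceGroupName $rgName -VaultName $vaultName -Location $location `
           -EnabledForDiskEncryption

# 2. Create the Key Encryption Key. The BEK the extension writes is wrapped with this key,
#    which is the extra layer that Azure Backup requires for encrypted VMs.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name 'ade-kek' -Destination 'Software'

# 3. Enable encryption on the VM. VolumeType 'All' covers the OS disk and the data disks;
#    use 'OS' or 'Data' to narrow it. -Force skips the interactive confirmation.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType 'All' -Force

# 4. Verify: the status object reports the OS and data disk state plus the secret and KEK URLs in use.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName

# 5. Decrypt only where the platform allows it. On Linux the OS disk cannot be decrypted once
#    encrypted, so this helper refuses anything other than the data volumes on a Linux VM.
function Disable-DiskEncryptionSafely {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][ValidateSet('OS', 'Data', 'All')][string]$VolumeType
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $isLinux = $vm.StorageProfile.OsDisk.OsType -eq 'Linux'
    if ($isLinux -and $VolumeType -ne 'Data') {
        throw "Disabling OS disk encryption is not supported on Linux VMs; rerun with -VolumeType Data."
    }
    Disable-AzVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -VolumeType $VolumeType -Force
}

# Example call: decrypt just the data disks of the VM encrypted above.
Disable-DiskEncryptionSafely -ResourceGroupName $rgName -VMName $vmName -VolumeType 'Data'
```

The KEK URL passed in step 3 is versioned (Add-AzKeyVaultKey returns the full key identifier), so rotating the KEK later means re-running Set-AzVMDiskEncryptionExtension with the new URL; the status from step 4 is the place to confirm which KEK a VM is actually using before you rely on a backup of it.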

About the Author
Learning Paths

Chris has over 15 years of experience working with top IT enterprise businesses. Having worked at Google helping to launch Gmail, YouTube, Maps and more, and most recently at Microsoft working directly with Microsoft Azure for both commercial and public sectors, Chris brings a wealth of knowledge and experience to the team in architecting complex solutions and advanced troubleshooting techniques. He holds several Microsoft certifications, including Azure certifications.

In his spare time, Chris enjoys movies, gaming, outdoor activities, and Brazilian Jiu-Jitsu.