Azure Key Vault and Disk Encryption

Lab Steps

Logging into the Microsoft Azure Portal
Connecting to the Virtual Machine (RDP)
Viewing the PowerShell Script
Connecting to Azure via PowerShell
Loading Azure VM Encryption Variables
Creating an Azure AD Application
Creating the Azure Key Vault
Using PowerShell to build the Azure VM
Deploying the Azure VM Disk Encryption Extension
Verifying BitLocker Drive Encryption

The hands-on lab is part of these learning paths

  • AZ-400 Exam Prep: Microsoft Azure DevOps Solutions (11 course steps, 5 lab steps, 1 description)
  • AZ-104 Exam Preparation: Microsoft Azure Administrator (18 course steps, 6 certifications, 16 lab steps)
  • AZ-204 Exam Preparation: Developing Solutions for Microsoft Azure (16 course steps, 1 certification, 9 lab steps)
  • AZ-500 Exam Preparation: Microsoft Azure Security Technologies (14 course steps, 1 certification, 4 lab steps)
  • AZ-203 Exam Preparation: Developing Solutions for Microsoft Azure (21 course steps, 1 certification, 7 lab steps)
  • Azure Services for Security Engineers (8 course steps, 4 certifications, 3 lab steps)


Time Limit: 2h


Lab Overview

In this Lab, you will use the Azure Key Vault service to store the keys and secrets used to encrypt an Azure Virtual Machine (VM). Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) with keys that are protected by hardware security modules (HSMs). This streamlines the key management process and lets you maintain control of the keys that access and encrypt your data.

Lab Objectives

Upon completion of this lab you will be able to:

  • Use the Azure Key Vault service to store secrets and keys used for encrypting an Azure Virtual Machine
  • Create an Azure Active Directory (AD) application registered to use the Azure Key Vault service
  • Use PowerShell to create the Azure Key Vault, Azure virtual machine, and deploy the Azure VM Disk Encryption Extension
  • View the BitLocker encryption process on the encrypted VM
  • View the Azure Key Vault secrets/keys in the Azure Portal

Lab Prerequisites

You should be familiar with:

  • Basic Azure Virtual Machine and Azure Portal concepts
  • Microsoft Windows operating system basics
  • PowerShell and .NET familiarity are beneficial, but not required

Lab Environment

The Lab Environment has two main pieces:

  1. The pre-provisioned Azure virtual machine you will log into in order to perform PowerShell commands
  2. The PowerShell script you will use to build the Azure Key Vault and encrypted virtual machine

You will spend most of your time in the Azure PowerShell ISE and the Azure Portal. Below is a high-level diagram of the steps you will take in this Lab:


February 19th, 2020 - Updated the lab to use PowerShell's Az module and added validation checks to check the work performed in the lab

February 5th, 2020 - Updated lab script to resolve an issue causing invalid storage account names

December 11th, 2019 - Updated lab VM to the latest Windows 2019 image and addressed issues causing slow PowerShell startup performance

April 11th, 2018 - Updated Key Vault Portal screenshots, resolved an issue causing the PowerShell script to time out when creating the VM, and prepared for May 2018 API changes

About the Author

Learning paths: 2

Chris has over 15 years of experience working with top IT Enterprise businesses. Having worked at Google helping to launch Gmail, YouTube, Maps and more, and most recently at Microsoft working directly with Microsoft Azure for both Commercial and Public Sectors, Chris brings a wealth of knowledge and experience to the team in architecting complex solutions and advanced troubleshooting techniques. He holds several Microsoft Certifications, including Azure Certifications.

In his spare time, Chris enjoys movies, gaming, outdoor activities, and Brazilian Jiu-Jitsu.