Enabling Disk Encryption on Virtual Machines in Azure

Azure Disk Encryption helps protect your data and meet your organization's security and compliance commitments. It uses the feature BitLocker to provide volume encryption for the operating system and data disks of Azure Virtual Machines (VMs) and is integrated with Azure Key Vault to help you control and manage disk encryption keys and secrets.

Read more:

Migrating Active Directory from WS2012 to WS2019
SMB Compression (Preview) - Windows Server 2022
What is Microsoft Endpoint Defender?
Powershell Web Access and other ways to execute a remote command
Reset VM access to SSH public key

Supported operating systems and VMs

Windows VMs are available in a size series. Azure Disk Encryption is supported on Generation 1 and Generation 2 VMs. Azure Disk Encryption is also available for VMs with premium storage.

Azure Disk Encryption is available at basic VMs A-series or on virtual machines with less than 2 GB of memory. Azure Disk Encryption is also not available on VM images without temporary disks (Dv4, Dsv4, Ev4, and Esv4).

Compatible operating systems

  • Windows Client: Windows 8 and later.
  • Windows Server: Windows Server 2008 R2 and later.


Windows Server 2008 R2 requires the .NET Framework 4.5 to be installed for encryption; install it from Windows Update with the optional Microsoft .NET Framework 4.5.2 update for Windows Server 2008 R2 x64-based Systems(KB2901983).

Windows Server 2012 R2 Core and Windows Server 2016 Core require the bdehdcfg component to be installed on the VM for encryption.

Encryption key storage requirements

Azure Disk Encryption requires an Azure Key Vault to help you control and manage your disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription.

What is Azure Key Vault?

Azure Key Vault is a cloud service to securely store and access secrets. A secret is anything you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. The Key Vault service supports two types of containers: vaults and managed HSM (Hardware Security Module) pools. Vaults support software and HSM-backed storage of keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys.

Microsoft Azure Environment

In Microsoft Azure we have a virtual machine called VM-Dev-001 with the size Standard_DS1_v2 1 vcpu, 3.5 Gib memory, Windows Server 2019 Datacenter operating system, this machine has two disks, one disk is the operating system and the other disk is data .

Step by step

Configuring Key Vault

01 – Log in to the portal of Azure.

02 – In the Azure portal search for Key vaults.

03 – On the Key vaults screen, click on + Create.

04 – On the Create Key vault screen, in Basics, select the subscription and resource group.

In Instance details, in Key vault name select a name for the resource, in Region select the region you want to provision the resource, in Pricing tier we can select between Standard and Premium.

In Recovery options, we will leave the default option of 90 and Disable purge protection (allow key vault and objects to be purged during retention period), then click Next: Access policy.

05 – In Access policy, check the option Azure Disk Encryption for volumes encryption, for the Permission model option, leave policy selected.

In Current Access Policies, notice that my user was added to the policy with the necessary permissions, click Next: Networking.

06 – In Networking, leave the default setting selected Publuc endpoint (all networks) and click Review + create.

07 – On the Review + create screen, verify that all the information is correct and click on Create.

08 – Wait for the resource to be provisioned.

09 – As we can see the resource was provisioned successfully, click on Go to resource.

10 – After selecting the Key vault, click on Settings and click on Keys.

11 – On the Keys screen, click on + Generate/Import.

12 – On the Create a Key screen, select a name for the key, in RSA Key size we can change the size of the key and we can set the expiration period for this key by enabling Set activation date, let's leave the default settings, then click Create .

Enabling disk encryption

13 – In the Azure portal search for Virtual machines

14 – Select the virtual machine you want to enable disk encryption, in our example we will select the virtual machine VM-Dev-001.

15 – After selecting the VM in Settings click on Disks.

16 – On the Disks screen click on Additional settings.

17 – On the Disk settings screen, in Disk to encrypt select Os and data disks, in Key vault select the Key vault we created, in Key select keyms in Version select the Current version then click Next.

18 – Wait for the validation to complete.

Checking disk encryption

19 – Open File Explorer, click This PC and notice that the disks have been encrypted.

Was this article helpful?

To maintain a quality standard for you, we have invested in a great hosting plan, Paid CDN, Website Optimization Plugins, etc ...

Help us to keep the project active! 

Jádson Alves
Graduated in Informatics Degree from Universidade Tiradentes, Postgraduate in Administration and Security of Computer Systems from Universidade Estácio de Sá, Postgraduate in Information Security from Universidade Estácio de Sá, MBA in Computer Network Management from FANESE, MCT Certification, MCSE Core Infrastructure and MCSA Windows Server 2012, with over 07 years of IT experience. With knowledge in Windows Server operating systems, Linux operating systems, Virtualization, Azure, Asset monitoring with Zabbix.



Do you want to upgrade your career? 

Invest in yourself and get ahead! Get that dream job in 2022!