Secure your data with Azure Disk Encryption

1 – What is Azure Disk Encryption:

Azure Disk Encryption is a service that helps you protect and preserve your data to meet your company’s security and compliance commitments.

Here are some key points about Azure Disk Encryption:

  • It uses Windows BitLocker functionality to provide volume encryption of operating system and data disks in Azure virtual machines.
  • Azure Disk Encryption integrates with Azure Key Vault to help you control and manage disk encryption secrets and keys.
  • Azure Disk Encryption is zone-resilient, in the same way as virtual machines.
  • If you’re using Microsoft Defender for Cloud, you’ll receive an alert if any of your virtual machines are not encrypted.
  • Azure Disk Encryption is supported on 1st generation and 2nd generation virtual machines.
  • Azure Disk Encryption is not available on Basic and A-series virtual machines, or on those with less than 2 GB of memory.
  • Your key vault and virtual machines must be located in the same Azure region and subscription.

There are also other types of encryption available for your managed disks, including server-side encryption (SSE) and encryption at host. Each type of encryption has its own characteristics, advantages and limitations.

2 – Mindmap to enable Azure Disk Encryption:

Here are the steps to follow to enable Azure Disk Encryption:

3 – Set up Azure Disk Encryption:

To do this, sign in to the Azure portal, then create and configure a key vault for Azure Disk Encryption.

Here are the steps to follow:

  • Log in to your Azure account.
  • Type “Key” in the search box and select “Key vaults”.
  • Select “Create” to start the key vault creation.
  • In the “Basics” section, choose your resource group, a unique name for your key vault, the location, etc., then select “Next”.
  • In the “Access configuration” section, make sure you select the “Azure Disk Encryption for volume encryption” option, then select “Review + create”.

After the key vault has been successfully created, start Azure CLI in PowerShell mode:

Then type the following command to enable encryption:

az vm encryption enable -g '<ResourceGroupName>'  --name '<VM_Name>' --disk-encryption-keyvault '<Key_Vault_Name>'

This is my command line after changing some parameters:

az vm encryption enable -g TESTRG1 --name VM1 --disk-encryption-keyvault GITNKV2

The command takes a couple of minutes to execute, depending on your disk capacity. You keep your RDP connection during the process, and there is no need to reboot the machine.

As you can see in the picture below, both disks are encrypted:
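As an added example (not part of the original post), the same procedure in PowerShell with the Az module cmdlets instead of the az CLI command above: it checks the prerequisites listed in section 1 before enabling encryption, then polls the encryption status instead of relying on the portal screenshot. The resource group, VM and key vault names are the placeholders used in this post.

```powershell
# Added example: enable Azure Disk Encryption with the Az PowerShell module
# (Set-AzVMDiskEncryptionExtension) rather than 'az vm encryption enable'.
# Placeholder names taken from the post; replace them with your own.
$rg     = 'TESTRG1'
$vmName = 'VM1'
$kvName = 'GITNKV2'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$kv = Get-AzKeyVault -VaultName $kvName

# Prerequisite: key vault and VM must be in the same region (and subscription).
if ($vm.Location -ne $kv.Location) {
    throw "Key vault '$kvName' ($($kv.Location)) and VM '$vmName' ($($vm.Location)) are in different regions"
}

# Prerequisite: the vault must be enabled for Azure Disk Encryption
# ("Azure Disk Encryption for volume encryption" at creation time).
if (-not $kv.EnabledForDiskEncryption) {
    throw "Key vault '$kvName' is not enabled for disk encryption. Fix: Set-AzKeyVaultAccessPolicy -VaultName $kvName -EnabledForDiskEncryption"
}

# Prerequisite: not a Basic-tier size and at least 2 GB of memory
# (the post also excludes A-series sizes; check that against your SKU).
$vmSize = $vm.HardwareProfile.VmSize
$sku    = Get-AzVMSize -Location $vm.Location | Where-Object { $_.Name -eq $vmSize }
if ($vmSize -like 'Basic_*' -or $sku.MemoryInMB -lt 2048) {
    throw "VM size '$vmSize' is not supported by Azure Disk Encryption"
}

# Enable encryption of OS and data volumes, keyed to the vault.
# -Force suppresses the interactive confirmation prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType 'All' -Force

# Verify: poll until both OS and data volumes report Encrypted
# (NoDiskFound is acceptable when the VM has no data disk). Bounded wait.
$attempts = 0
do {
    Start-Sleep -Seconds 30
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
    Write-Host "OS volume: $($status.OsVolumeEncrypted)  Data volumes: $($status.DataVolumesEncrypted)"
    $attempts++
} while (($status.OsVolumeEncrypted -ne 'Encrypted' -or
          $status.DataVolumesEncrypted -notin 'Encrypted', 'NoDiskFound') -and $attempts -lt 20)

if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    throw "Encryption did not complete in time: $($status.ProgressMessage)"
}
```

Run this from a session already signed in with Connect-AzAccount and set to the subscription that holds both the VM and the key vault.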

Thanks

Aymen EL JAZIRI (Microsoft MVP)

Hi, I’m Aymen El Jaziri, a passionate System Administrator and Microsoft MVP with years of hands-on experience in managing and securing modern IT infrastructures.
This blog is where I share technical guides, automation scripts, product reviews, and real-world solutions that help IT professionals simplify their day-to-day work and stay ahead in a fast-evolving cloud ecosystem.
Whether you’re here to troubleshoot an issue, improve your automation game, or learn new best practices, welcome to my blog!
Let’s build a stronger, smarter IT community together.
Feel free to connect with me on LinkedIn for more content, discussions, or collaboration opportunities.
