Task: Encrypt an Azure VHD

Video: Azure Disk Encryption

Estimated time: 30 minutes

Goal

In this task you will provision a new virtual machine and a new key vault. You will then encrypt the OS disk for the virtual machine, storing the disk encryption keys in key vault.

Pre-requisites

Azure subscription
Remote Desktop Service (RDP) client*

*Note: There are RDP clients for every platform. If you do not have an RDP client and cannot install one, it will have minimal impact on this task.

Requirements

Provision the virtual machine and key vault
Encrypt the virtual machine disk
Verify encryption

Requirement 1: Provision the virtual machine and key vault

You must first provision a Windows virtual machine and a key vault. To complete this requirement use the following settings:

Virtual machine:

Setting	Value
Resource group	task-diskencrypt
Name	encrypt-vm
OS	Windows
Admin user	student
Admin pwd	<strong password>
Image	Windows Server 2016 Datacenter
Size	Standard_D2_V3
Public inbound ports	RDP (3389)

Key vault:

Setting	Value
Resource group	task-diskencrypt
Name	<unique name>
Tier	Standard
Access policy	Disk Encryption

Requirement 2: Encrypt the virtual machine disk

Now you will encrypt the OS disk volume using a key encryption key (KEK). You will generate the KEK within the key vault then use the KEK when encrypting the OS disk volume. Use the following steps to complete this requirement:

Retrieve required key vault properties:
Key vault resource id
Key vault Url
Create a KEK named kek in the key vault. You will need the following KEK properties:
KEK Url
Encrypt the OS disk using the key vault and the KEK

Requirement 3: Verify encryption

Finally, you will verify that the virtual machine OS disk is encrypted. You will find the disk encryption key. You will then delete the key and attempt to restart the VM. Take the following steps to complete this requirement:

Open an RDP session with the encrypt-vm virtual machine.
Open the Disk Management applet and verify that the OS disk is Bitlocker encrypted.
Close the RDP session
Navigate to the key vault in the Azure portal
View the keys and secrets. The KEK will be under keys and the disk encryption key will be under secrets.
Backup and then delete the disk encryption key.
Restart the encrypt-vm virtual machine. This should fail.
Restore the disk encryption key.
Restart the encrypt-vm virtual machine. This should now succeed.

Clean up

Delete the task-diskencrypt resource group.

Solution

Having trouble completing this task? View the demonstration video to see how to do it.