Now what's critical to understand here is that all of this discussion we're doing is not for BitLocker or whole-volume encryption. The SSE encryption, and again, we can do that by going over to Disks, selecting the disk, and going to Encryption, this is simply the at-rest encryption, when the VM is stopped and deallocated and the VHD is at rest in the Azure datacenters. So if we were to do an export and download this disk to our local computer, it would be unencrypted.

Now let's step back, let's go back to Disks, and this time let's go to Additional settings on the toolbar. We have Azure Disk Encryption. This is the BitLocker drive encryption for Azure VMs, and with this one, by contrast, you know this if you've used BitLocker, the VM has to be awake and online and Windows needs to be active in order to do this. We choose whether we're going to encrypt just the OS disk or the OS and data disks, and this, in fact, is going to be full-volume encryption, so that even if you exported the disk from the portal to your local machine, you would need that key to unlock the disk. Important point to consider.

So, speaking of which, we get the key by storing it in Key Vault. We can either grab an existing key, or we can create a new one. I'm going to grab acq-bitlocker-key, which is a key I've used in the past. In Azure Key Vault, you can version the different artifacts that you store in there. You can store encryption keys, passwords, or just what are called secrets, basically secure string data, as well as certificates. And when you replace a version, all of those versions are hash computed, so they're identified with a cryptographic hash, and that's how, in Azure, you reference those versions. See?

So this is all I have to do now. But from a troubleshooting standpoint, I'm going to want to make sure that I have privilege to be able to read out this key from Key Vault. So if I hit Save here, then the machine is going to restart. That's something else you want to think about. It will restart and apply whole-volume encryption to that machine. Important stuff.

Before we go to the next piece here, let me just jump over to Key Vault and just mention, as we drive by in Key Vault, that Azure Key Vault has a number of mechanisms to protect you and your business, particularly against a rogue or accidental deletion of a key. See what I mean? If we were to select this key and we have at least read/write privileges, we can delete this key, and that could potentially put us in a world of hurt with any related Windows Server Azure VMs that are using the key. Now notice that you can back up these keys. However, the backups are encrypted to the Key Vault, so that's of relatively limited use. Let me go into the current version just to show you what it looks like here.