1
00:00:01,140 --> 00:00:06,300
Azure Disk Encryption, or ADE for short. ADE is simply a

2
00:00:06,300 --> 00:00:10,530
BitLocker solution for Windows VMs in Azure. Now,

3
00:00:10,530 --> 00:00:13,610
if you've got experience with Azure Resource Manager,

4
00:00:13,610 --> 00:00:17,020
you know that the way it handles virtual machines is pretty

5
00:00:17,020 --> 00:00:20,810
identical regardless of whether you're running Windows Server

6
00:00:20,810 --> 00:00:23,480
or an endorsed Linux distribution.

7
00:00:23,480 --> 00:00:28,640
So we can do ADE for Linux VMs in Azure as well, but note that

8
00:00:28,640 --> 00:00:31,560
there you're using the dm‑crypt library, of course,

9
00:00:31,560 --> 00:00:35,640
because BitLocker is specific only to Microsoft Windows.

10
00:00:35,640 --> 00:00:39,800
Now another wrinkle with Azure Disk Encryption is where to store

11
00:00:39,800 --> 00:00:44,960
the recovery key because your VMs don't have access to a TPM chip

12
00:00:44,960 --> 00:00:49,480
on a hard, you know, a hardware chip on a hardware motherboard like

13
00:00:49,480 --> 00:00:54,140
your servers may on‑prem, even from a virtual machine standpoint, a

14
00:00:54,140 --> 00:00:56,690
virtual TPM. No, it's different from that.

15
00:00:56,690 --> 00:01:00,740
Instead, your recovery key is going to be stored in Azure Key Vault,

16
00:01:00,740 --> 00:01:04,480
which I hope you're using anyway because it provides a really

17
00:01:04,480 --> 00:01:07,740
nice, safe way to store all of your secrets.

18
00:01:07,740 --> 00:01:08,270
In other words,

19
00:01:08,270 --> 00:01:12,390
secure string data, encryption keys, as well as digital certificates.

20
00:01:12,390 --> 00:01:17,910
And using Azure Resource Manager and the Key Vault API, you can easily

21
00:01:17,910 --> 00:01:20,690
fetch those and use them in your code,

22
00:01:20,690 --> 00:01:24,580
your solutions, etc. Now some additional points that may

23
00:01:24,580 --> 00:01:26,900
show up on your exam, kind of trivia,

24
00:01:26,900 --> 00:01:29,830
but, I mean, they have real‑world implications.

25
00:01:29,830 --> 00:01:33,490
Your Azure VMs need to be configured a bit differently

26
00:01:33,490 --> 00:01:35,680
from your on‑premises VMs. First of all,

27
00:01:35,680 --> 00:01:40,400
Azure VMs have to be configured to use 256‑bit recovery keys.

28
00:01:40,400 --> 00:01:44,440
You can do that in Group Policy. And if you're in a hybrid cloud with, say, an

29
00:01:44,440 --> 00:01:49,650
ExpressRoute circuit or a site‑to‑site VPN and you've domain joined those Azure

30
00:01:49,650 --> 00:01:55,790
Windows Server VMs, make sure that they're not getting GPOs pushed to them that

31
00:01:55,790 --> 00:02:00,310
specify TPM enforcement because, again, that's not part of the deal.

32
00:02:00,310 --> 00:02:03,730
That is to say you're just strictly using Azure Key Vault for

33
00:02:03,730 --> 00:02:07,490
your recovery key. Here I've created, again,

34
00:02:07,490 --> 00:02:13,220
a Lucidchart diagram that shows you the Azure resources involved in an

35
00:02:13,220 --> 00:02:17,530
Azure Disk Encryption solution. So we can have, starting from left to

36
00:02:17,530 --> 00:02:22,410
right, looking at a Windows Server VM running in Azure. We've got one

37
00:02:22,410 --> 00:02:26,350
and only one operating system disk and zero or more data disks.

38
00:02:26,350 --> 00:02:31,000
Depending upon the VM size, different VM sizes support different maximum

39
00:02:31,000 --> 00:02:32,720
numbers of data disks.

40
00:02:32,720 --> 00:02:35,970
You'll see in the demo that when you enable Azure Disk Encryption,

41
00:02:35,970 --> 00:02:41,740
you can choose to encrypt only the OS disk or the OS disk and all data disks.

42
00:02:41,740 --> 00:02:46,760
But here's a really big exam alert and reality check for you. Microsoft

43
00:02:46,760 --> 00:02:51,620
doesn't have you go directly from the VM disks into Key Vault.

44
00:02:51,620 --> 00:02:55,950
There's an intermediary resource necessary called the disk encryption set, and

45
00:02:55,950 --> 00:03:00,760
basically, that's simply a resource that maps into Key Vault.

46
00:03:00,760 --> 00:03:01,840
In other words,

47
00:03:01,840 --> 00:03:08,290
you generate an encryption key, a 256 AES key, that will live in Key

48
00:03:08,290 --> 00:03:13,120
Vault, and the disk encryption set is mapped to that key. And then,

49
00:03:13,120 --> 00:03:19,640
when you enable ADE on one or more VMs, you can either share the same DES key,

50
00:03:19,640 --> 00:03:22,700
or you can create different disk encryption sets

51
00:03:22,700 --> 00:03:29,000
depending upon your needs and so on, but you can share one key for convenience here.