
Azure Disk Encryption For Linux Virtual Machines

You can use the Azure portal or the Azure CLI to create Linux virtual machines. You can further protect the data on virtual machine disks using disk encryption. This article provides a high-level overview of disk encryption for Linux virtual machines.

You may want to get Azure access, if you do not have it already, to follow some of the steps.

How does it work?

For Linux virtual machines, Azure uses the DM-Crypt feature of Linux to provide encryption for both data and OS disks. DM-Crypt is a Linux-based transparent disk encryption system.

Azure currently supports disk encryption for only a subset of Azure-endorsed Linux distributions. There are also some minimum requirements which the virtual machine needs to fulfill.

From a cost perspective, there is no additional charge for encrypting Linux virtual machine disks.

For protecting the encryption keys you have two options:

  • you can use Azure Key Vault to store the encryption keys
  • you can import or generate your keys in hardware security modules (HSMs)

These keys are used for encrypting and decrypting the disks. You have control over their usage and you can always audit it.

An Azure Active Directory service principal provides a secure mechanism for issuing these keys.

How to apply it?

Below is an Azure CLI script which creates a virtual machine, creates a key vault and enables disk encryption.

# to create the virtual machine (it is placed in the resource group's location)
az vm create \
    --resource-group "sampleRG" \
    --name "myUbuntuVM" \
    --image "Canonical:UbuntuServer:16.04-LTS:latest" \
    --size "Standard_D2S_V3" \
    --generate-ssh-keys

# to create the key vault; it must be in the same region and subscription as the VM,
# and --enabled-for-disk-encryption lets the platform read its secrets during boot
az keyvault create \
    --name "myownkeyvault" \
    --resource-group "sampleRG" \
    --location "westeurope" \
    --enabled-for-disk-encryption

# to enable the disk encryption, storing the encryption key in the vault above
az vm encryption enable -g "sampleRG" \
    --name "myUbuntuVM" \
    --disk-encryption-keyvault "myownkeyvault"

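Enabling encryption is asynchronous, so a practitioner usually follows the script with a check that the operation completed. The helper below is an added example, not part of the original article: it reads the JSON printed by az vm encryption show and succeeds only when both the OS disk and the data disks report Encrypted. The field names osDisk and dataDisk follow that command's output; the two sample documents are constructed for offline use.

```shell
#!/bin/sh
# Added example: post-deployment gate for Azure Disk Encryption status.
# Field names (osDisk, dataDisk) follow `az vm encryption show`; the sample
# JSON below is constructed, not captured from a real virtual machine.

# Extract a top-level string field from a JSON document with sed only (no jq),
# working for both single-line and pretty-printed output.
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Return 0 only when OS disk and data disks both report "Encrypted".
# NotEncrypted, EncryptionInProgress, NotMounted or a missing field all fail,
# which is the safe default for a deployment gate.
disks_encrypted() {
    os=$(json_field osDisk "$1")
    data=$(json_field dataDisk "$1")
    [ "$os" = "Encrypted" ] && [ "$data" = "Encrypted" ]
}

# Live use:
#   disks_encrypted "$(az vm encryption show -g sampleRG --name myUbuntuVM -o json)" \
#       || { echo "disk encryption not complete" >&2; exit 1; }

# Constructed sample outputs for offline demonstration.
SAMPLE_OK='{
  "dataDisk": "Encrypted",
  "osDisk": "Encrypted",
  "osType": "Linux"
}'
SAMPLE_PARTIAL='{"dataDisk":"NotEncrypted","osDisk":"Encrypted","osType":"Linux"}'
```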

If you want to enable it using the Azure portal, go to your virtual machine resource. You should see the Disks option in the left pane. If you select Disks, a new dialog opens on the right side with an Encryption button at the top.

This was a short article providing a high-level overview of how you can enable disk encryption on a Linux virtual machine. If you are interested in knowing more, please check the MSDN article.
