In the previous article, we had a look at a high-level overview of how the encryption of Linux VM disks works and how to enable it using the CLI.
Let's find out how it works for Windows virtual machines.
How does it work?
Azure uses the BitLocker feature of Windows 10 to provide volume encryption of the data and operating system disks. Disk encryption for Windows machines is integrated with Azure Key Vault to help protect the encryption keys and secrets.
Disk encryption is not possible if the virtual machine has less than 2 GB of memory. It is also not available for the Basic A series of virtual machines.
There is no additional cost for enabling encryption on the disks.
From a networking perspective, the virtual machine should be
- able to reach the Azure Active Directory endpoint, to obtain an access token for Azure Key Vault
- able to connect to the Key Vault endpoint to read/write the keys
- able to connect to the storage account where the VHD file is stored
How to apply it?
Below is an example Azure CLI script which creates a Windows virtual machine, creates a Key Vault, and then enables disk encryption for the virtual machine.
# To create the virtual machine
az vm create \
  --resource-group samplesRG \
  --name myWindowsVM \
  --image win2016datacenter \
  --admin-username azureuser \
  --admin-password myPassword12

# To create the key vault
# (it must be in the same region and subscription as the VM, and the name must be globally unique)
az keyvault create --name "myKV" \
  --resource-group "samplesRG" \
  --location westeurope \
  --enabled-for-disk-encryption

# To enable the encryption
az vm encryption enable -g samplesRG \
  --name myWindowsVM \
  --disk-encryption-keyvault myKV
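As an added example (not part of the original article), the following bash script wraps the same az commands in the preflight and verification steps a practitioner would want: it checks the VM size against the two constraints stated above (no Basic A series, at least 2 GB of memory), validates the Key Vault name, enables encryption for all volumes, and then confirms that every disk reports the encrypted state. The resource names are placeholders, the Key Vault naming rule (3 to 24 characters, starting with a letter, letters, digits and hyphens only) is a necessary condition rather than the complete rule, and the per-disk status codes checked in all_disks_encrypted are the EncryptionState/* codes that `az vm encryption show` reports; the status lines fed to it in testing are constructed. The az calls only run when ADE_RUN=1 is set, so the check functions can be exercised without an Azure subscription.

```shell
#!/usr/bin/env bash
# Added example: preflight checks, enablement and verification for Azure Disk
# Encryption on a Windows VM. Resource names are placeholders (assumption);
# override them via the environment, e.g. KV=my-unique-kv ADE_RUN=1 ./ade.sh
set -eu

RG="${RG:-samplesRG}"
VM="${VM:-myWindowsVM}"
KV="${KV:-myKV}"                  # Key Vault names are globally unique: change this
LOCATION="${LOCATION:-westeurope}" # must match the VM's region

# Basic A-series sizes (Basic_A0 .. Basic_A4) do not support disk encryption.
size_family_eligible() {
  case "$1" in
    [Bb]asic_[Aa]*) return 1 ;;
    *)              return 0 ;;
  esac
}

# Encryption needs at least 2 GB of VM memory; the argument is in MB.
memory_eligible() {
  [ "$1" -ge 2048 ]
}

# Necessary Key Vault naming conditions: 3-24 characters, first one a letter,
# the rest letters, digits or hyphens (assumption: the service applies further rules).
kv_name_valid() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{2,23}$'
}

# Reads one status code per line, as produced by
#   az vm encryption show ... --query "disks[].statuses[].code" -o tsv
# and succeeds only when at least one disk was reported and every disk is encrypted.
all_disks_encrypted() {
  n=0
  ok=0
  while IFS= read -r code; do
    [ -z "$code" ] && continue
    n=$((n + 1))
    [ "$code" = "EncryptionState/encrypted" ] && ok=$((ok + 1))
  done
  [ "$n" -gt 0 ] && [ "$n" -eq "$ok" ]
}

main() {
  size="$(az vm show -g "$RG" -n "$VM" --query hardwareProfile.vmSize -o tsv)"
  size_family_eligible "$size" || { echo "VM size $size does not support disk encryption" >&2; return 1; }

  mem="$(az vm list-sizes -l "$LOCATION" --query "[?name=='$size'].memoryInMb | [0]" -o tsv)"
  memory_eligible "$mem" || { echo "VM has ${mem} MB of memory; at least 2048 MB is required" >&2; return 1; }

  kv_name_valid "$KV" || { echo "invalid Key Vault name: $KV" >&2; return 1; }

  # The vault must be enabled for disk encryption so the VM's BitLocker keys can be stored in it.
  az keyvault create --name "$KV" --resource-group "$RG" --location "$LOCATION" \
    --enabled-for-disk-encryption

  az vm encryption enable -g "$RG" --name "$VM" \
    --disk-encryption-keyvault "$KV" --volume-type ALL

  # Verify: every disk must report EncryptionState/encrypted. Encryption of a
  # Windows VM can take a while, so re-run this check if it is still in progress.
  if az vm encryption show -g "$RG" -n "$VM" --query "disks[].statuses[].code" -o tsv \
       | all_disks_encrypted; then
    echo "all disks of $VM are encrypted"
  else
    echo "encryption of $VM is not (yet) complete" >&2
    return 1
  fi
}

# Only talk to Azure when explicitly asked; sourcing the file exposes the checks.
if [ "${ADE_RUN:-0}" = "1" ]; then
  main
fi
```

The verification step is what turns "I ran the enable command" into evidence: the extension can succeed on one volume and not the other, so the check insists on every disk reporting the encrypted state rather than on the exit code of `az vm encryption enable` alone.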
I hope this short article was useful in getting you started with disk encryption. You can refer to the Azure documentation to learn more about this topic.