Create and configure virtual machines (VMs)
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. What is Azure Disk Encryption?
Azure Disk Encryption uses:
- BitLocker → For Windows VMs
- dm-crypt → For Linux VMs
Both tools encrypt the disk at the operating system level.
ADE protects, on both Windows and Linux VMs:
- OS Disk
- Data Disks
- Temporary Disk (only certain scenarios)
By enabling ADE, all disk data is stored in an unreadable (encrypted) form. Only authorized systems in Azure can decrypt it during boot.
2. Why is Azure Disk Encryption needed?
In a typical IT environment, administrators often create, back up, copy, or move VM disk files (VHDs). Without encryption, anyone who obtains a copy of the VHD could mount it and read the data.
With encryption:
- Sensitive information (application files, logs, source code, configuration files, credentials cached on disk) becomes protected.
- Compliance requirements (ISO, HIPAA, PCI-DSS) can be met.
- Only Azure systems with the correct encryption keys can unlock the disks.
3. How Azure Disk Encryption Works
ADE uses:
A. Encryption Keys
- Data Encryption Key (DEK)
  - Automatically created
  - Used to encrypt the disk contents
- Key Encryption Key (KEK)
  - Optional
  - Protects (wraps) the DEK
  - Stored in Azure Key Vault
B. Azure Key Vault
ADE requires Azure Key Vault to store encryption keys and secrets.
Minimum requirements for Key Vault:
- Must be in the same region as the VM.
- Must have Soft Delete enabled.
- Must have Purge Protection enabled.
- VM must have permission to access the Key Vault.
4. Azure Disk Encryption Options
Azure now provides two major encryption options:
Option 1: Server-Side Encryption (SSE) — Default
This applies automatically on all managed disks:
- SSE with platform-managed keys
- Or SSE with customer-managed keys (CMK)
SSE encrypts disks at rest, at the storage level.
Note:
SSE is now the recommended method by Microsoft for most workloads.
Option 2: Azure Disk Encryption (ADE) — Optional
Enables OS-level encryption using BitLocker or dm-crypt.
Use ADE when you require:
- OS-level encryption for compliance
- Encryption controlled by Key Vault
- Additional protection beyond SSE
5. Requirements for Azure Disk Encryption
A. For the Virtual Machine
- Must be a supported OS version
- Must use Managed Disks
- VM must not be in a failed or stopped (deallocated) state
B. For Azure Key Vault
- Soft Delete = Enabled
- Purge Protection = Enabled
- Access Policies:
  - “Get”, “List”, “Wrap”, “Unwrap” for Keys
  - “Get”, “List” for Secrets
C. Network Requirements
If using private endpoints or restricted networks:
- Key Vault must be reachable
- Azure AD endpoints must be reachable
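The Key Vault prerequisites in sections 3B and 5B are easy to miss until `az vm encryption enable` fails. The following Python script, an added example and not part of the original notes or of Microsoft's tooling, checks a vault's `az keyvault show -o json` output against those prerequisites before you attempt encryption. It goes one step beyond the list above by also checking the vault's `enabledForDiskEncryption` flag (set with `az keyvault create` or `az keyvault update --enabled-for-disk-encryption`), which ADE needs as well. The field names follow the az CLI output layout; the vault JSON and the principal object id are constructed for the example.

```python
"""Pre-flight check of a Key Vault against the ADE prerequisites above.

Added example (not part of the original notes). It reads the JSON that
`az keyvault show --name <vault> --resource-group <rg> -o json` prints.
The field names ("location", "properties.enableSoftDelete",
"properties.enablePurgeProtection", "properties.enabledForDiskEncryption",
"properties.accessPolicies[].permissions.keys/secrets") follow the az CLI
output layout; the sample document itself is constructed for this example.
"""
import json

# Constructed sample: a vault created with defaults. Soft delete is on,
# but purge protection was never set (az prints null for unset flags),
# and the vault has not been enabled for disk encryption.
SAMPLE_VAULT_JSON = """
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG/providers/Microsoft.KeyVault/vaults/MyKeyVault",
  "location": "westeurope",
  "name": "MyKeyVault",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "enabledForDiskEncryption": false,
    "vaultUri": "https://mykeyvault.vault.azure.net/",
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"keys": ["get", "list"], "secrets": ["get", "list"]}
      }
    ]
  }
}
"""

# Permissions listed in section 5B (az prints them as wrapKey/unwrapKey).
REQUIRED_KEY_PERMS = {"get", "list", "wrapkey", "unwrapkey"}
REQUIRED_SECRET_PERMS = {"get", "list"}


def ade_keyvault_findings(vault_json: str, vm_location: str, principal_object_id: str) -> list[str]:
    """Return the reasons the vault is NOT ready for ADE; an empty list means ready.

    principal_object_id is the object id whose access policy is checked
    (the value used in the sample is hypothetical).
    """
    vault = json.loads(vault_json)
    props = vault.get("properties") or {}
    findings = []

    # Key Vault must be in the same region as the VM.
    if (vault.get("location") or "").lower() != vm_location.lower():
        findings.append(f"region mismatch: vault in {vault.get('location')!r}, VM in {vm_location!r}")

    # Soft delete and purge protection must both be enabled. `is not True`
    # catches both false and null (flag never set).
    if props.get("enableSoftDelete") is not True:
        findings.append("soft delete is not enabled")
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection is not enabled")

    # The vault must allow the platform to read disk-encryption secrets;
    # this is the az flag --enabled-for-disk-encryption.
    if props.get("enabledForDiskEncryption") is not True:
        findings.append("vault is not enabled for disk encryption")

    # The access policy for the given principal must cover the permissions in 5B.
    policy = next((p for p in props.get("accessPolicies") or [] if p.get("objectId") == principal_object_id), None)
    if policy is None:
        findings.append(f"no access policy for principal {principal_object_id}")
    else:
        perms = policy.get("permissions") or {}
        keys = {k.lower() for k in perms.get("keys") or []}
        secrets = {s.lower() for s in perms.get("secrets") or []}
        if missing := REQUIRED_KEY_PERMS - keys:
            findings.append("missing key permissions: " + ", ".join(sorted(missing)))
        if missing := REQUIRED_SECRET_PERMS - secrets:
            findings.append("missing secret permissions: " + ", ".join(sorted(missing)))
    return findings


def is_ade_ready(vault_json: str, vm_location: str, principal_object_id: str) -> bool:
    """Convenience wrapper: True when no findings remain."""
    return not ade_keyvault_findings(vault_json, vm_location, principal_object_id)


if __name__ == "__main__":
    for line in ade_keyvault_findings(SAMPLE_VAULT_JSON, "westeurope", "11111111-1111-1111-1111-111111111111"):
        print("NOT READY:", line)
```

Run it against real output by piping `az keyvault show ... -o json` into a file and passing its contents to `ade_keyvault_findings` together with the VM's region (from `az vm show --query location`). Each finding maps directly to one of the requirements above, so an empty list before enabling ADE avoids the most common failure in Scenario 4 (purge protection disabled).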
6. How to Enable Azure Disk Encryption
You can enable ADE in multiple ways:
A. Through the Azure Portal
- Go to the Virtual Machine
- Select Disks
- Choose Encryption
- Select Azure Disk Encryption (ADE)
- Pick:
  - Key Vault
  - Key Encryption Key (optional)
- Click Save
Azure applies encryption in the background. A VM restart may occur.
B. Using Azure CLI
For Windows:
```shell
# Windows VM: enable ADE, storing the encryption secrets in MyKeyVault
az vm encryption enable \
  --resource-group MyRG \
  --name MyVM \
  --disk-encryption-keyvault MyKeyVault
```
For Linux:
```shell
# Linux VM: --volume-type ALL covers the OS and data volumes
az vm encryption enable \
  --resource-group MyRG \
  --name MyVM \
  --disk-encryption-keyvault MyKeyVault \
  --volume-type ALL
```
C. Using PowerShell
```powershell
# Look up the vault once; the cmdlet needs both its URL and its resource ID
$kv = Get-AzKeyVault -VaultName MyKeyVault -ResourceGroupName MyRG
$kvUrl = $kv.VaultUri
$kvResId = $kv.ResourceId
Set-AzVMDiskEncryptionExtension `
  -ResourceGroupName MyRG `
  -VMName MyVM `
  -DiskEncryptionKeyVaultUrl $kvUrl `
  -DiskEncryptionKeyVaultId $kvResId
```
7. Monitoring Disk Encryption Status
Azure provides a simple check:
- Go to VM → Settings → Disks → Encryption
- View:
- OS Disk Encryption status
- Data Disk Encryption status
Or using CLI:
```shell
az vm encryption show --name MyVM --resource-group MyRG
```
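For auditing more than one VM, the `az vm encryption show` output is easier to consume as JSON (`-o json`). The following Python helper, an added example rather than part of the original notes, summarises that JSON per disk and lists any disk that is not reported as encrypted. The output layout it assumes (a `disks` array whose entries carry `statuses` with a code of the form `EncryptionState/...`) matches what the CLI prints; the sample document is constructed.

```python
"""Summarise `az vm encryption show` output for a monitoring/compliance sweep.

Added example (not part of the original notes). It assumes the output
layout of `az vm encryption show --name <vm> --resource-group <rg> -o json`:
a top-level "disks" array where each disk carries a "statuses" list whose
"code" starts with "EncryptionState/". The sample document is constructed.
"""
import json

# Constructed sample: OS disk encrypted, one data disk still unencrypted.
SAMPLE_STATUS_JSON = """
{
  "disks": [
    {
      "name": "MyVM_OsDisk_1_0000",
      "encryptionSettings": null,
      "statuses": [
        {"code": "EncryptionState/encrypted", "displayStatus": "Encryption is enabled on disk", "level": "Info"}
      ]
    },
    {
      "name": "MyVM_DataDisk_0",
      "encryptionSettings": null,
      "statuses": [
        {"code": "EncryptionState/notEncrypted", "displayStatus": "Encryption is not enabled", "level": "Info"}
      ]
    }
  ],
  "status": [
    {"code": "ProvisioningState/succeeded", "displayStatus": "Provisioning succeeded", "level": "Info"}
  ]
}
"""


def disk_encryption_states(report_json: str) -> dict[str, str]:
    """Map each disk name to its EncryptionState value (e.g. 'encrypted').

    A disk with no EncryptionState status is reported as 'unknown' rather
    than silently treated as encrypted.
    """
    report = json.loads(report_json)
    states = {}
    for disk in report.get("disks") or []:
        state = "unknown"
        for status in disk.get("statuses") or []:
            code = status.get("code") or ""
            if code.startswith("EncryptionState/"):
                state = code.split("/", 1)[1]
                break
        states[disk.get("name", "<unnamed>")] = state
    return states


def unencrypted_disks(report_json: str) -> list[str]:
    """Names of disks that are not reported as encrypted (the ones to act on)."""
    return [name for name, state in disk_encryption_states(report_json).items() if state != "encrypted"]


def vm_fully_encrypted(report_json: str) -> bool:
    """True only when the report lists at least one disk and every disk is encrypted."""
    states = disk_encryption_states(report_json)
    return bool(states) and not unencrypted_disks(report_json)


if __name__ == "__main__":
    for name, state in disk_encryption_states(SAMPLE_STATUS_JSON).items():
        print(f"{name}: {state}")
    print("fully encrypted:", vm_fully_encrypted(SAMPLE_STATUS_JSON))
```

Treating a missing status as `unknown` instead of encrypted matters in a compliance sweep: a VM whose extension has not reported yet should show up for review, not pass silently.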
8. What Happens After Encryption?
- The VM continues to operate normally
- Encryption keys remain in Key Vault
- Azure handles decryption automatically when the VM runs
- You cannot manually mount the disk without the keys
- Disk snapshots and images also stay encrypted
9. Limitations of Azure Disk Encryption (Exam Important)
- ADE requires Key Vault, while SSE does not.
- ADE requires a VM Agent inside the VM.
- ADE is not supported on:
  - Ultra disks
  - Shared disks
  - Certain Linux distros
  - Generation 2 VMs (in some older OS versions)
- ADE may cause longer provisioning times.
- Backup/restore operations use encrypted storage, but may need key access.
The exam often asks about these limitations.
10. When to Use ADE vs SSE (Common Exam Question)
| Requirement | Use SSE | Use ADE |
|---|---|---|
| Automatically encrypted storage disks | ✔️ | |
| Need OS-level encryption (BitLocker/dm-crypt) | | ✔️ |
| Need Key Vault integration | Optional | Required |
| Most modern workloads | ✔️ | |
| Strict regulatory/compliance | Maybe | ✔️ |
Best practice recommended by Microsoft:
Use SSE with CMK unless ADE is specifically required.
11. Common Exam Scenarios
Scenario 1: You need encryption controlled entirely by your organization.
- Use SSE with customer-managed keys
- Store keys in Key Vault
Scenario 2: You need OS-level encryption using BitLocker.
- Use Azure Disk Encryption (ADE)
Scenario 3: VM cannot access Key Vault due to firewall rules.
- Add network access rules, private endpoints, or service endpoints.
Scenario 4: Key Vault purge protection is disabled.
- ADE will fail to enable.
Scenario 5: VM uses unmanaged disks.
- ADE does not support unmanaged disks.
12. Best Practices for Azure Disk Encryption
- Use Managed Disks only.
- Store KEK (Key Encryption Keys) in Key Vault for maximum control.
- Enable Soft Delete and Purge Protection in Key Vault before deployment.
- Ensure network connectivity between VM and Key Vault.
- Use Azure Policy to enforce encryption across the subscription.
- Regularly rotate encryption keys.
Conclusion
Azure Disk Encryption (ADE) is a key part of securing virtual machines in Azure. For the AZ-104 exam, make sure you understand:
- What ADE does
- How it uses BitLocker and dm-crypt
- How Key Vault stores keys
- How to enable encryption
- Requirements and limitations
- Differences between SSE and ADE
Mastering these concepts ensures you can secure VMs properly in real IT environments and confidently answer exam questions.
