WHY US

What's Hyperconvergence?

Why Hyperconvergence?

Who's Virtual SAN?

What's Software-Defined Storage?

Why Software-Defined Storage?

Who's HCI Appliance?

What's All-Flash Exactly?

Why All-Flash Exactly?

Who's Virtual Tape Library?
HCI Appliance
Modern data center building block. A powerful, easy-to-use hyperconverged platform

Request a quote Request a quote

Virtual HCI Appliance
Exact set of software components powering our HCI appliance, pre-packaged and ready to install on your own hardware

Book a demo Book a demo

Virtual HCI Appliance Free
Self-supported, KVM-based version of StarWind Virtual HCI Appliance, available for free

Virtual SAN
“Software replaces hardware” for SAN, application that eliminates a requirement in a physical shared storage

Download Download

Virtual SAN Free
Experience all the essential features in a self-supported, free version of StarWind VSAN

VTL Appliance
Immutable, ransomware-proof backup and archive target

Virtual Tape Library
“Software replaces hardware” for tape libraries

Virtual Tape Library Free
All the essentials features of StarWind VTL, for free

NVMe-oF Initiator
High-performance NVMe over Fabrics initiator for Windows

NVMe-oF Initiator Free
Essential features of NVMe-oF Initiator, available at no cost

Backup Appliance
All-in-one choice to safeguard your mission-critical data.

Free tools

V2V Converter / P2V Converter

RDMA Performance Benchmark

Deduplication Analyzer

Tape Redirector

RAM Disk
Pricing

Our Vision

Licensing Models
Resources

Use Cases

Webinars

White Papers

Best Practices

Success Stories

Release Notes

Technical Papers
Blog
SUPPORT

Community Forums

FAQ

Knowledge Base

Product Lifecycle

StarWind VSAN Help

Product Security

StarWind V2V Help

System Requirements

Contact Support

If you encounter any challenges or technical issues with StarWind products, we encourage you to reach our Technical Support department.

Submit Ticket
Partners

OEM Solutions

Become a Reseller

Find a Reseller

VAR Portal
About us

Management

Certifications

Events

Our Customers

Press Releases

Product Reviews

Contact us
- - DE
  - ES
Book a demo

Home
Blog
Encrypt your Azure VM with Azure Disk Encryption

StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Find out how HCI cuts down virtualization costs and complexity

Encrypt your Azure VM with Azure Disk Encryption

September 8, 2021
5 min read

Romain Serre

IT and Virtualization Consultant. Romain is specializing in Microsoft technologies such as Hyper-V, System Center, storage, networking, and MS Azure. He is a Microsoft MVP and MCSE in Server Infrastructure and Private Cloud.

IT and Virtualization Consultant. Romain is specializing in Microsoft technologies such as Hyper-V, System Center, storage, networking, and MS Azure. He is a Microsoft MVP and MCSE in Server Infrastructure and Private Cloud.

When you deploy virtual machines in Microsoft Azure, they come without Bitlocker enabled. That can be a problem regarding your corporate security policy. To encrypt your Windows Azure VM (or Linux with DM-Crypt), we can leverage Azure Disk Encryption (ADE). ADE provides volume encryption of Azure VM through Bitlocker or DM-Crypt.

Because there is no TPM, ADE requires a secret to encrypt data. This secret comes from Azure Key Vault which is a cloud service for securely storing and accessing secrets. To protect this secret, you can generate a key from Azure Key Vault. You can also bring your own key via your own HSM device. In this topic we’ll see how to configure both services to encrypt a Windows Azure VM.

N.B: In this topic you will see that all the configuration is easy. However, I recommend you take your time to configure Azure Key Vault especially the key part. All the security is based on the key, and I heavily recommend you to bring your own key.

Configure Azure Key Vault

First, we need to set up Azure Key Vault to allow access to Azure Disk Encryption. To do so, navigate to your Azure Key Vault and select Access Policies.

In Access Policies, be sure that Azure Disk Encryption for volume encryption is enabled.

Next, we need a key. For that navigate to Keys in Azure Key Vault. Select Generate / Import.

In this menu you have two options: either you generate a key that will be known by Microsoft, or you can import your own key that is known only by your corporation. For sensitive information, I recommend importing your own key.

For this example, I generate a key. In the documentation (Enable Azure Disk Encryption for Windows VMs – Azure Virtual Machines | Microsoft Docs), Microsoft indicates that the key should be RSA 2048 bits.

At this point, Azure Key Vault is configured for ADE.

Enable Azure Disk Encryption

To enable Azure Disk Encryption, your Azure VM must be power on. Navigate to your Azure VM, then select Disks. Next select Additional settings.

In additional settings, select the disk you want to encrypt and then select the key vault, the key and the version.

As soon as you click on OK in Azure Disk Encryption settings, Bitlocker is enabled in the Azure VM and the disk is encrypting.

Hey! Found Romain’s article helpful? Looking to deploy a new, easy-to-manage, and cost-effective hyperconverged infrastructure?

Alex Bykovskyi StarWind Virtual HCI Appliance Product Manager

Well, we can help you with this one! Building a new hyperconverged environment is a breeze with StarWind Virtual HCI Appliance (VHCA). It’s a complete hyperconverged infrastructure solution that combines hypervisor (vSphere, Hyper-V, Proxmox, or our custom version of KVM), software-defined storage (StarWind VSAN), and streamlined management tools. Interested in diving deeper into VHCA’s capabilities and features? Book your StarWind Virtual HCI Appliance demo today!