Encrypting Disks of Virtual Machines in Microsoft Azure

After completing the setup of a virtual machine in Azure, it is worth to have a look at the advisor recommendations. One of the recommendations I found was “Disk encryption should be applied on virtual machines“. But enabling disk encryption will have its price. And probably there is no need for action.

Note: This post is part of a series of postings describing several aspects I found noticeable or good to know when I recently created a virtual machine in Microsoft Azure. “Notes and Observations when setting up a Virtual Machine in Microsoft Azure” gives an overview of all parts of the series.

Encryption Preconditions

There are some preconditions / requirements your VM setup must meet to enable Azure Disk Encryption (ADE). Here’s a short list for Windows VMs:

  • VM size (eg. ADE does not support Basic, A-series VMs or VMs with less than 2GB)
  • Operating system (client: Windows 8 or later, server: Windows Server 2008 R2 or later)
  • Networking requirements
  • Group Policy requirements
  • Encryption key storage requirements

Azure Disk Encryption for Windows VMs” lists all details.
The same kind of list is available for Linux VMs too.
These links also contain links to guide to fulfill the requirements, so I will not present the details here.

When you create the key vault, make sure it’s region matches to the region of the VM. Otherwise, you will not be able to start the ADE.

Encrypt the Disk

Once all requirements are fulfilled, a simple Azure CLI statement will start the encryption (PowerShell can be used too). In fact, on Windows VMs, it starts BitLocker encryption for all volumes of the VM.

az vm encryption enable --resource-group group-name --name vm-name --disk-encryption-keyvault key-vault-name --volume-type all

az vm encryption disable ... disables encryption in case it is not needed / wanted any more.

Major Limitation: Limited Restore Options

Once disk encryption is enabled, the docs are clear what is possible and what is not:

Encrypted VMs can only be restored by restoring the VM disk as explained below. Replace existing and Restore VM aren’t supported.“(see “Restore an encrypted VM“).

This chapter also describes how to restore encrypted VMs.

Is it needed?

Well, I don’t think so, as long as we talk about managed disks. According to the docs, “Azure managed disks automatically encrypt your data by default when persisting it to the cloud. Server-side encryption (SSE) protects your data and helps you meet your organizational security and compliance commitments.

The only limitation is that temporary disks are currently not encrypted by SSE, because they are not managed disks. As Microsoft recommends not to put any user data on that disk (except TempDB for mission critical SQL Server workload, in case drive D is a SSD), I can’t see the need to encrypt it.

So in case you really really want to encrypt drive D, either use ADE with the --volume-type all parameter, or, for Windows user, encrypt it on the VM using BitLocker.

Links

Azure Advisor
Notes and Observations when setting up a Virtual Machine in Microsoft Azure
Azure Security Recommendations Reference Guide
Azure Disk Encryption for Windows VMs
Azure Disk Encryption for Linux VMs
Restore an encrypted VM
Server-side encryption of Azure managed disks