In this article, I will guide you through managing disk encryption keys for an Azure virtual machine by using Azure Key Vault, which stores the customer-managed keys used to encrypt our data disks.
Configuring the disk encryption keys takes the following steps:
- Create an Azure Key Vault
- Generate the Key
- Control access to the Key Vault
- Create a Disk Encryption Set
Step 1. Create an Azure Key Vault
Azure Key Vault is a cloud-based key management solution that helps secure cryptographic keys, passwords, and certificates that can be stored in a vault.
Sign in to the Azure portal using your Microsoft credential at https://portal.azure.com/
Select All services
Search for Key Vault by keyword
Select Key Vault from the list shown
Click Create
Provide the following information to create the key vault:
- Subscription: Select a Subscription
- Resource Group: Create a Resource Group
- Key Vault Name: provide a unique name
- Region: Select the Azure Region
- Pricing Tier: Select the Pricing tier
Leave the rest at the defaults and select Next
For the Permission model, select Vault access policy, since we will configure a vault access policy
Then select the resource access you need and click Review + create
After validation passes, click Create
Once deployment is complete, click Go to resource
Step 2. Generate a Key
Go to the Key Vault (Demo-AzKeyVault)
Select Keys, then click Generate/Import
Enter a Name and fill in the remaining options as you like
Then click Create
Step 3. Control access to the key Vault
Assign the "Owner" role for the subscription
Go to the Key Vault, then select Access control (IAM)
Click + Add and select Add role assignment
Under Role, select the role that grants the permission
Click Members, then Select members, and search for the member to assign the permission to
Then select Next, and then Review + assign
Step 4. Create a disk encryption set
Go to All services
Search for Disk Encryption Set by keyword
Select Disk Encryption Sets from the search results
Click Create disk encryption set
Provide the following information to create the disk encryption set:
- Subscription: Select a Subscription
- Resource Group: select the same resource group as your Key Vault
- Disk Encryption set name: Demo-DiskEncrptSet
- Region: select the same region as your key Vault
- Encryption Type: select "Encryption at-rest with a customer-managed key"
- Encryption key: select the Azure Key Vault and Key
- Key Vault: Select the Key Vault
- Key: Select the Key
Then click Review + create
After validation passes, click Create
Once deployment is complete, click Go to resource
"To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault Demo-AzKeyVault"
Click this message to grant the permissions
Then go to Virtual machines
Select your virtual machine, click Disks, then choose the disk to encrypt, either the OS disk or a data disk.
In my case, I chose the OS disk
Click Encryption
Under Key management, choose your customer-managed key
Click Save; the disk is now updated with the new key, and the same can be done for the other disks. The disk is now encrypted with the new customer-managed key