Enable BitLocker Encryption Key (BEK)

There are two ways to enable BitLocker encryption on an Azure VM: via PowerShell or through the Azure Portal. In this post, we will focus on using PowerShell.

Note: On Server Core, the Azure Disk Encryption extension needs additional files before it can enable BitLocker. These files belong to the BitLocker Encryption Hard Disk Configuration tool (bdehdcfg). Read more here.

From the Azure Portal:

  1. Select the VM > Disks blade > [Encryption]
  2. Select what to encrypt (OS only or OS and Data disks), Key vault and accept the prompt for VM reboot

Via Azure CLI:

az vm encryption enable -g Servers --name server1 --disk-encryption-keyvault /subscriptions/aaaa-bbbb-cccc-dddd-eeee-1234/resourceGroups/Vaults/providers/Microsoft.KeyVault/vaults/MyVaultName

Note: Passing the full Key Vault resource ID is handy when the VM and the Key Vault live in different resource groups.

Either in a local PowerShell session or in Cloud Shell, define the variables and run the following script:

$SubscriptionID = "aaaa-bbbb-cccc-dddd-eeee-12345"
Login-AzureRmAccount -Subscription $SubscriptionID
$vmRgName = "Servers"                # Resource group of the VM
$VaultRgName = "Vault"               # Resource group of the Key Vault
$vmName = "test"                     # Host name
$aadClientID = "bla-bla-bla"         # Application (client) ID of the AAD app used by the extension
$aadClientSecret = "blablabla&*^"    # Generate the secret if you don't have one and follow the steps below
$KeyVaultName = "MyVaultName"
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $VaultRgName
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
# Allow the Azure platform to store the BitLocker secrets in this vault
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $VaultRgName -EnabledForDiskEncryption

Enable BitLocker for only the OS volume:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $vmRgName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType OS -SkipVmBackup

Enable BitLocker for both OS and Data volumes:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $vmRgName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType All -SkipVmBackup

Note: Enabling v2 of the AzureDiskEncryptionExtension doesn’t create a BEK volume.
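After the extension has been applied it is worth confirming, from the platform's side, that the vault is actually usable for disk encryption and that the VM reports its volumes as encrypted. The following check is an added example, not part of the original post; it assumes the variables defined in the script above ($vmRgName, $vmName, $KeyVaultName, $VaultRgName) are still set in the session.

```powershell
# Added verification script (not from the original post). Uses the AzureRM cmdlets the post
# relies on and assumes $vmRgName, $vmName, $KeyVaultName and $VaultRgName are already defined.

# 1. The vault must be enabled for disk encryption, otherwise the extension cannot store the BEK.
$vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $VaultRgName
if (-not $vault.EnabledForDiskEncryption) {
    Write-Warning "Key Vault '$KeyVaultName' is not enabled for disk encryption; the extension will fail."
}

# 2. Ask the platform what it believes the VM's encryption state to be.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $vmRgName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage

# 3. Anything other than 'Encrypted' on the OS volume is a finding. Data volumes report
#    'NotMounted' when the VM has no data disks, which is expected rather than a failure.
$osState   = "$($status.OsVolumeEncrypted)"
$dataState = "$($status.DataVolumesEncrypted)"
$osOk   = $osState -eq 'Encrypted'
$dataOk = $dataState -in @('Encrypted', 'NotMounted')
if (-not ($osOk -and $dataOk)) {
    Write-Warning "VM '$vmName' is not fully encrypted (OS=$osState, Data=$dataState). $($status.ProgressMessage)"
}

# 4. Confirm the BEK secret referenced by the OS volume lives in the vault you expect,
#    not in some other vault a previous run or another operator pointed the VM at.
$settings = $status.OsVolumeEncryptionSettings
if ($settings -and $settings.DiskEncryptionKey) {
    $secretUrl = $settings.DiskEncryptionKey.SecretUrl
    if ($secretUrl -notlike "$($vault.VaultUri)*") {
        Write-Warning "OS volume BEK secret is stored at $secretUrl, not under $($vault.VaultUri)."
    }
}

# 5. Inside the guest, BitLocker itself should agree. Run this from the VM, not from the management host:
#    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Re-run the check after the reboot the extension triggers; until then the platform status typically shows an in-progress or restart-pending state rather than Encrypted.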