Azure Disk Encryption for Linux and Windows Virtual Machines-Public Preview Now Available


DOWNLOAD THE AZURE DISK ENCRYPTION WHITE PAPER

In this blog post, Devendra Tiwari, Principal Program Manager in the Azure Security Engineering team, lets you know about a great new security capability in Microsoft Azure.

Today we are announcing public preview availability of Azure Disk Encryption for Windows and Linux IaaS VMs!

Azure Disk Encryption is a new capability that lets you encrypt your Windows and Linux IaaS VM disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide OS and data disk encryption to help protect and safeguard your data. It also can help you meet organizational security and compliance commitments.

The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your Key Vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage.

Encryption Scenarios

The Azure Disk Encryption solution supports the following three customer encryption scenarios:

  • Encryption of new IaaS VMs created from Customer Encrypted VHD and encryption keys
  • Encryption of new IaaS VMs created from the Azure Gallery
  • Encryption of existing IaaS VMs already running in Azure

In the Public Preview release, the Azure Disk Encryption solution supports the following for IaaS VMs when enabled in Microsoft Azure:

We are excited to have this very important feature available for public preview. The Azure Disk Encryption whitepaper provides detailed guidance on how to use the Azure Disk Encryption features, including key scenarios and the user experiences.

And for a quick start experience on how to use PowerShell to configure Azure Disk Encryption check out Explore Azure Disk Encryption with Azure PowerShell and Explore Azure Disk Encryption with Azure PowerShell – Part 2.

NOTE:
Please use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version, Azure PowerShell 1.2.1. Azure Disk Encryption is NOT supported by Azure PowerShell SDK version 1.1.0. If you are receiving an error related to using Azure PowerShell 1.1.0, please see the article Azure Disk Encryption Error Related to Azure PowerShell 1.1.0.

Your input is very important to us and we use it to evolve the service so that it gives you the features and capabilities you need. Please provide feedback and questions by visiting the Azure Disk Encryption MSDN forum.

If you don’t have an Azure subscription yet, it’s easy to get an Azure free trial so that you can test Azure Disk Encryption.

Give Azure Disk Encryption a try and let us know what you think!

Frequently Asked Questions with Answers

Q: What user experiences are available with Azure Disk Encryption?
A: Azure Disk Encryption public preview supports Azure Resource Manager templates, Azure PowerShell, and the Azure CLI. This gives you a lot of flexibility, in that you have three different options for enabling disk encryption for your IaaS VMs. More details on the user experience and step-by-step guidance are available in the Azure Disk Encryption whitepaper.

Q: How much does Azure Disk Encryption cost?
A: There is no charge for encrypting VM disks with Azure Disk Encryption during the public preview. We expect this to continue to be the case after Disk Encryption is generally available. However, pricing is subject to change based on market and competitive landscape.

Q: What virtual machine tiers can I use Azure Disk Encryption with?
A: Azure Disk Encryption is available only on Standard Tier virtual machines, including A, D, and G Series VMs. It is not available on Basic Tier VMs. DS Series (premium storage) VM support will be available after the public preview.

Q: How can I get started using Azure Disk Encryption?
A: Customers can learn how to get started by reading the Azure Disk Encryption whitepaper.

Q: Does Azure Disk Encryption integrate with Azure Key Vault?
A: Yes, Azure Disk Encryption uses Azure Key Vault as its encryption key store to safeguard secrets and keys in your Key Vault subscription.

Q: Does Azure Disk Encryption enable a “bring your own key” (BYOK) capability?
A: Yes, you can supply your own key encryption keys. Those keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more details on the key encryption key support scenarios, see the Azure Disk Encryption whitepaper.

Q: Can I encrypt both boot and data volumes with Azure Disk Encryption?
A: Yes, you can!

Q: What Azure regions is Azure Disk Encryption available in?

A: Azure Disk Encryption is available in all public Azure regions. The Key Vault instance where the keys are stored must be in the same region as the encrypted VM.
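The following PowerShell script is an added example, not code from the original post or from the Azure Disk Encryption whitepaper, that ties together the BYOK answer above and the same-region requirement for Key Vault: it creates a Key Vault in the VM's region with the disk-encryption flag set, adds a customer-managed key encryption key, enables encryption on an existing IaaS VM (the third scenario in the post), and reads back the encryption status. It uses the AzureRM cmdlets of the Azure PowerShell 1.2.x era named in the post. The resource group, VM, vault, key and Azure AD application names are placeholders, and the Azure AD application (client ID and secret) used by the extension to reach Key Vault is an assumption not stated on this page; check the whitepaper for the current prerequisites.

```powershell
# Added example (not from the original post): enable Azure Disk Encryption on an
# existing Standard-tier IaaS VM with a customer-managed key encryption key (BYOK).
# Assumptions: all names below are placeholders; the extension authenticates to
# Key Vault with an Azure AD application (client ID + secret), which the post
# itself does not describe.

$rgName      = 'ade-demo-rg'          # assumed resource group containing the VM
$vmName      = 'ade-demo-vm'          # assumed existing Windows or Linux IaaS VM
$vaultName   = 'ade-demo-kv'          # assumed Key Vault name (must be globally unique)
$kekName     = 'ade-demo-kek'         # assumed name of the key encryption key
$aadClientId = '<aad-app-client-id>'  # assumed Azure AD application used by the extension
$aadSecret   = '<aad-app-secret>'     # assumed; supply at run time, never commit it

Login-AzureRmAccount

# 1. The vault must live in the same region as the VM, so derive the location from the VM.
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
$vault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName `
            -Location $vm.Location -EnabledForDiskEncryption

# 2. Bring your own key: the key encryption key (KEK) that wraps the per-VM volume key.
#    -Destination HSM needs a Premium vault; Software works on a Standard vault.
$kek = Add-AzureKeyVaultKey -VaultName $vaultName -Name $kekName -Destination Software

# 3. Let the Azure AD application wrap/unwrap with the KEK and store the wrapped
#    BitLocker/dm-crypt secret in the vault (least privilege: no key create/delete).
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientId `
    -PermissionsToKeys wrapKey,unwrapKey -PermissionsToSecrets get,set,list

# 4. Guard against the region mismatch the FAQ warns about before touching the VM.
if ($vault.Location -ne $vm.Location) {
    throw "Key Vault '$vaultName' ($($vault.Location)) is not in the VM's region ($($vm.Location))"
}

# 5. Enable encryption of OS and data volumes on the running VM (scenario 3 in the post).
#    The extension generates the volume key, wraps it with the KEK and writes it as a secret.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All

# 6. Verify: OsVolumeEncrypted / DataVolumesEncrypted report the state per volume.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
```

Two points worth noting when adapting this: the access policy grants the application only wrap, unwrap and secret write/read rights, so compromise of the application secret does not allow the KEK itself to be exported or deleted; and because the KEK URL is versioned (`Kid`), rotating the key in Key Vault requires re-running the extension with the new URL rather than silently picking up the new version.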

Q: Where can I get more information on how to use PowerShell for configuring Azure Disk Encryption?

A: We have some great articles on how you can perform basic Azure Disk Encryption tasks, as well as more advanced scenarios. For the basic tasks, check out Explore Azure Disk Encryption with Azure PowerShell. For more advanced scenarios, see Explore Azure Disk Encryption with Azure PowerShell – Part 2 

Q: What version of Azure PowerShell is supported by Azure Disk Encryption?

A: Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version, Azure PowerShell 1.2.1. Azure Disk Encryption is NOT supported by Azure PowerShell SDK version 1.1.0.


Devendra Tiwari

Principal Program Manager, Azure Security Engineering


Comments (11)

  1. Jerry says:

    Does this mean the BitLocker is now supported within Hyper-V virtual machines? If not, how is Azure doing this since the underlying framework is Hyper-V?

    From Technet: technet.microsoft.com/…/hh831507.aspx

    Does BitLocker support virtual hard disks (VHDs)?

    BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2.

    Thanks

  2. Azure takes advantage of Azure KeyVault to enable this scenario. Yes, for Azure virtual machines, you can BitLocker both the system drive (boot disk) and any data drives.

  3. Jerry says:

    Can Azure KeyVault be used for non-Azure BitLocker encrypted Hyper-V Virtual Machines?

    Thanks

  4. No – virtual machines and their VHD files have to be hosted on Azure IaaS.

  5. What versions of SLES (if any) are supported today for this feature? I’ve tried the SLES 11 SP3 for SAP CAL and SLES 12. Both attempts fail encrypting with message “VolumeType is not supported”. Thanks!

  6. swapnil sonawane says:

    Hi ,

    I have used BitLocker to encrypt the data drive on my Windows Server 2012 R2. Do I need to purchase the Key Vault? Is this compulsory?

    Thanks,
    Swapnil

    1. Hi Swapnil –
      Is the virtual machine running in Azure? You do not need to use Key Vault, but it’s a more secure solution. You do need to use Key Vault for the OS drive, though.
      Thanks!
      Tom

  7. Craig says:

    If you enable Disk Encryption on your Azure VMs, you will not be able to set them up for Azure Backup 🙂

    Disk Encryption is good, but still missing a lot of features IMO

    1. Hey Craig – we’re continuing to improve the service – stay tuned!

  8. David Sampson says:

    Is it possible to use third party Key Vault technologies like Symantec key vault with this?

    1. You can bring your own key – but at this time, we won’t reach back to your on-premises site.
      What kind of scenarios are you looking at?
      Thanks! -Tom
