Data in an Azure storage account is encrypted at rest by default with Storage Service Encryption. That protects the physical media, not the VHD: once you are able to read the VHD blob from the storage account you have the plaintext disk, because the storage layer decrypts transparently for anyone with access. So you use Azure Disk Encryption to encrypt the virtual disk inside the VM with BitLocker (dm-crypt on Linux VMs), with the cryptographic keys held in an Azure Key Vault that you control.
So the first thing we need is a Key Vault. It can be created from the Azure marketplace.
A Key Vault stores secrets, cryptographic keys and certificates; for disk encryption it holds the key encryption key you create and the BitLocker secret the encryption extension generates. The vault has to exist in the same region and subscription as the virtual machine, and it must be enabled for disk encryption (the EnabledForDiskEncryption setting) before the extension is allowed to write the secret into it.
Create a Key
In order to encrypt the disk we need a key encryption key (KEK). Click the Generate/Import button and create an RSA key. This key wraps the BitLocker secret, so protect the vault against deletion: without the KEK the disk cannot be unlocked.
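The same Key Vault and key setup done from PowerShell, with the two checks that most often break the later encryption step (wrong region, vault not enabled for disk encryption). This is an added example, not code from the original post; the names $rgName, $vmName, $keyVaultName and $keyName are placeholders.

```powershell
# Added example, not part of the original post. All names below are placeholders.
$rgName       = "myResourceGroup"
$vmName       = "myVM"
$keyVaultName = "myKeyVault"   # vault names are globally unique
$keyName      = "myKey"

# Azure Disk Encryption requires the vault to be in the same region and subscription
# as the VM, so take the region from the VM instead of typing it by hand.
$vm = Get-AzVM -ResourceGroupName $rgName -Name $vmName

# -EnabledForDiskEncryption lets the platform store the BitLocker secret and wrap it
# with the KEK; without it Set-AzVMDiskEncryptionExtension fails.
# Purge protection cannot be switched off again, but it stops the KEK (and with it the
# disk) from being destroyed by a deleted-and-purged vault.
$keyVault = New-AzKeyVault -Name $keyVaultName `
    -ResourceGroupName $rgName `
    -Location $vm.Location `
    -EnabledForDiskEncryption `
    -EnablePurgeProtection

# For a vault that already exists, set the flag instead of re-creating it:
# Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName -EnabledForDiskEncryption

# Generate the key encryption key (the PowerShell equivalent of Generate/Import in the portal).
# Software-protected RSA-2048 here; use -Destination HSM on a Premium SKU vault for an HSM-backed key.
$kek = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName -Destination Software -KeyType RSA -Size 2048

# Sanity checks before encrypting anything.
$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
if ($keyVault.Location -ne $vm.Location) {
    throw "Key Vault ($($keyVault.Location)) and VM ($($vm.Location)) must be in the same region"
}
if (-not $keyVault.EnabledForDiskEncryption) {
    throw "Key Vault $keyVaultName is not enabled for disk encryption"
}
"Vault URI: $($keyVault.VaultUri)"
"KEK URL:   $($kek.Key.Kid)"
```

The VaultUri and the key's Kid printed at the end are exactly the two URLs the encryption script needs next.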
Now on to the encryption itself. We are going to use PowerShell in Cloud Shell. The Microsoft docs already contain the script required to encrypt the disks, so most of the work has been done for us; we only substitute our own values for the parameters. Be aware that Set-AzVMDiskEncryptionExtension asks for confirmation and restarts the VM to apply the change.
# Values from your own environment; this script assumes the vault and the VM share one resource group
$rgName = "myResourceGroup";
$keyVaultName = "myKeyVault";
$vmName = "myVM";
$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
$keyVaultResourceId = $keyVault.ResourceId;
# URL of the key encryption key created above; it wraps the BitLocker secret the extension writes to the vault
$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name myKey).Key.kid;
# -KeyEncryptionKeyVaultId is required whenever -KeyEncryptionKeyUrl is given
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgName `
    -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $keyVaultResourceId;
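Once the extension has finished (the VM reboots in between), confirm that the volumes are actually encrypted and that the secret and KEK the VM boots from point at the intended vault. This is an added check, not from the original post; $rgName and $vmName are placeholders.

```powershell
# Added example, not part of the original post. Placeholders:
$rgName = "myResourceGroup"
$vmName = "myVM"

$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage

# OsVolumeEncrypted is an enum (Encrypted, NotEncrypted, Unknown ...); treat anything
# other than Encrypted as "not done yet" and surface the extension's progress message.
if ($status.OsVolumeEncrypted -ne "Encrypted") {
    Write-Warning "OS volume is not encrypted: $($status.ProgressMessage)"
}

# The OS volume settings name the BitLocker secret (BEK) and the KEK that wraps it.
# Both URLs should belong to the vault you created, not a stale or foreign one.
$settings = $status.OsVolumeEncryptionSettings
if ($settings) {
    "BEK secret: $($settings.DiskEncryptionKey.SecretUrl)"
    "KEK:        $($settings.KeyEncryptionKey.KeyUrl)"
}
```

If OsVolumeEncrypted stays at NotEncrypted with an error in ProgressMessage, the usual causes are the vault missing the EnabledForDiskEncryption flag or the vault sitting in a different region from the VM.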