AZ-104 | Chapter 88 of 168 | Objective 3.1

Azure Disk Encryption: BitLocker and dm-crypt

This chapter covers Azure Disk Encryption (ADE), which uses BitLocker on Windows and dm-crypt on Linux to protect data at rest on Azure virtual machine disks. For the AZ-104 exam, ADE is a key topic under Compute (Objective 3.1) and appears in approximately 5-10% of questions, often in scenarios involving compliance, security, and key management. Understanding ADE's integration with Azure Key Vault, encryption at rest vs. host-based encryption, and prerequisites is critical for passing the exam.

25 min read · Intermediate · Updated May 31, 2026

Hotel Safe Deposit Box System

Imagine a hotel where each guest room has a personal safe deposit box. The hotel manager (Azure Key Vault) holds a master key that can open any box, but each guest (VM) has a unique key for their own box. When a guest checks in (enables encryption), the manager creates a new safe deposit box (disk encryption key) and gives the guest a copy of the key (wraps the key with a Key Encryption Key). The guest stores their valuables (data) in the box, which is locked with a padlock (BitLocker/dm-crypt). The manager keeps a master list of all keys, but each key is stored in a sealed envelope (Key Vault) that only the manager can open. If a guest loses their key, the manager can issue a new one using the master list (key rotation). However, if the manager's office is destroyed (Key Vault deleted), all boxes become permanently locked. In Azure Disk Encryption, the encryption keys are stored in Azure Key Vault, and the VM uses them to encrypt/decrypt data on the fly. Without access to Key Vault, the VM cannot boot because it cannot decrypt the OS disk. The hotel manager never sees the contents of the boxes—only the guest does. Similarly, Azure never sees the plaintext data; encryption and decryption happen inside the VM using the keys retrieved from Key Vault.

How It Actually Works

What is Azure Disk Encryption?

Azure Disk Encryption (ADE) is a capability that helps protect your data at rest by encrypting the OS and data disks of Azure virtual machines (VMs). It uses industry-standard encryption technologies: BitLocker for Windows VMs and dm-crypt for Linux VMs. ADE is integrated with Azure Key Vault (AKV) to help you control and manage the disk encryption keys and secrets. This ensures that even if an attacker gains access to the physical disk, they cannot read the data without the encryption keys.

Why ADE Exists

Data at rest encryption is a common compliance requirement (e.g., HIPAA, PCI DSS). While Azure Storage Service Encryption (SSE) encrypts data at the storage platform level, ADE provides additional protection by encrypting the data within the VM itself. This is important because SSE protects data while stored in the Azure storage backend, but ADE protects data inside the VM's virtual hard disk (VHD) files, including temporary disks and cached data. ADE also ensures that the VM's boot volume is encrypted, which SSE does not do by default.

How ADE Works Internally

When you enable ADE on a VM, the following steps occur:

1. The Azure Disk Encryption extension is installed on the VM.
2. The extension generates or retrieves an encryption key from Azure Key Vault.
3. For Windows VMs, BitLocker is configured to use the key to encrypt the OS and data disks. For Linux VMs, dm-crypt (via cryptsetup) is used.
4. The encryption key is wrapped (encrypted) by a Key Encryption Key (KEK) if you choose to use one. The wrapped key is stored in Azure Key Vault.
5. The VM's disks are encrypted at the block level. The encryption happens transparently: data is encrypted when written to disk and decrypted when read, with minimal performance impact.
6. After encryption, the VM can only boot if it can access the key from Key Vault. The VM's Azure AD identity (or a managed identity) is used to authenticate to Key Vault.

Key Components, Values, and Defaults

BitLocker: Windows native full-disk encryption. Uses AES 256-bit encryption by default.

dm-crypt: Linux kernel-level disk encryption subsystem. Uses LUKS (Linux Unified Key Setup) format with AES 256-bit by default.

Azure Key Vault: Required for ADE. Stores the Disk Encryption Key (DEK) and optionally a Key Encryption Key (KEK).

Disk Encryption Key (DEK): The symmetric key used to encrypt the disk. It is protected by being wrapped with a KEK or stored as a secret.

Key Encryption Key (KEK): An asymmetric key stored in Key Vault (RSA 2048-bit or higher) used to wrap the DEK. Using a KEK adds an extra layer of security and is required for key rotation scenarios.

Azure Disk Encryption Extension: The VM extension that performs the encryption. For Windows: AzureDiskEncryptionForWindows. For Linux: AzureDiskEncryptionForLinux.

Prerequisites:

VM must be in a supported region (all public regions).

VM must be backed by Azure Resource Manager (Classic not supported).

VM must have a standard SKU (not basic).

A Key Vault must exist in the same region and subscription as the VM.

The Key Vault must have the EnabledForDiskEncryption access policy set.

The VM must have a managed identity or the user must have appropriate RBAC permissions to access the Key Vault.

Supported OS: Windows Server 2008 R2 and later, Windows 10/11, Ubuntu, CentOS, RHEL, SUSE, and others. Check the latest documentation for exact versions.

Unsupported: Basic tier VMs, VMs without managed disks (unmanaged disks require a different approach), and VMs with certain marketplace images (e.g., some Linux distributions require manual steps).

Configuration and Verification Commands

To enable ADE on a VM, you can use Azure CLI, PowerShell, or the Azure portal. Here are key commands:

Enable ADE on Windows VM (Azure CLI):

az vm encryption enable \
  --resource-group MyResourceGroup \
  --name MyVM \
  --disk-encryption-keyvault MyKeyVault \
  --key-encryption-key MyKEK \
  --volume-type All

--volume-type can be OS, Data, or All. Default is All.

--key-encryption-key is optional; if omitted, only a DEK is used.

Enable ADE on Linux VM:

az vm encryption enable \
  --resource-group MyResourceGroup \
  --name MyLinuxVM \
  --disk-encryption-keyvault MyKeyVault \
  --key-encryption-key MyKEK \
  --volume-type All \
  --encrypt-format-all

--encrypt-format-all is required for Linux to format (which wipes any existing contents) and then encrypt all data drives. For OS drive encryption, it is optional but recommended.

Check Encryption Status:

az vm encryption show --resource-group MyResourceGroup --name MyVM

Output shows status (e.g., EncryptionInProgress, Succeeded, Failed).

Using PowerShell:

# $vaultUrl and $vaultId are the vault's VaultUri and ResourceId (Get-AzKeyVault); $kekUrl is the KEK's key id (Get-AzKeyVaultKey)
Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName MyVM `
  -DiskEncryptionKeyVaultUrl $vaultUrl -DiskEncryptionKeyVaultId $vaultId `
  -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $vaultId `
  -VolumeType All

Interaction with Related Technologies

Azure Storage Service Encryption (SSE): SSE encrypts data at the storage layer (Azure managed disks) using platform-managed keys. ADE encrypts within the VM, so both can be used together for defense in depth. The exam may ask about the difference: SSE is transparent to the VM, while ADE requires VM extension and key management.

Azure Key Vault: ADE relies on Key Vault to store encryption keys. The Key Vault must have EnabledForDiskEncryption set. If using a KEK, the Key Vault must also support RSA keys.

Managed Disks: ADE works with managed disks. For unmanaged disks (storage accounts), you must use a different method (Azure Disk Encryption for classic VMs is deprecated).

Azure Backup: Encrypted VMs can be backed up using Azure Backup, but you must grant Backup permissions to access the Key Vault. The backup service needs the Get and UnwrapKey permissions on the KEK.

Azure Site Recovery: Encrypted VMs can be replicated to another region. You must configure the target Key Vault and ensure proper access.

Azure Disk Encryption and Confidential Computing: Confidential VMs use a different encryption mechanism (vTPM and secure enclaves). ADE is not supported on confidential VMs.

Performance Considerations

ADE introduces a small CPU overhead for encryption/decryption operations, typically 5-10% depending on workload. For I/O-intensive applications, consider using Premium SSDs with host-based encryption (SSE + platform-managed keys) instead, which has lower overhead. ADE also requires that the VM has enough memory to handle the encryption process; during initial encryption, the VM may experience higher CPU usage.

Limitations and Edge Cases

Cannot encrypt already encrypted disks: If a disk is already encrypted with ADE, you cannot re-encrypt without disabling first.

Disabling encryption: You can disable ADE using `az vm encryption disable`, but this does not decrypt the disk; it removes the extension and key association. To fully decrypt, you must run `az vm encryption disable --volume-type Data` and then decrypt the volume manually, which is not straightforward.

VM resize: Encrypted VMs can be resized, but the new size must support the encryption extension.

Snapshot and restore: You can take snapshots of encrypted disks, but they remain encrypted. When creating a new VM from a snapshot, you must provide access to the same Key Vault.

Cross-region Key Vault: The Key Vault must be in the same region as the VM. You cannot use a Key Vault from a different region.

Linux OS disk encryption: Not all Linux distributions support OS disk encryption. For example, Ubuntu 16.04+ and RHEL 7.2+ support it, but some older versions may only support data disk encryption.

Walk-Through

1. Create Key Vault with Access Policy

First, create an Azure Key Vault in the same region and subscription as your VM. Set the access policy to enable disk encryption: `az keyvault update --name MyKeyVault --resource-group MyResourceGroup --enabled-for-disk-encryption true`. This allows the Azure Disk Encryption service to retrieve keys. Optionally, create a Key Encryption Key (KEK) as an RSA key in the Key Vault. The KEK is used to wrap the Disk Encryption Key (DEK), providing an extra layer of security. The Key Vault must also have the appropriate permissions for the user or managed identity that will enable encryption.

2. Assign Managed Identity to VM

The VM needs a system-assigned managed identity to authenticate to Key Vault. If the VM does not already have one, enable it: `az vm identity assign --resource-group MyResourceGroup --name MyVM`. This creates a service principal in Azure AD for the VM. Then, grant this identity the required permissions on the Key Vault: `az keyvault set-policy --name MyKeyVault --object-id <identity-principal-id> --key-permissions get unwrapKey wrapKey --secret-permissions get`. Without this step, the VM cannot access the encryption keys and the encryption will fail.

3. Install Azure Disk Encryption Extension

The Azure Disk Encryption extension is installed automatically when you run the enable command. For Windows, the extension is `AzureDiskEncryptionForWindows`; for Linux, it is `AzureDiskEncryptionForLinux`. The extension downloads the necessary binaries (e.g., BitLocker or cryptsetup) and configures them. During installation, the extension communicates with the Azure fabric controller to retrieve the encryption settings. The extension also validates that the VM meets prerequisites (e.g., OS version, disk size). If the extension fails, check the VM's boot diagnostics and extension logs in `/var/log/azure/` (Linux) or `C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryptionForWindows` (Windows).

4. Generate or Retrieve Encryption Key

The extension generates a random 256-bit Disk Encryption Key (DEK) for each volume to be encrypted. If a KEK is specified, the DEK is wrapped (encrypted) with the KEK using RSA-OAEP. The wrapped DEK is then stored as a secret in Key Vault. If no KEK is used, the DEK is stored directly as a secret. The DEK is never stored on the VM disk; it is only held in memory during encryption/decryption. The extension also creates a BitLocker recovery key (Windows) or LUKS header (Linux) that is backed up to Key Vault.

5. Encrypt the Disks

The extension uses BitLocker (Windows) or dm-crypt (Linux) to encrypt each volume. For Windows, BitLocker encrypts the entire volume using AES 256-bit encryption. For Linux, dm-crypt creates a LUKS container on the disk and encrypts it. The encryption process is performed in the background while the VM remains online. For OS disks, a reboot may be required to complete the encryption. During encryption, the disk I/O performance may degrade. The extension monitors progress and reports status to Azure. After encryption, the VM can only boot if it can retrieve the DEK from Key Vault. The VM's boot process now includes a step where the Azure Host retrieves the encryption key from Key Vault and passes it to the VM's bootloader.

6. Verify Encryption Status

After encryption completes, verify the status using `az vm encryption show`. The output will show `Succeeded` for each volume. You can also check inside the VM: on Windows, run `manage-bde -status`; on Linux, run `lsblk` and look for `crypt` devices. The Azure portal will show 'Encryption enabled' on the VM's disks. If encryption fails, common causes include: Key Vault not enabled for disk encryption, missing managed identity permissions, unsupported VM size, or insufficient disk space. Check the extension logs for detailed error messages.
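A preflight check for the prerequisites listed earlier in this chapter and for the Key Vault and identity setup in steps 1 and 2 of the walk-through, written as an added Python example (not code from the course or from Azure): it reads the JSON that `az vm show -o json` and `az keyvault show -o json` print and reports every rule the VM or vault violates before you run `az vm encryption enable`. The field names follow the real CLI output; the subscription id, the identity object id and the two sample documents are constructed and trimmed to the fields the check uses.

```python
"""Azure Disk Encryption preflight check: added example, not code from the course page.
Reads the JSON printed by `az vm show -o json` and `az keyvault show -o json` (real field
names); the subscription id, identity object id and the two sample documents are constructed."""

# Permissions the VM's identity needs on the vault (walk-through, step 2).
REQUIRED_KEY_PERMS = {"get", "unwrapkey", "wrapkey"}
REQUIRED_SECRET_PERMS = {"get"}

SUB = "00000000-0000-0000-0000-000000000000"           # constructed subscription id
VM_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # constructed identity object id

SAMPLE_VM = {  # constructed, trimmed `az vm show` output for a VM that meets every rule
    "id": f"/subscriptions/{SUB}/resourceGroups/MyResourceGroup"
          f"/providers/Microsoft.Compute/virtualMachines/MyVM",
    "location": "eastus",
    "hardwareProfile": {"vmSize": "Standard_D2s_v3"},
    "storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": "Premium_LRS"}}},
    "identity": {"type": "SystemAssigned", "principalId": VM_PRINCIPAL},
}

SAMPLE_KV = {  # constructed, trimmed `az keyvault show` output for a correctly prepared vault
    "id": f"/subscriptions/{SUB}/resourceGroups/MyResourceGroup"
          f"/providers/Microsoft.KeyVault/vaults/MyKeyVault",
    "location": "eastus",
    "properties": {
        "enabledForDiskEncryption": True,
        "accessPolicies": [{
            "objectId": VM_PRINCIPAL,
            "permissions": {"keys": ["get", "unwrapKey", "wrapKey"], "secrets": ["get"]},
        }],
    },
}


def subscription_of(resource_id):
    """Return the subscription GUID embedded in an ARM resource id, or None."""
    parts = resource_id.strip("/").split("/")
    return parts[1].lower() if len(parts) > 1 and parts[0].lower() == "subscriptions" else None


def check_ade_prerequisites(vm, kv):
    """Return the chapter's ADE prerequisites that this VM/vault pair violates (empty = ready)."""
    problems = []
    if vm["hardwareProfile"]["vmSize"].startswith("Basic_"):
        problems.append("VM uses a Basic tier size; ADE needs a Standard SKU")
    if not vm["storageProfile"]["osDisk"].get("managedDisk"):
        problems.append("OS disk is unmanaged; ADE supports managed disks only")
    if vm["location"].lower() != kv["location"].lower():
        problems.append("Key Vault is not in the VM's region")
    if subscription_of(vm["id"]) != subscription_of(kv["id"]):
        problems.append("Key Vault is not in the VM's subscription")
    if not kv["properties"].get("enabledForDiskEncryption"):
        problems.append("Key Vault lacks the enabledForDiskEncryption flag")
    principal = (vm.get("identity") or {}).get("principalId")
    if not principal:
        problems.append("VM has no system-assigned managed identity")
        return problems  # no identity means no access policy to inspect
    # Merge every access policy entry that targets the VM's identity (case-insensitive names).
    keys, secrets = set(), set()
    for policy in kv["properties"].get("accessPolicies", []):
        if policy.get("objectId") == principal:
            keys |= {p.lower() for p in policy["permissions"].get("keys", [])}
            secrets |= {p.lower() for p in policy["permissions"].get("secrets", [])}
    for kind, required, have in (("key", REQUIRED_KEY_PERMS, keys), ("secret", REQUIRED_SECRET_PERMS, secrets)):
        missing = sorted(required - have)
        if missing:
            problems.append(f"identity lacks {kind} permissions: " + ", ".join(missing))
    return problems
```

To use it against real resources, load the two `az ... show -o json` outputs with `json.load` and pass the resulting dicts to `check_ade_prerequisites`; an empty list means the VM and vault satisfy every rule the chapter lists.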

What This Looks Like on the Job

Enterprise Scenario 1: Healthcare Compliance (HIPAA)

A healthcare provider must encrypt all patient data at rest on Azure VMs to comply with HIPAA. They deploy a Windows Server 2019 VM running a SQL Server database. They enable ADE on the OS and data disks using a KEK stored in a dedicated Key Vault with access policies restricted to the DBA team. They also enable Azure Backup for the VM, granting the Backup service the required permissions to access the Key Vault. A common issue they face is that the Backup service fails because the Key Vault's firewall is enabled and blocks the Backup service's IP. Solution: Disable the Key Vault firewall or add the Backup service's trusted IP range. They also set up key rotation for the KEK every 6 months using Key Vault's key rotation policy.

Enterprise Scenario 2: Financial Services with Multi-Region DR

A financial institution uses Azure Site Recovery (ASR) to replicate encrypted VMs to a secondary region for disaster recovery. They enable ADE on a Linux VM running a trading application. They configure ASR to use a separate Key Vault in the DR region that mirrors the keys from the primary region. The challenge is that ASR does not automatically replicate the Key Vault keys. They must manually export and import the KEK and DEK to the DR Key Vault using Azure CLI. They also need to ensure that the DR VM's managed identity has access to the DR Key Vault. A misconfiguration here can cause the DR VM to fail to boot after failover. They test the failover quarterly to validate that the encryption keys are accessible.

Scenario 3: Cost Optimization with Encryption

A startup uses ADE to encrypt data disks on a Linux VM running a web server. They choose not to use a KEK to reduce costs (KEK operations incur additional Key Vault transaction costs). However, they later need to rotate the DEK for compliance. Without a KEK, key rotation is more complex because they must decrypt and re-encrypt the disk. They learn that using a KEK allows them to rotate the KEK without touching the DEK, making rotation simpler. They also discover that ADE is not supported on basic-tier VMs, so they had to upgrade to a standard tier, increasing costs by 20%. They now consider using host-based encryption (SSE with platform-managed keys) as a lower-cost alternative for non-sensitive data.

How AZ-104 Actually Tests This

AZ-104 Exam Focus on Azure Disk Encryption

The AZ-104 exam tests ADE under Objective 3.1: 'Implement and manage virtual machines'. Specifically, you need to know:

How to configure disk encryption (ADE vs. SSE vs. host-based encryption).

Prerequisites for ADE: Key Vault must be enabled for disk encryption, VM must have managed identity, supported OS, standard SKU.

How to enable encryption using Azure CLI, PowerShell, or portal.

How to verify encryption status.

The difference between ADE and SSE: ADE encrypts within the VM, SSE encrypts at the storage layer.

Common Wrong Answers and Traps

1. 'ADE encrypts data at the storage layer' – This is false. SSE encrypts at the storage layer; ADE encrypts inside the VM. Candidates confuse the two because both involve encryption.

2. 'You must use a KEK' – KEK is optional. ADE works with just a DEK. The exam may present a scenario where a KEK is not required.

3. 'ADE works with unmanaged disks' – False. ADE only supports managed disks. Unmanaged disks require a different approach (classic VM encryption is deprecated).

4. 'You can use a Key Vault from a different region' – False. The Key Vault must be in the same region as the VM.

5. 'Encryption is immediate with no performance impact' – False. There is a small performance overhead, especially during initial encryption.

Specific Numbers and Terms

AES 256-bit encryption is used by both BitLocker and dm-crypt.

KEK must be RSA 2048-bit or higher.

Supported volume types: OS, Data, All.

The extension names: AzureDiskEncryptionForWindows and AzureDiskEncryptionForLinux.

The access policy flag: enabledForDiskEncryption.

Edge Cases and Exceptions

Linux OS disk encryption: Not all distributions support it. For example, Ubuntu 14.04 does not support OS disk encryption; only data disks.

Encrypted VM snapshots: You can create a snapshot of an encrypted disk, but when you create a new VM from that snapshot, you must provide the same Key Vault and keys. If the Key Vault is deleted, the snapshot is useless.

Backup of encrypted VMs: Azure Backup requires specific permissions on the Key Vault. If not configured, backup fails silently.

VM resize: You cannot resize a VM that is currently being encrypted. Wait for completion.

How to Eliminate Wrong Answers

When you see a question about disk encryption, first identify whether the question is about ADE or SSE. If the scenario mentions 'VM extension', 'BitLocker', or 'dm-crypt', it's ADE. If it mentions 'storage account' or 'platform-managed keys', it's SSE. Then check prerequisites: does the VM have a managed identity? Is the Key Vault in the same region? Is the VM standard tier? Eliminate answers that violate these rules. For 'which tool to use', remember that ADE uses Azure CLI `az vm encryption enable`, not `az disk update`.

Key Takeaways

ADE uses BitLocker (Windows) or dm-crypt (Linux) with AES 256-bit encryption.

Key Vault must have the enabledForDiskEncryption access policy set.

The VM must have a system-assigned managed identity with get, unwrapKey, and wrapKey permissions on Key Vault.

ADE only supports managed disks; unmanaged disks are not supported.

The Key Vault must be in the same region and subscription as the VM.

KEK is optional but recommended for key rotation and added security.

Use `az vm encryption enable` to enable ADE; use `az vm encryption show` to verify.

Basic tier VMs and certain Linux distributions (e.g., Ubuntu 14.04) do not support OS disk encryption.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Disk Encryption (ADE)

Encrypts data inside the VM using BitLocker/dm-crypt

Requires VM extension and Key Vault

Encrypts OS and data disks at the block level

VM must have managed identity and standard SKU

Provides protection against unauthorized access to VHD files

Storage Service Encryption (SSE)

Encrypts data at the Azure storage platform

Transparent to the VM; no extension needed

Encrypts managed disks and snapshots automatically

Uses platform-managed or customer-managed keys (CMK)

Protects data in the storage backend

Watch Out for These

Mistake

Azure Disk Encryption encrypts data at the storage platform level.

Correct

ADE encrypts data inside the VM using BitLocker or dm-crypt. Storage Service Encryption (SSE) encrypts data at the Azure storage platform level. ADE provides additional encryption within the VM.

Mistake

You must use a Key Encryption Key (KEK) for Azure Disk Encryption.

Correct

KEK is optional. You can encrypt disks using only a Disk Encryption Key (DEK) stored in Key Vault. A KEK adds an extra layer of security and enables key rotation scenarios.

Mistake

Azure Disk Encryption works with unmanaged disks (storage accounts).

Correct

ADE only supports managed disks. For unmanaged disks, you must use the older Azure Disk Encryption for classic VMs, which is deprecated.

Mistake

You can use a Key Vault from any region for a VM.

Correct

The Key Vault must be in the same region and same subscription as the VM. Cross-region Key Vault is not supported for ADE.

Mistake

Encryption can be enabled on any VM size, including Basic tier.

Correct

Basic tier VMs do not support ADE. You must use a Standard tier VM. Also, the VM must have a managed identity.


Frequently Asked Questions

What is the difference between Azure Disk Encryption and Storage Service Encryption?

Azure Disk Encryption (ADE) encrypts data within the VM using BitLocker or dm-crypt, protecting the VHD files at rest. Storage Service Encryption (SSE) encrypts data at the Azure storage platform level, transparent to the VM. ADE requires a VM extension and Key Vault, while SSE is enabled by default on managed disks. Both can be used together for defense in depth.

Can I encrypt an already running VM without downtime?

Yes, ADE supports encrypting disks while the VM is running. For data disks, encryption happens online. For OS disks, a reboot may be required to complete the encryption. The VM remains available during the process, but performance may be impacted.

Do I need a Key Encryption Key (KEK)?

No, a KEK is optional. You can encrypt disks using only a Disk Encryption Key (DEK) stored in Key Vault. However, using a KEK adds an extra layer of security and simplifies key rotation. If you need to change the encryption key, you can rotate the KEK without re-encrypting the disks.

What happens if I delete the Key Vault that contains the encryption keys?

If the Key Vault is deleted, the VM will become inaccessible because it cannot decrypt the disks. You must restore the Key Vault from soft-delete (if enabled) or recover the keys from a backup. Without the keys, the data is permanently lost.

Can I use Azure Backup with an encrypted VM?

Yes, but you must grant the Azure Backup service permissions to access the Key Vault. Specifically, Backup needs Get and UnwrapKey permissions on the KEK (if used) and Get on the DEK. Configure this via Key Vault access policies.

Does ADE work with Linux VMs?

Yes, ADE supports Linux VMs using dm-crypt and LUKS. Supported distributions include Ubuntu, CentOS, RHEL, and SUSE. However, not all distributions support OS disk encryption; check the documentation for your specific version.

How do I check the encryption status of a VM?

Use the Azure CLI command `az vm encryption show --resource-group <RG> --name <VM>`. The output shows the status for each volume (e.g., 'Succeeded'). You can also check inside the VM using `manage-bde -status` (Windows) or `lsblk` (Linux).
