Enable Disk Encryption using BitLocker and Key Vault

This “Enable Disk Encryption using BitLocker and Key Vault” IT Pro Challenge virtual lab will teach you how to encrypt Azure Virtual Machines using the Key Vault. You will use the Cloud Shell to programmatically create and enable a key vault and edit its policies. After this lab, you will be comfortable encrypting disks on the Azure platform.

1 hour


Azure is a public cloud computing platform. Azure can be used for many purposes, such as analytics, compute, and networking. In particular, Azure provides a powerful tool set for creating virtual networks and virtual machines, and it gives you many controls over the security and encryption of your virtual machines (VMs). Given its tool set and rising popularity, it is prudent for modern IT workers to be comfortable working with Azure.

Several options exist for protecting your Azure VMs. One widely used control is Azure Disk Encryption, which on Windows VMs uses BitLocker to encrypt the OS and data volumes and stores the volume encryption keys in an Azure Key Vault. Key Vault gives you tools for storing, accessing, and controlling access to keys and “secrets,” with “secrets” being data you want tightly controlled, such as passwords and certificates.

A good administrator should know how to create and configure key vaults using the Azure Cloud Shell. The Azure Cloud Shell is a browser-based shell, available in both Bash and PowerShell flavors, with the Azure CLI and Azure PowerShell modules preinstalled. In Azure, administrators can use Cloud Shell to automate repetitive tasks, such as creating and configuring Azure Key Vaults. This hands-on lab will teach you how to create and configure an Azure Key Vault using the Azure Cloud Shell.

Understand the scenario: You are a system administrator for a company that is migrating their servers to Azure. You need to ensure that the disks used by the virtual machines are encrypted using BitLocker and Azure Key Vault. Since you plan on automating this process in the future, you will use Azure Cloud Shell to enable disk encryption on one virtual machine.

Understand the environment: You are using an Azure resource group that contains a preconfigured virtual machine.

Create an Azure key vault:

The first step in this challenge is to create an Azure key vault. You will log in to Azure using the provided credentials and use the Azure portal to create a key vault in the given resource group.

Configure Azure Cloud Shell:

Next, you will use the Azure Cloud Shell to create a file share in an existing storage account and attach it. Cloud Shell uses this share to persist your home directory, and therefore your scripts, between sessions.

Create an Azure Active Directory application and service principal:

Again using Cloud Shell, you will create an Azure Active Directory application. In this version of Azure Disk Encryption, the encryption extension authenticates as that application's service principal to write the BitLocker keys into the key vault. You will:

  • Store the application name in a variable.
  • Store a client secret (password) for the application in a variable.
  • Create the Azure Active Directory application.
  • Create the service principal for that application.

Add an Azure key vault key and configure the key vault access policy:

After you have created a key vault and the Azure Active Directory application, you will add a key vault key. This key acts as the key encryption key (KEK) that wraps the BitLocker volume key. You will:

  • Create a key vault key in the key vault.
  • Set the key vault access policy so the service principal can wrap keys and set secrets.
  • Enable the key vault for disk encryption using the advanced access policy settings, which lets the Azure platform read the secrets when the VM boots.

Enable Azure disk encryption on the virtual machine:

The last step in this virtual lab will require you to enable disk encryption on a VM. You will:

  • Create the variables for the Cloud Shell commands that enable disk encryption.
  • Use the Set-AzureRmVMDiskEncryptionExtension command (Set-AzVMDiskEncryptionExtension in the current Az module) to enable disk encryption. The command installs the encryption extension and reboots the VM.
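The whole procedure above, from key vault to verified encryption, collected into one Azure PowerShell script. This is an added example, not code from the lab itself; it uses the AzureRM cmdlets the lab names (Az equivalents are listed after the block), and every resource name, the eastus location and the assumption that the lab's Cloud Shell ships an AzureRM version whose New-AzureRmADApplication -Password takes a SecureString (older versions took a plain string) are placeholders and assumptions. The key vault is created here by cmdlet rather than in the portal, which yields the same resource.

```powershell
# Added example: end-to-end Azure Disk Encryption (BitLocker) setup from PowerShell Cloud Shell.
# Assumes an existing resource group, Windows VM and storage account; all names are placeholders.
$rg        = "rg-ade-lab"          # existing resource group (placeholder)
$location  = "eastus"              # assumed region
$vmName    = "vm-ade-lab"          # preconfigured Windows VM (placeholder)
$saName    = "stadelab001"         # existing storage account for Cloud Shell (placeholder)
$shareName = "cloudshell"
$kvName    = "kv-ade-lab-" + (Get-Random -Maximum 99999)   # vault names are globally unique
$appName   = "ade-client-" + (Get-Random -Maximum 99999)
$kekName   = "ade-kek"

# 1. Key vault (the lab does this in the portal; the cmdlet produces the same resource).
New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $location | Out-Null

# 2. Cloud Shell persistence: a file share in the existing storage account.
#    Cloud Shell mounts it as $HOME/clouddrive when you select it in its storage prompt.
$sa = Get-AzureRmStorageAccount -ResourceGroupName $rg -Name $saName
New-AzureStorageShare -Name $shareName -Context $sa.Context | Out-Null

# 3. Azure AD application + service principal. The encryption extension authenticates with
#    this client secret to write the BitLocker key into the vault, so generate it at random
#    and never hard-code it in the script.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$aadClientSecret = [Convert]::ToBase64String($bytes)
$securePassword  = ConvertTo-SecureString $aadClientSecret -AsPlainText -Force
$app = New-AzureRmADApplication -DisplayName $appName -HomePage "https://$appName" `
           -IdentifierUris "https://$appName" -Password $securePassword
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# 4. Key encryption key (wraps the BitLocker volume key) and a least-privilege access policy:
#    the service principal needs only wrapKey on keys and set on secrets.
$kek = Add-AzureKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $app.ApplicationId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set
# The "advanced access policy" setting: lets the Azure platform read the secret at VM boot.
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -EnabledForDiskEncryption

# 5. Enable encryption on OS and data volumes. -Force skips the reboot confirmation prompt.
$kv = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rg
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $app.ApplicationId -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 6. Verify: both properties should read Encrypted once the extension has finished.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

Two practitioner notes. First, the AzureRM module is retired; the same script runs under the Az module by renaming the cmdlets (New-AzKeyVault, Get-AzStorageAccount, New-AzStorageShare, New-AzADApplication, New-AzADServicePrincipal, Add-AzKeyVaultKey, Set-AzKeyVaultAccessPolicy, Get-AzKeyVault, Set-AzVMDiskEncryptionExtension, Get-AzVMDiskEncryptionStatus), and the current version of Azure Disk Encryption no longer needs an Azure AD application at all, so the -AadClientID and -AadClientSecret parameters (and steps 3 and the service-principal policy) can be dropped. Second, in the Azure AD variant shown here the client secret is handed to the VM extension as a plain string, so treat it as sensitive: rotate it after the rollout, and prefer the non-AAD flow on new deployments. Step 5 reboots the VM, so take a snapshot or backup before running it in production.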


One tool for ensuring the safety of VMs is disk encryption using the Azure Key Vault. This virtual lab will give you real-world experience working with the Azure Key Vault.

In the “Enable Disk Encryption using BitLocker and Key Vault” virtual lab, you will accomplish the following:

  • Create an Azure key vault.
  • Configure the Azure Cloud Shell.
  • Create an Azure Active Directory application and service principal.
  • Add an Azure key vault key.
  • Configure the key vault access options.
  • Enable disk encryption on a virtual machine.

Other Challenges in this series:

  • GUIDED CHALLENGE: Configure Blob Storage with Private Access
  • ADVANCED CHALLENGE: Can You Enable and Configure Just in Time Virtual Machine Access in Security Center?