Azure Disk Encryption for Windows (Microsoft.Azure.Security.AzureDiskEncryption)

Article
10/21/2024

Overview

Azure Disk Encryption uses BitLocker to provide full disk encryption on Azure virtual machines running Windows. This solution is integrated with Azure Key Vault to manage disk encryption keys and secrets in your key vault subscription.

Prerequisites

For a full list of prerequisites, see Azure Disk Encryption for Windows VMs, specifically the following sections:

Extension Schema

There are two versions of extension schema for Azure Disk Encryption (ADE):

v2.2 - A newer recommended schema that does not use Microsoft Entra properties.
v1.1 - An older schema that requires Microsoft Entra properties.

To select a target schema, the typeHandlerVersion property must be set equal to version of schema you want to use.

Schema v2.2: No Microsoft Entra ID (recommended)

The v2.2 schema is recommended for all new VMs and does not require Microsoft Entra properties.

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "AzureDiskEncryption",
        "typeHandlerVersion": "2.2",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "EncryptionOperation": "[encryptionOperation]",
          "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
          "KeyVaultURL": "[keyVaultURL]",
          "KeyVaultResourceId": "[keyVaultResourceID]",
          "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
          "KekVaultResourceId": "[kekVaultResourceID]",
          "SequenceVersion": "sequenceVersion]",
          "VolumeType": "[volumeType]"
        }
  }
}

Schema v1.1: with Microsoft Entra ID

The 1.1 schema requires aadClientID and either aadClientSecret or AADClientCertificate and is not recommended for new VMs.

Using aadClientSecret:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientSecret": "[aadClientSecret]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "1.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyVaultURL": "[keyVaultURL]",
      "KeyVaultResourceId": "[keyVaultResourceID]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KekVaultResourceId": "[kekVaultResourceID]",
      "SequenceVersion": "sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Using AADClientCertificate:

{
  "type": "extensions",
  "name": "[name]",
  "apiVersion": "2019-07-01",
  "location": "[location]",
  "properties": {
    "protectedSettings": {
      "AADClientCertificate": "[aadClientCertificate]"
    },
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "1.1",
    "settings": {
      "AADClientID": "[aadClientID]",
      "EncryptionOperation": "[encryptionOperation]",
      "KeyEncryptionAlgorithm": "[keyEncryptionAlgorithm]",
      "KeyVaultURL": "[keyVaultURL]",
      "KeyVaultResourceId": "[keyVaultResourceID]",
      "KeyEncryptionKeyURL": "[keyEncryptionKeyURL]",
      "KekVaultResourceId": "[kekVaultResourceID]",
      "SequenceVersion": "sequenceVersion]",
      "VolumeType": "[volumeType]"
    }
  }
}

Property values

Note: All values are case sensitive.

Name	Value / Example	Data Type
apiVersion	2019-07-01	date
publisher	Microsoft.Azure.Security	string
type	AzureDiskEncryption	string
typeHandlerVersion	2.2, 1.1	string
(1.1 schema) AADClientID	xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx	guid
(1.1 schema) AADClientSecret	password	string
(1.1 schema) AADClientCertificate	thumbprint	string
EncryptionOperation	EnableEncryption	string
(optional - default RSA-OAEP ) KeyEncryptionAlgorithm	'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'	string
KeyVaultURL	url	string
KeyVaultResourceId	url	string
(optional) KeyEncryptionKeyURL	url	string
(optional) KekVaultResourceId	url	string
(optional) SequenceVersion	uniqueidentifier	string
VolumeType	OS, Data, All	string

Template deployment

For an example of template deployment based on schema v2.2, see Azure Quickstart Template encrypt-running-windows-vm-without-aad.

For an example of template deployment based on schema v1.1, see Azure Quickstart Template encrypt-running-windows-vm.

Note

Also if VolumeType parameter is set to All, data disks will be encrypted only if they are properly formatted.

Troubleshoot and support

Troubleshoot

For troubleshooting, refer to the Azure Disk Encryption troubleshooting guide.

Support

If you need more help at any point in this article, you can contact the Azure experts on the Azure support.

Alternatively, you can file an Azure support incident. Go to Azure support site and submit your request. For information about using Azure Support, read the 21Vianet Azure support FAQ.

Next steps

For more information about extensions, see Virtual machine extensions and features for Windows.
For more information about Azure Disk Encryption for Windows, see Windows virtual machines.