hands-on lab

Azure Key Vault and Disk Encryption

Difficulty: Intermediate
Duration: Up to 2 hours
Students: 9,421
Rating: 4.4/5
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.

Description

In this lab, you will use the Azure Key Vault service to store keys and secrets used to encrypt an Azure Virtual Machine (VM). Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by hardware security modules (HSMs). This streamlines the key management process and enables you to maintain control of keys that access and encrypt your data.

Lab Objectives

Upon completion of this lab you will be able to:

  • Use the Azure Key Vault service to store secrets and keys used for encrypting an Azure Virtual Machine
  • Use PowerShell to create the Azure Key Vault, Azure virtual machine, and deploy the Azure VM Disk Encryption Extension
  • View the Bitlocker encryption process on the encrypted VM
  • View the Azure Key Vault secrets/keys in the Azure Portal

Lab Prerequisites

You should be familiar with:

  • Basic Azure Virtual Machine and Azure Portal concepts
  • Microsoft Windows operating system basics
  • PowerShell and .NET familiarity are beneficial, but not required

Lab Environment

The lab Environment has two main pieces:

  1. The pre-provisioned Azure virtual machine you will log into to perform PowerShell commands.
  2. The PowerShell script you will use to build the Azure Key Vault and encrypted virtual machine.

You will spend most of your time in the Azure PowerShell ISE and the Azure Portal. Below is a high-level diagram of the steps you will take in this lab:

Updates

March 25th, 2024 - Updated lab to align with the new Azure Disk Encryption release

March 30th, 2023 - Resolved permissions issue

January 22nd, 2023 - Updated lab step with new screenshots & instructions

November 23rd, 2022 - Updated the instructions and screenshots to reflect the latest UI

April 27, 2022 - Updated instructions for accuracy

March 22nd, 2022 - Updated the instructions and screenshots to reflect the latest UI

February 8th, 2022 - Updated the lab to use the previous version of the Az.Resources PowerShell module to avoid a bug introduced in the latest version

December 20th, 2021 - Removed a dangling variable reference from the lab script

December 13th, 2021 - Updated Azure AD PowerShell cmdlets to work with Microsoft Graph

October 20th, 2021 - Resolved an issue caused by a breaking change in Azure Active Directory

July 20th, 2020 - Modified the lab bootstrap script to ensure all dependent PowerShell modules are installed before the New-EncryptedVM.ps1 script is available to avoid potential unrecognized cmdlet errors

February 19th, 2020 - Update the lab to use PowerShell's Az module and added validation checks to check the work performed in the lab

February 5th, 2020 - Updated lab script to resolve an issue causing invalid storage account names

December 11th, 2019 - Updated lab VM to latest Windows 2019 image and improved issues causing slow startup PowerShell performance

April 11th 2018 - Updated Key Vault Portal screenshots, resolved issue causing the PowerShell script to timeout when creating the VM, and prepared for May 2018 API changes

Covered topics

Lab steps

Logging in to the Microsoft Azure Portal
Connecting to the Azure Virtual Machine (RDP)
Viewing the PowerShell Script for Azure Key Vault
Connecting to Azure via PowerShell
Loading Azure VM Encryption Variables
Using PowerShell to build the Azure VM
Creating the Azure Key Vault
Deploying the Azure VM Disk Encryption Extension
Verifying BitLocker Drive Encryption