共用方式為


Step-by-Step: Encrypting Data Volumes in the Azure Cloud with Windows Server 2012 R2, PowerShell and BitLocker

UPDATE: A first-class management experience is now available on Azure for enabling volume encryption for Windows and Linux VMs via Azure PowerShell, the Azure Cross-Platform CLI, ARM templates, and REST API.  Please reference the article linked below for more information, technical whitepapers, and detailed step-by-step instructions regarding this new feature.

The steps below are provided for reference purposes, but are no longer valid when using the new Azure Disk Encryption feature.


The Microsoft Azure cloud platform has supported at-rest encryption of Windows Server VM data volumes via BitLocker for some time now, but I’ve found that there’s often a desire to completely automate the BitLocker configuration as part of virtual machine provisioning and startup tasks.

image

In this article, I’ll walk through the PowerShell steps to automate the provisioning of BitLocker and unlocking BitLocker-protected data disks as part of a virtual machine’s startup tasks.

Installing the BitLocker Feature

After creating a new Azure VM from the Windows Server 2012 R2 platform image, you’ll first need to install the BitLocker feature and associated management tools.

# Install the BitLocker Feature

Add-WindowsFeature BitLocker `
-IncludeManagementTools

Add a Data Disk

Before continuing on with the steps below, you’ll need to make sure that you also attach at least one data disk to your Azure VM. BitLocker is supported for Azure VM data disks, but it is not natively supported for operating system disks as of this article’s publication date ( Note that third-party solutions can be leveraged to encrypt OS disks if needed ).

You can easily add an empty data disk to your Azure VM by following these steps:

How to: Attach a Data Disk to a Windows Virtual Machine

Enabling BitLocker on Data Volumes

Next, we’ll enable BitLocker on a data volume using the BitLocker PowerShell cmdlets that were installed above as part of the management tools collection.  We’ll enable BitLocker with both a Password protector and a Recovery Password protector, so that we have a couple options for manually unlocking the BitLocker-protected disk, if needed.

# Enable BitLocker with a Password protector, so that the volume can be manually unlocked if needed
 
$password = Read-Host `
-AsSecureString `
-Prompt "Enter Password"

Enable-BitLocker F: `
-PasswordProtector `
–Password $password `
-UsedSpaceOnly

# Also add a Recovery Password Protector so that the volume can be unlocked if needed for maintenance
Enable-BitLocker F: `
-RecoveryPasswordProtector `
-UsedSpaceOnly

Add an AD Account Protector

To permit the automatic unlocking of data volumes upon startup, we’ll identify an Active Directory user account that will be used as an additional BitLocker protector.  We’ll use these credentials as part of a VM startup script later in this article to unlock data volumes upon VM startup.

# Add an AD user account as an additional BitLocker protector
Add-BitLockerKeyProtector F: `
-ADAccountOrGroupProtector `
-ADAccountOrGroup "CONTOSO\BitLockerAdmin"

Check status of the BitLocker-protected volume

Now that everything is configured, let’s check the status of our BitLocker protected data volume to make sure that it is Fully Encrypted.

# Check status of BitLocker-protected data volume

Get-BitLockerVolume F:

Unlocking BitLocker-protected Volumes on VM Startup

To automatically unlock BitLocker-protected volumes at VM startup, create a new script that includes the Unlock-BitLocker cmdlet.

Unlock-BitLocker F: `
-AdAccountOrGroup

Then, register this script to run as a startup task under the credentials used as your AD account protector above.

Register-ScheduledJob `
-Name UnlockAtStartup `
-FilePath C:\unlock.ps1 `
-Credential (Get-Credential CONTOSO\BitLockerAdmin) `
-MaxResultCount 30 `
-ScheduledJobOption `
(New-ScheduledJobOption –DoNotAllowDemandStart) `
-Trigger `
(New-JobTrigger –AtStartup)
 

Note: if your VM will be running other services that will be storing data on the BitLocker-protected data volume, those services will need to start after this startup task unlocks the volume.  You can start these services in this manner either by configuring them for an “Automatic (Delayed Start) ” startup mode, or by configuring them for a “Manual” startup mode and then including the appropriate Start-Service cmdlets at the end of the startup script created above.

Additional Resources

Learn more about BitLocker and data security with the resources listed below.