Apply disk encryption in Azure Security Center

Azure Security Center recommends that you apply disk encryption if you have Windows or Linux VM disks that are not encrypted using Azure Disk Encryption. Disk Encryption lets you encrypt your Windows and Linux IaaS VM disks. Encryption is recommended for both the OS and data volumes on your VM.

Disk Encryption uses the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux. These features provide OS and data encryption to help protect and safeguard your data and meet your organizational security and compliance commitments. Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your Key Vault subscription, while ensuring that all data in the VM disks are encrypted at rest in your Azure Storage.


Azure Disk Encryption is supported on the following Windows server operating systems - Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Disk encryption is supported on the following Linux server operating systems - Ubuntu, CentOS, SUSE, and SUSE Linux Enterprise Server (SLES).

Implement the recommendation

  1. In the Recommendations blade, select Apply disk encryption.
  2. In the Apply disk encryption blade, you see a list of VMs for which Disk Encryption is recommended.
  3. Follow the instructions to apply encryption to these VMs.

To encrypt Azure Virtual Machines that have been identified by Security Center as needing encryption, we recommend the following steps:

  • Install and configure Azure PowerShell. This enables you to run the PowerShell commands required to set up the prerequisites required to encrypt Azure Virtual Machines.
  • Obtain and run the Azure Disk Encryption Prerequisites Azure PowerShell script.
  • Encrypt your virtual machines.

Encrypt a Windows IaaS VM with Azure PowerShell walks you through these steps. This topic assumes you are using a Windows client machine from which you configure disk encryption.

There are many approaches that can be used for Azure Virtual Machines. If you are already well-versed in Azure PowerShell or Azure CLI, then you may prefer to use alternate approaches. To learn about these other approaches, see Azure disk encryption.

See also

This document showed you how to implement the Security Center recommendation "Apply disk encryption." To learn more about disk encryption, see the following:

To learn more about Security Center, see the following: