Important
Azure Disk Encryption for Virtual Machines and Virtual Machine Scale Sets will be retired on September 15, 2028. New customers should use encryption at host for all new VMs. Existing customers should plan to migrate current ADE-enabled VMs to encryption at host before the retirement date to avoid service disruption -- see Migrate from Azure Disk Encryption to encryption at host.
Applies to: ✔️ Windows VMs ✔️ Flexible scale sets
The Azure CLI is used to create and manage Azure resources from the command line or in scripts. This quickstart shows you how to use the Azure CLI to create and encrypt a Windows Server 2016 virtual machine (VM).
If you don't have an Azure account, create a free account before you begin.
Prerequisites
- Use the Bash environment in Azure Cloud Shell. For more information, see Get started with Azure Cloud Shell. 
- If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
  - If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Authenticate to Azure using Azure CLI.
- When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use and manage extensions with the Azure CLI. 
- Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade. 
- This article requires version 2.0.30 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
Create a resource group
Create a resource group with the az group create command. An Azure resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named myResourceGroup in the eastus location:
az group create --name myResourceGroup --location eastus
Create a virtual machine
Create a VM with az vm create. The following example creates a VM named myVM. This example uses azureuser for an administrative user name and myPassword12 as the password.
az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image win2016datacenter \
    --admin-username azureuser \
    --admin-password myPassword12
It takes a few minutes to create the VM and supporting resources. The following example output shows the VM create operation was successful.
{
  "fqdns": "",
  "id": "/subscriptions/<guid>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "location": "eastus",
  "macAddress": "00-0D-3A-23-9A-49",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "52.174.34.95",
  "resourceGroup": "myResourceGroup"
}
Create a Key Vault configured for encryption keys
Azure Disk Encryption stores its encryption key in an Azure Key Vault. Create a Key Vault with az keyvault create. To enable the Key Vault to store encryption keys, use the --enabled-for-disk-encryption parameter.
Important
Each Key Vault must have a unique name. This example creates a Key Vault named myKV, but you must name yours something different.
az keyvault create --name "myKV" --resource-group "myResourceGroup" --location eastus --enabled-for-disk-encryption
Encrypt the virtual machine
Encrypt your VM with az vm encryption enable, providing your unique Key Vault name to the --disk-encryption-keyvault parameter.
az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault myKV
You can verify that encryption is enabled on your VM with az vm encryption show:
az vm encryption show --name MyVM -g MyResourceGroup
You will see the following in the returned output:
"EncryptionOperation": "EnableEncryption"
Clean up resources
When no longer needed, you can use the az group delete command to remove the resource group, VM, and Key Vault.
az group delete --name myResourceGroup
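The create, encrypt and verify steps of this quickstart as one script, added here as an example; it is not part of the original quickstart and is not Microsoft's code. It generates a Key Vault name that is unlikely to collide, leaves out --admin-password so the CLI prompts for it, and fails unless the verification output contains the line shown above. The function names and the "kv" naming scheme are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: the quickstart's steps as one script (not Microsoft's code).
# Function names and the "kv" naming scheme are assumptions of this example.
RG="myResourceGroup"; VM="myVM"; LOCATION="eastus"

# Build a Key Vault name unlikely to collide: "kv" + up to 14 alphanumerics
# from the seed + 8 random hex chars (24 chars max, starts with a letter).
kv_name() {
    seed=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9' | cut -c1-14)
    rand=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    printf 'kv%s%s\n' "$seed" "$rand"
}

# Read `az vm encryption show` output on stdin; succeed only if it carries
# the line the quickstart tells you to look for.
encryption_enabled() {
    grep -Eq '"EncryptionOperation"[[:space:]]*:[[:space:]]*"EnableEncryption"'
}

provision() {
    set -e
    kv=$(kv_name "$RG")
    az group create --name "$RG" --location "$LOCATION"
    # --admin-password is left out so az prompts for it; the password then
    # stays out of shell history and the process list.
    az vm create --resource-group "$RG" --name "$VM" \
        --image win2016datacenter --admin-username azureuser
    az keyvault create --name "$kv" --resource-group "$RG" \
        --location "$LOCATION" --enabled-for-disk-encryption
    az vm encryption enable -g "$RG" --name "$VM" --disk-encryption-keyvault "$kv"
    if az vm encryption show --name "$VM" -g "$RG" | encryption_enabled; then
        echo "encryption enabled on $VM (key vault: $kv)"
    else
        echo "encryption NOT confirmed on $VM" >&2
        return 1
    fi
}

# Nothing is created unless the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then provision; fi
```

Remove everything the script created with the az group delete command above.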
Next steps
In this quickstart, you created a virtual machine, created a Key Vault that was enabled for encryption keys, and encrypted the VM. Advance to the next article to learn more about Azure Disk Encryption prerequisites for IaaS VMs.
