
Using Azure Disk Encryption (ADE) on Host Pools

Introduction

Azure Disk Encryption (ADE) encrypts the OS and data disks of Azure virtual machines (VMs) from inside the guest, using BitLocker on Windows session hosts; the key encryption key and the BitLocker secrets are kept in Azure Key Vault. Note that ADE cannot be combined with a disk encryption set (server-side encryption with customer-managed keys).

To roll out session hosts with ADE, you need an Azure Key Vault that holds the key encryption key and an Azure Key Vault that stores the BitLocker secrets of the disks (they can be the same vault). The vault must be in the same subscription and region as the session hosts.

Setting Up a Key Vault

  • First, create a Key Vault in the Azure Portal

  • Give the service principal (from the tenant configuration) the Contributor role on the vault under Access control (IAM)

  • In Access Policies, give the service principal the following permissions:

    • Key permissions: Get, Encrypt, Wrap Key.

    • Secret permissions: Set.

  • Check the following boxes:

    • Azure Virtual Machines for deployment.

    • Azure Disk Encryption for volume encryption.

  • Give yourself the following permissions: Key and secret management

  • Go to Keys and click Generate. Enter a name and select RSA as the key type with a size of 4096 bits

  • Click the generated key and then its current version. Copy the Key Identifier; it must include the version, e.g., https://avd-disks.vault.azure.net/keys/ADE-Encryption/bf270e977a574813a87bb637d57a6675
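
The same vault setup scripted with the Az PowerShell module, as an added example that is not part of the Hydra documentation or of Hydra itself. The resource group, region, vault and key names, the application ID of the service principal and the use of an access-policy vault are assumptions; replace them with your own values.

```powershell
# Added example: scripted equivalent of the portal steps above (Az PowerShell module).
# All names, the region and the application ID are placeholders.
$rg         = 'rg-avd'                                  # assumed resource group
$location   = 'westeurope'                              # must match the region of the session hosts
$vaultName  = 'avd-disks'                               # assumed, must be globally unique
$keyName    = 'ADE-Encryption'
$hydraAppId = '00000000-0000-0000-0000-000000000000'    # application ID of the Hydra service principal (placeholder)
$me         = (Get-AzContext).Account.Id                # your own UPN, for "Key and secret management"

# 1. Create the vault with both ADE checkboxes set. Keep it in access-policy mode:
#    the steps on this page (and Set-AzKeyVaultAccessPolicy below) do not apply to an RBAC-mode vault.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnabledForDeployment -EnabledForDiskEncryption -EnableRbacAuthorization:$false

# 2. Contributor on the vault resource (Access control / IAM) for the service principal.
$sp = Get-AzADServicePrincipal -ApplicationId $hydraAppId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $vault.ResourceId

# 3. Access policy for the service principal: Get, Encrypt, Wrap Key on keys; Set on secrets.
#    Add create and update to the key permissions if Hydra should generate a key per session host.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id `
    -PermissionsToKeys get,encrypt,wrapKey -PermissionsToSecrets set

# 4. "Key and secret management" for yourself.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName $me `
    -PermissionsToKeys get,list,update,create,import,delete,recover,backup,restore `
    -PermissionsToSecrets get,list,set,delete,recover,backup,restore

# 5. RSA 4096 key encryption key. The Id property is the versioned key identifier to paste into Hydra.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software -KeyType RSA -Size 4096

# Guard against copying the version-less key URL: a versioned identifier has the
# segments "/", "keys/", "<name>/", "<version>".
if (([uri]$kek.Id).Segments.Count -ne 4) {
    throw "Key identifier is missing its version: $($kek.Id)"
}
$kek.Id
```

Run it in a session where Connect-AzAccount has selected the subscription that will host the session hosts; the last line prints the identifier that goes into the ADE Encryption Key URL field.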

Hydra Steps

In Hydra, underneath New Session Host Rollout:

  • Navigate to Advanced settings.

  • In ADE Key Vault, choose the Key Vault.

  • In the ADE Encryption Key URL, paste the Key Identifier URL from above.

If you leave the ADE Encryption Key URL empty, Hydra creates a new key for each session host. For this, the service principal needs two additional key permissions: Create and Update.


Deploy a new session host and verify that its disk is ADE encrypted, for example with Get-AzVMDiskEncryptionStatus (OsVolumeEncrypted should report Encrypted and OsVolumeEncryptionSettings should reference your vault and key).
