AzureDiskEncryption via Bicep

This blog post is about using the AzureDiskEncryption VM Extension for Azure via Bicep. I struggled with this for a while. Furthermore, I couldn’t find much information about this topic. So, I decided to write a blog post about it.

The VM Extension is the same as, for example, the domain join VM Extension. I struggled with the parameters.

Why do you want to use bicep instead of Powershell for example? With bicep, it’s easier to deploy this in parallel if you deploy multiple VMs.


These are the prerequisites for using the AzureDisEncryption extension:

– The bicep tools are installed and configured on your machine. Link
– Existing VM in your Azure subscription (for testing purposes, you can add it to a complete VM template later.) You can review the deployment of a Windows VM via Bicep in another post of mine.
– Azure Keyvault deployed and available for Azure template deployment. You can find the details here.

The VM Extension

This is the code for the VM Extension in Bicep.

Save this code as a .bicep file:

param vmName string = ''
param keyVaultName string = ''
param keyVaultResourceGroup string = ''
param keyEncryptionKeyURL string = ''
param location string = ''

var extensionName = 'AzureDiskEncryption'
var keyVaultResourceID = resourceId(keyVaultResourceGroup, 'Microsoft.KeyVault/vaults/', keyVaultName)

resource DiskEncryption 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
  name: '${vmName}/${extensionName}'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryption'
    typeHandlerVersion: '2.2'
    autoUpgradeMinorVersion: true
    forceUpdateTag: '1.0'
    settings: {
      EncryptionOperation: 'EnableEncryption'
      KeyVaultURL: reference(keyVaultResourceID, '2019-09-01').vaultUri
      KeyVaultResourceId: keyVaultResourceID
      KeyEncryptionKeyURL: keyEncryptionKeyURL
      KekVaultResourceId: keyVaultResourceID
      KeyEncryptionAlgorithm: 'RSA-OAEP'
      VolumeType: 'All'
      ResizeOSDisk: false

Example Deployment

I will now show the example to deploy AzureDiskEncryption via Bicep.

Firstly, we need to log on to Azure via the command line. I use Azure CLI to do so. You can download en configure it via this link.

After that, you can log on to Azure using:

az login

Next, if you have multiple subscriptions, please select the appropriate subscription by using this command:

az account set --subscription <subscriptionid>

Now we can deploy the VM Extension on an existing VM and with an existing Key vault.

Use the following code to do so:

$vmName = "NielskokTech-TestVM"
$VMResourcegroup = "RG_WE_TestVM"
$keyVaultName = "NielsKokTech-Keyvault" 
$keyVaultResourceGroup = "RG_WE_KeyVaults" 
$keyEncryptionKeyURL = ""
$location = "WestEurope"
$TemplateFile = "C:\Temp\DiskEncryptionExtension.bicep"

az deployment group create --resource-group $VMResourcegroup --template-file $TemplateFile --parameters vmName=$vmName keyVaultName=$keyVaultName keyVaultResourceGroup=$keyVaultResourceGroup keyEncryptionKeyURL=$keyEncryptionKeyURL location=$location

During the deployment, you can check the progress at this location:

AzureDiskEncryption via Bicep - Deployment
After that, you can see the AzureDiskEncryption enabled:

3 thoughts on “AzureDiskEncryption via Bicep”

  1. Hi Niels

    Love your blog and your work
    I have a question a have a devops pipeline that build AVD VMs using terraform
    Any idea how could i update my pipeline to it would enable ADE for all VMs that i have a future one that i will build ?

    • Hi David,

      You should add a extension to your Terraform template that also enables disk encryption. That should be possible.



Leave a Comment