Azure Disk Encryption is a capability that encrypts the disks of your Windows and Linux IaaS virtual machines. It uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks.

It gives you encrypted virtual disks in Azure, which improves virtual machine (VM) security and helps with compliance. Disks are encrypted with cryptographic keys that are protected in an Azure Key Vault. The keys can be stored in Key Vault with software protection, or you can import or generate them in Hardware Security Modules (HSMs) validated to the FIPS 140-2 Level 2 standard. These keys are used to encrypt and decrypt the virtual disks attached to your VM. An Azure Active Directory service principal is the identity the encryption extension uses to write the disk encryption secrets to Key Vault and read them back as the VM is powered on or off.
Prerequisites:
Steps to Encrypt Azure Virtual Machine (Azure vm):
Before doing this exercise you need Azure PowerShell on your desktop. If it is not installed, download it from the following link:
“https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids”
Once PowerShell is installed, go to the following link to download ADEPrereqScript.ps1.
Copy the whole content into Notepad and save it with the file name “ADEPrereqScript.ps1”.
Run the Script for Azure Disk Encryption:
The script prompts for four values:
- Resource Group Name: Name of the resource group that you want to put the key vault into. A new resource group with the name you enter is created if one with that name does not already exist. If you already have a resource group in this subscription that you want to use, enter its name.
- Key Vault Name: Name of the key vault in which the encryption keys are to be placed. A new key vault with this name is created if you do not already have one with this name. If you already have a key vault that you want to use, enter its name.
- Location: Location of the key vault. Make sure the key vault and the VMs to be encrypted are in the same location; Azure Disk Encryption requires this.
- Azure Active Directory Application Name: Name of the Azure Active Directory application that will be used to write secrets to the key vault. A new application with this name is created if one does not exist. If you already have an Azure Active Directory application that you want to use, enter its name.
I am going to create a new application and resource group in Azure using this PowerShell script.
1. Start -> Windows PowerShell ISE
2. Right-click Windows PowerShell ISE and click Run as administrator
3. Click View and then click Show Script Pane
4. Open the PowerShell script in the Script Pane
5. Change the directory in PowerShell to the local folder where you saved the script.
6. Set the execution policy on your machine so the script is allowed to run: Set-ExecutionPolicy Unrestricted. (RemoteSigned is sufficient for a script saved locally, and adding -Scope Process limits the change to the current session instead of the whole machine.)
7. Click Yes to All to confirm the policy change.
8. Log in to your Azure account in PowerShell (Login-AzureRmAccount).
9. You will be prompted for the username and password of your Azure account.
10. Once logged in to Azure, run the script you downloaded.
11. I am going to create a new ResourceGroupName, KeyVaultName, Location and Azure Active Directory application.
12. Once the script has finished, note down the values it prints; you need them to enable encryption on your VMs. One of them is the application's client secret, so treat that output as a credential.

Encrypt the Azure Virtual Machine (azure vm):
Now you are ready to encrypt the virtual machine. If the VM is in the same resource group as the key vault, the values printed by the prerequisite script can be used as they are; if it is not, set $resourceGroupName to the VM's resource group instead. In either case, define the following variables in the PowerShell console, replacing the placeholders in angle brackets with your own values:
$resourceGroupName = '<Virtual_Machine_RG>'
$vmName = '<Virtual Machine Name>'
$aadClientID = '<Application Client ID>'
$aadClientSecret = '<Application Client Secret>'
$diskEncryptionKeyVaultUrl = '<Key Vault URL>'
$keyVaultResourceId = '<Key Vault Resource ID>'
Apart from the VM name and its resource group, all of these values were printed to the PowerShell console by the prerequisite script. $aadClientSecret is a credential: do not leave it in a saved script or a shared console transcript.

The following command encrypts the disks of a running virtual machine in your Azure subscription. -VolumeType All covers both the OS and the data disks; because encrypting the OS disk restarts the VM, the cmdlet asks for confirmation first.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -VolumeType All
After typing the above command, press ENTER.

Once the cmdlet has completed you will see the result of the disk encryption request.

Great! The result is success: my virtual machine is now encrypted. You can check this in the Azure portal:
Azure Portal -> Virtual Machine -> Disks

On the Disks blade you will see that Encryption is Enabled. From PowerShell, Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName reports the encryption state of the OS and data volumes separately, which is the check to rely on before treating the VM as encrypted.
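The whole encryption step, with the checks a practitioner would run before and after the cmdlet, as an added example that is not part of the original post or the ADEPrereqScript.ps1 script. It assumes the AzureRM module, an existing Login-AzureRmAccount session, and that the prerequisite script has already created the key vault and the AAD application; every resource name, URL and ID in it is a placeholder.

```powershell
# Added example (not from the original post): enable Azure Disk Encryption on one
# VM with pre-flight checks and a status poll. Assumes the AzureRM module and an
# existing Login-AzureRmAccount session. All names, URLs and IDs are placeholders;
# replace them with the values printed by ADEPrereqScript.ps1.

$resourceGroupName         = 'Virtual_Machine_RG'    # resource group of the VM
$vmName                    = 'myvm01'
$aadClientID               = '00000000-0000-0000-0000-000000000000'
$diskEncryptionKeyVaultUrl = 'https://mykeyvault.vault.azure.net/'
$keyVaultResourceId        = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/KeyVault_RG/providers/Microsoft.KeyVault/vaults/mykeyvault'

# Prompt for the client secret rather than hard-coding it or pasting it into the
# console history; the cmdlet itself still needs it as a plain string.
$secureSecret = Read-Host -Prompt 'AAD application client secret' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureSecret)
try     { $aadClientSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Check 1: the VM and the key vault must be in the same region.
$vm        = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName
$vaultName = ($keyVaultResourceId -split '/')[-1]
$vault     = Get-AzureRmKeyVault -VaultName $vaultName
$vmLoc     = ($vm.Location    -replace '\s', '').ToLowerInvariant()
$vaultLoc  = ($vault.Location -replace '\s', '').ToLowerInvariant()
if ($vmLoc -ne $vaultLoc) {
    throw "VM '$vmName' is in '$($vm.Location)' but key vault '$vaultName' is in '$($vault.Location)'"
}

# Check 2: the vault must be enabled for disk encryption so the Azure platform
# can read the disk encryption secrets when the VM boots.
if (-not $vault.EnabledForDiskEncryption) {
    throw "Key vault '$vaultName' is not enabled for disk encryption (see Set-AzureRmKeyVaultAccessPolicy -EnabledForDiskEncryption)"
}

# Check 3: do nothing if the VM is already fully encrypted.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName
if ([string]$status.OsVolumeEncrypted -eq 'Encrypted' -and [string]$status.DataVolumesEncrypted -eq 'Encrypted') {
    Write-Host "VM '$vmName' is already encrypted"
    return
}

# Enable encryption. -VolumeType All covers OS and data disks; encrypting the OS
# disk restarts the VM, which is why the cmdlet normally asks for confirmation
# (-Force suppresses that prompt for unattended use).
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -VolumeType All -Force

# Poll until the reported state settles. A data disk that is attached but not
# mounted cannot be encrypted and is reported as NotMounted; that is not an error.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName
    Write-Host ('{0:u}  OS: {1}  Data: {2}' -f (Get-Date), $status.OsVolumeEncrypted, $status.DataVolumesEncrypted)
    $done = ([string]$status.OsVolumeEncrypted -eq 'Encrypted') -and
            ([string]$status.DataVolumesEncrypted -in @('Encrypted', 'NotMounted'))
} until ($done -or (Get-Date) -gt $deadline)

if (-not $done) {
    throw "Encryption did not complete within 30 minutes; check the AzureDiskEncryption extension status on the VM"
}
Write-Host "Encryption enabled on '$vmName'; secrets are stored in '$diskEncryptionKeyVaultUrl'"
```

The location and EnabledForDiskEncryption checks catch the two most common reasons the extension fails after the VM has already been restarted, and the poll at the end is what turns the cmdlet's "request accepted" into a verified state you can record for compliance purposes.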