Encrypt an Azure VM with PowerShell

You can encrypt a virtual machine (VM) in Azure with PowerShell in five easy steps.

To provide virtual machines (VMs) with encryption capability, we need to ensure we first have the  required key components. We will be going through Azure VM encryption in our scenario, but I'd like to give you a short overview about Azure Storage Service Encryption (SSE). This may be useful to see an alternative encryption method that Azure provides.

Azure SSE automatically encrypts all managed disks in the background. In other words, there is no user-level interaction to encrypt disks explicitly in storage accounts. Once enabled, Azure SSE encrypts all new data written on the disks going forward, but existing data before encryption remains unencrypted.

Prerequisites ^

Let's take a look at the components required to be able to implement Azure VM encryption.

Azure Active Directory (AD) application: We'll need an Azure AD application to communicate with Azure Key Vault. This will obtain key details and start encryption on a VM.

Azure Key Vault: Azure VM encryption relies on BitLocker Drive Encryption technology in the background. To encrypt a VM with BitLocker, we need to ensure we have a key management system to orchestrate the entire encryption and manage keys afterwards.

Existing Azure VM: In our scenario, we will be implementing disk encryption as a VM extension. Thus, we need to have an existing VM to enable encryption on. In different scenarios, you may also want to enable encryption in your Azure Resource Manager (Azure RM) templates and encrypt your VMs during VM provisioning.

Log in to Azure ^

First, we log in to Azure RM (please make sure you have the latest Azure RM PowerShell modules installed).

Providing required information ^

These are the only required values we need to provide. Note that ResourceGroupName here represents an existing resource group in which the VM is running.

Creating a new Azure AD app ^

Now we can create our Azure AD application. We will be using this app for accessing the key vault to obtain keys for enabling encryption on our VM.

Since we are not going to use this application for any other purposes but encrypting VMs, it is fine just providing generic values for the HomePage and IdentifierUris parameters.

Creation of a new Azure AD application

Creation of a new Azure AD application

The AzureADClientSecret value will not display in the Azure Portal. In case you want to use this application for any other purposes, this key would be necessary to proceed. It is important to save this key for future purposes.

Azure application Client Secret value does not display in the Azure Portal

Azure application Client Secret value does not display in the Azure Portal

Creating a new Azure Key Vault ^

Now it is time to create a new key vault for creating and storing encryption keys. We will be able to use these keys to encrypt VMs afterwards.

Newly created key vault appears in Azure Portal

Newly created key vault appears in Azure Portal

After creating the key vault, we must configure the key vault access policy. This will allow the Azure AD application to obtain key vault details (keys, policies, and such) to be able to encrypt VMs.

Key vault access policies assign required permissions on key vaults to users or applications

Key vault access policies assign required permissions on key vaults to users or applications

Encrypting a VM ^

The final step is to enable encryption on a VM by setting a new Azure VM extension. Since we have all required values in terms of the Azure app and key vault details, we are now ready to start encryption.

Once encryption starts, it takes couple of hours to complete. During this period, encryption will continue in the background, and we will be able to log on to the VM and use it without any restrictions.

We can check whether the process has triggered the Azure VM encryption extension to start encryption on the VM.

Provisioning of the AzureDiskEncryption extension

Provisioning of the AzureDiskEncryption extension

To check the encryption status, you have to log into the VM.

BitLocker Drive Encryption has started on a VM

BitLocker Drive Encryption has started on a VM

It is possible to continue working on the VM without having to wait for the encryption to complete.

The encryption process may take several hours to complete

The encryption process may take several hours to complete

BitLocker Drive Encryption will be in place once the encryption is complete.

VM disks display as encrypted by BitLocker Drive Encryption

VM disks display as encrypted by BitLocker Drive Encryption

Conclusion ^

Azure Security Center constantly checks VMs and shows those that are not encrypted. Getting the VM disks encrypted is a critical task to perform in terms of VM security.

Below is the entire code you need to encrypt the VMs:

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads by becoming a member!

2+
Share
0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account