To encrypt the disks of an Azure virtual machine (VM), we first need the key management components in place. This article walks through Azure VM encryption (Azure Disk Encryption) in PowerShell, but a short overview of Azure Storage Service Encryption (SSE) is useful first, because it is the other encryption layer Azure offers and the two are often confused.
Azure SSE encrypts data at rest inside the storage service, transparently and in the background, with keys the platform manages; there is nothing to configure or install inside the VM, and managed disks are always SSE-encrypted. For a storage account on which SSE was only switched on later, be aware that only data written after enabling is encrypted; blobs that already existed stay unencrypted until they are rewritten. SSE therefore protects the physical storage behind a disk. Azure Disk Encryption, the subject of this article, encrypts the OS and data volumes inside the guest with keys that you control in Azure Key Vault, so a copy of the VHD is unreadable without those keys.
Prerequisites
Let's take a look at the components required to be able to implement Azure VM encryption.
Azure Active Directory (AD) application: We need an Azure AD application (and its service principal) so that the disk encryption extension can authenticate to Azure Key Vault. The extension uses the app's client ID and secret to write the volume encryption key into the vault and to start encryption on the VM, so the client secret is a credential and must be protected like one.
Azure Key Vault: On Windows VMs, Azure VM encryption uses BitLocker Drive Encryption under the hood (on Linux it uses dm-crypt). The BitLocker keys have to live somewhere the platform can reach, so we need a key vault to hold them and, optionally, a key encryption key to wrap them. The vault must be in the same region and subscription as the VM.
Existing Azure VM: In our scenario, we enable disk encryption as a VM extension, so we need an existing VM to enable it on. In other scenarios, you may prefer to enable encryption in your Azure Resource Manager (Azure RM) templates so that VMs are encrypted during provisioning.
Log in to Azure
First, we log in to Azure RM (please make sure you have the latest Azure RM PowerShell modules installed). Note that the AzureRM module used throughout this article has since been retired in favor of the Az module; the cmdlets below have direct Az equivalents (Connect-AzAccount, New-AzKeyVault, Set-AzVMDiskEncryptionExtension, and so on) and the flow is the same.
Login-AzureRmAccount
Providing required information
These are the only values we need to provide. ResourceGroupName is the existing resource group in which the VM is running, and the location must be the region the VM runs in, because the key vault has to be in the same region as the VM. The key vault name is new and must be globally unique across Azure.
$VMName = "EncryptionTest" # Existing VM name for which we want to enable encryption
$ResourceGroupName = "EncryptionTest" # Resource group in which the VM is running
$KeyVaultName = "TestKeyVault-Onur" # New key vault name; must be globally unique
$location = "West Europe" # Azure location where the VM is running
Creating a new Azure AD app
Now we can create our Azure AD application and its service principal. The disk encryption extension will use this app's credentials to access the key vault when enabling encryption on our VM.
$AzureADClientSecret = "34uv0934q8uc09qr934q8yrx982yn08qr3=" # Replace with a long, randomly generated secret; this is the app's password
$AzureADApplication = New-AzureRmADApplication -DisplayName "EncryptionApp" -HomePage "https://localhost/EncryptionTest" -IdentifierUris "https://localhost/EncryptionTest" -Password $AzureADClientSecret
$AzureADApplicationID = $AzureADApplication.ApplicationId
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureADApplication.ApplicationId
Since we are not going to use this application for anything other than encrypting VMs, generic values for the HomePage and IdentifierUris parameters are fine. Newer releases of the AzureRM.Resources module expect -Password as a SecureString; if the cmdlet rejects the plain string, wrap it with ConvertTo-SecureString -AsPlainText -Force.
The client secret is shown nowhere in the Azure Portal after creation and cannot be retrieved later; if you lose it, you have to add a new credential to the application. Save it in a secrets store rather than in the script itself, because anyone holding it can obtain the BitLocker key material from the vault.
Creating a new Azure Key Vault
Now it is time to create a new key vault for creating and storing encryption keys. We will be able to use these keys to encrypt VMs afterwards.
$AzureKeyVault = New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Sku Standard -Location $location
After creating the key vault, we must configure its access policy. The application needs exactly two rights: Set on secrets, so the extension can store the BitLocker volume encryption key as a secret, and wrapKey on keys, so it can wrap that secret with a key encryption key if one is used. The vault must also be enabled for disk encryption, which lets the Azure platform retrieve the secrets on behalf of the VM at boot.
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $AzureADApplicationID -PermissionsToKeys wrapKey -PermissionsToSecrets Set
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption
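Before handing the vault to the extension, it is worth confirming that the two settings above actually landed and that the application was granted nothing beyond wrapKey and Set. The following function is an added example, not code from the original article; it assumes the $KeyVaultName and $AzureADApplicationID variables from the steps above are set and that Login-AzureRmAccount has already run.

```powershell
# Added example (not from the original article): verify that the key vault is
# ready for Azure Disk Encryption and that the AAD app holds only the
# permissions it needs. Assumes $KeyVaultName and $AzureADApplicationID from
# the steps above and an active Login-AzureRmAccount session.
function Test-DiskEncryptionVaultConfig {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ApplicationId
    )

    $vault = Get-AzureRmKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Key vault '$VaultName' not found" }

    # Access policy entries are keyed on the service principal's object ID,
    # not on the application ID, so resolve it first.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ApplicationId
    if (-not $sp) { throw "No service principal found for application $ApplicationId" }

    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

    $findings = @()
    if (-not $vault.EnabledForDiskEncryption) {
        $findings += "EnabledForDiskEncryption is not set; the platform cannot read the VM's secrets at boot"
    }
    if (-not $policy) {
        $findings += "No access policy for service principal $($sp.Id)"
    } else {
        # Least privilege: ADE needs only wrapKey on keys and set on secrets.
        # PowerShell's -ne is case-insensitive, so 'wrapkey' and 'wrapKey' both match.
        $extraKeys    = $policy.PermissionsToKeys    | Where-Object { $_ -ne 'wrapKey' }
        $extraSecrets = $policy.PermissionsToSecrets | Where-Object { $_ -ne 'set' }
        if ($extraKeys)    { $findings += "Excess key permissions: $($extraKeys -join ', ')" }
        if ($extraSecrets) { $findings += "Excess secret permissions: $($extraSecrets -join ', ')" }
        if ($policy.PermissionsToCertificates) {
            $findings += "Unneeded certificate permissions: $($policy.PermissionsToCertificates -join ', ')"
        }
    }

    [pscustomobject]@{
        VaultName = $VaultName
        Ready     = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-DiskEncryptionVaultConfig -VaultName $KeyVaultName -ApplicationId $AzureADApplicationID
```

A Ready value of $false with a non-empty Findings list means either the vault flag or the policy needs to be fixed before Set-AzureRmVMDiskEncryptionExtension is run; running it anyway fails late, after the extension has already been pushed to the VM.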
Encrypting a VM
The final step is to enable encryption on the VM by deploying the Azure Disk Encryption VM extension. Since we have all required values for the Azure AD app and the key vault, we are now ready to start encryption. The cmdlet asks for confirmation (suppress it with -Force in scripts) and may restart the VM to activate BitLocker, so plan the run in a maintenance window.
$DiskEncryptionKeyVaultUrl = $AzureKeyVault.VaultUri
$KeyVaultResourceId = $AzureKeyVault.ResourceId
$AADClientID = $AzureADApplicationID
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AzureADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
Once encryption starts, it can take a couple of hours to complete, depending on disk size. During this period, encryption continues in the background, and we can log on to the VM and use it without restrictions.
We can check whether the extension was deployed and whether it has started encrypting the volumes. The status does not require logging on to the VM: Get-AzureRmVMDiskEncryptionStatus reports the state of the OS and data volumes from the management plane. Inside the guest, BitLocker itself can be queried with manage-bde -status or Get-BitLockerVolume, which also shows the percentage encrypted. It is possible to keep working on the VM while encryption runs; once it finishes, BitLocker Drive Encryption is in place on the volumes and the Azure status reports them as Encrypted.
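The following is an added example, not part of the original article: it polls the encryption status from PowerShell until both the OS and data volumes report as done, instead of logging on to the VM to look at BitLocker. It assumes the $ResourceGroupName and $VMName variables from the steps above and an active Login-AzureRmAccount session; the timeout and poll interval are arbitrary defaults.

```powershell
# Added example (not from the original article): wait for Azure Disk Encryption
# to finish by polling Get-AzureRmVMDiskEncryptionStatus. Assumes the
# $ResourceGroupName and $VMName variables from the steps above and an active
# Login-AzureRmAccount session.
function Wait-AzureRmVMDiskEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [int] $TimeoutMinutes = 180,   # arbitrary default; large disks take longer
        [int] $PollSeconds = 60
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
        Write-Host ("{0:u}  OS: {1}  Data: {2}  {3}" -f (Get-Date),
            $status.OsVolumeEncrypted, $status.DataVolumesEncrypted, $status.ProgressMessage)

        # The OS volume must report Encrypted. Data volumes report Encrypted
        # when done, or NotMounted when the VM simply has no data disks.
        $osDone   = $status.OsVolumeEncrypted -eq 'Encrypted'
        $dataDone = $status.DataVolumesEncrypted -in 'Encrypted', 'NotMounted'
        if ($osDone -and $dataDone) { return $status }

        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    throw "Encryption of $VMName did not complete within $TimeoutMinutes minutes; last state: OS=$($status.OsVolumeEncrypted) Data=$($status.DataVolumesEncrypted)"
}

$final = Wait-AzureRmVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMName $VMName

# The settings show which vault and (if any) key encryption key protect the volume
# key; this is what you would check when auditing a fleet of VMs.
$final.OsVolumeEncryptionSettings

# Inside the guest (RDP session), the same progress is visible from BitLocker:
#   manage-bde -status
#   Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

A VMRestartPending or EncryptionInProgress state is normal for the first minutes after the extension is deployed; only a status that stays at NotEncrypted after the VM has restarted indicates that the extension failed, in which case the extension's status in the portal or Get-AzureRmVMExtension shows the error message.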
Conclusion
Azure Security Center continuously scans VMs and flags those whose disks are not encrypted. Encrypting VM disks is a critical task for VM security, because it is what keeps a copied or exported VHD unreadable without the keys held in Key Vault.
Below is the entire code you need to encrypt a VM:
# Step 1 - Log in to Azure
Login-AzureRmAccount

# Step 2 - Provide required information
$VMName = "EncryptionTest" # Existing VM name for which we want to enable encryption
$ResourceGroupName = "EncryptionTest" # Resource group in which the VM is running
$KeyVaultName = "TestKeyVault-Onur" # New key vault name; must be globally unique
$location = "West Europe" # Azure location where the VM is running

# Step 3 - Create a new Azure AD app and service principal
$AzureADClientSecret = "34uv0934q8uc09qr934q8yrx982yn08qr3=" # Replace with a long, randomly generated secret; this is the app's password
$AzureADApplication = New-AzureRmADApplication -DisplayName "EncryptionApp" -HomePage "https://localhost/EncryptionTest" -IdentifierUris "https://localhost/EncryptionTest" -Password $AzureADClientSecret
$AzureADApplicationID = $AzureADApplication.ApplicationId
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureADApplication.ApplicationId

# Step 4 - Create a new Azure Key Vault and grant the app least-privilege access
$AzureKeyVault = New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Sku Standard -Location $location
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $AzureADApplicationID -PermissionsToKeys wrapKey -PermissionsToSecrets Set
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption

# Step 5 - Encrypt the VM (may restart the VM; add -Force to skip the confirmation prompt)
$DiskEncryptionKeyVaultUrl = $AzureKeyVault.VaultUri
$KeyVaultResourceId = $AzureKeyVault.ResourceId
$AADClientID = $AzureADApplicationID # Application (client) ID, not the object ID
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AzureADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId