Microsoft provides the ability to encrypt VMs VHD files. This can be achieved by the Azure Key Vault service. But, before we start, let’s find an explanation about Azure Key Vault and what it does.
Azure Key Vault is a vault that contains keys, secrets and it is hosted in the Azure Cloud.
Important Terms & Definitions
Term | Definition |
KEK – Key Encryption Key | A cryptographic key that is used to encrypt other keys for transmission or storage but not application data. Source |
Software Keys | Softwares keys are used basically in compute VMs and are most used from dev/test users. |
HSM keys – Hardware Security Modules | HSM keys are used for production environments and are available in Premium. |
Service Principal | It’s a service account with specific privileges which allow running several tasks on Azure. |
Application ID | Application ID in all case is the Client ID in Azure Active Directory. |
Prerequisites
Bellow are the Azure Disk Encryption Prerequisites :
- AAD Enterprise Application
- Key Vault
- Virtual Machine: The solution is supported for specific Azure Standard VM tiers, A, D, DS, G, GS, F, and so forth series IaaS VMs
- Install Module AzureRM using the next script
Install-Module -Name AzureRM -Repository PSGallery -Force
Click here for more details.
Encrypt virtual machine disk from the Azure Portal
Create AAD Enterprise Application
From the Azure Portal, Azure Active Directory – App registrations – New application registration.
Next, on the Create blade, type Name of the application, select Application type, set any Sign-on URL (it’s typical, it won’t be used) and click Create.
AAD Application is deployed and the next step is to create a Key. From Settings – Keys blade.
Type a DESCRIPTION, set the EXPIRES field value and click Save.
Important Notice: Copy the value because this value will not be available after the blade closes.
Create Key Vault
After the AAD Application is deployed, the next big thing is to create the Azure key vault.
First, search for {key vault} service and afterwards click the button Create key vault.
Type key vault Name, select Subscription, create Resource Group, and select a Location a Pricing tier (Standard for this scenario).
Create Key Vault Key
Next, create the Key Vault Key from the main Key vault blade, select Settings – Keys – +Generate/Import, type the Name and click Create.
Create New principal in Access Policies blade.
This is an important step because we add permission to the key vault for the newly registered diskencryption application. Firstly, expand key permissions and select Wrap Key value, next expand Secret permissions and select Set value. Since we chose the necessary permissions we need to add the AAD application to the key vault Access policies.
Key Vault Advanced Access Policies
From the main Key Vault blade select Access policies, click to {show advanced access policies} link – check the option [Enable access to Azure Disk Encryption for volume encryption] and click Save.
Powershell Commands For Encryption
Right now the AzureRMVMDiskEncryption extension is not available from the Azure Portal so it is necessary to execute the following powershell script.
Important Notice: Prior to execution of any script, be sure that the disks are backed up!!!
The first stage was about AAD App registration, Azure Key Vault creation, and configuration. Now, we are ready to move forward to the next steps which are the Powershell command for disk encryption with BitLocker.
Before executing the Powershell script must be sure that know all the necessary variables which are :
$ResourceGroupName = 'Resource Group Name' $vmName = 'Virtual Machine Name' $AADApplicationID = 'Application ID' $AADApplicationSecret = 'Application Secret' $KeyVaultName = 'Key Vault Name' $keyVaultKeyName = 'Key Vault Key Name' $KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName $DiskEncryptionKeyVaultURI = $KeyVault.VaultUri $DiskKeyVaultResourceId = $KeyVault.ResourceId $DiskkeyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $KeyVaultKeyName).Key.kid; Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $vmName ` -AadClientID $AADApplicationID ` -AadClientSecret $AADApplicationSecret ` -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultURI ` -DiskEncryptionKeyVaultId $DiskKeyVaultResourceId ` -KeyEncryptionKeyUrl $DiskkeyEncryptionKeyUrl ` -KeyEncryptionKeyVaultId $DiskKeyVaultResourceId ` -VolumeType All
Encrypt virtual machine disk using Powershell Script
Also, there are many powershell scripts for Azure Disk Encryption, one of these scripts can be downloaded from github. The prerequisites for this script are:
- Powershell Version 6.2.0 or higher
- Azure.RM module
- Parameters to execute the script
#Name of the resource group to which the KeyVault belongs to. $resourceGroupName #Name of the KeyVault in which encryption keys are to be placed. $keyVaultName #Location of the KeyVault $location #Name of the AAD application that will be used to write secrets to KeyVault. $aadAppName #To encrypt one VM uncomment the line 214 and type the VM name #$vmName = "Your VM Name";
The script creates automatically all the resources and encrypts the drive/s of the VM.
See Also :
Azure Disk Encryption for Windows and Linux IaaS VMs
Few words about Azure Key Vault