Share via

Announcing Azure Disk Encryption Preview for Virtual Machine Scale Sets

  • 09/28/2017

Today, we are excited to announce the public preview of Azure Disk Encryption (ADE) for Virtual Machine Scale Sets (VMSS). With this announcement, Azure disk encryption can be enabled for Windows and Linux VM Scale Sets in Azure public regions to enable customers to help protect and safeguard the Scale Sets data at rest using industry standard encryption technology.

The solution is deployed in all Azure public regions. Additional details on supported and unsupported scenarios, interfaces and how you can use the disk encryption technology preview to encrypt your VM Scale Sets and validate your scenario is documented below.

  1. Pre-Requisites:
    1. Self-Registration - VMSS disk encryption preview requires self-registration in order to use
    2. You can self register your subscription by running the following steps:
      1. Register-AzureRmProviderFeature -ProviderNamespace Microsoft.Compute -FeatureName "UnifiedDiskEncryption"
      2. Wait around 10 minutes until the state as 'Registered'. You can check the state by running the following command:
        1. Get-AzureRmProviderFeature -ProviderNamespace "Microsoft.Compute" -FeatureName "UnifiedDiskEncryption"
      3. Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Compute
    3. Azure Key Vault - Create a KeyVault in the same subscription and region as the VMSS and set the access policy   'EnabledForDiskEncryption' on the KeyVault using its PS cmdlet. You can also set the policy using the KeyVault UI in the Azure portal:
      1. Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -EnabledForDiskEncryption
  2. Supported scenarios:
    1. VMSS encryption is supported only for scale sets created with managed disks, and not supported for native (or unmanaged) disk scale sets
    2. VMSS encryption is supported for OS and Data volumes for Windows VMSS. Disable encryption is supported for OS and Data volumes for Windows VMSS
    3. VMSS encryption is supported for Data volume for Linux VMSS. OS disk encryption is NOT supported in the current preview for Linux
    4. VMSS VM reimage and upgrade operations are not supported in current preview
      1. The VMSS ADE preview is recommended only as try out in test environment. Do not try out preview or use in production environments where you might need to upgrade your OS image in an encrypted scale set
  3. Supported Interfaces:
    1. Using ARM templates:
      1. Enable ADE on Windows VMSS
        1. Create a Windows VM ScaleSet and enable encryption: 201-encrypt-running-vmss-windows
        2. Enable encryption on a running windows VM ScaleSet: 201-encrypt-vmss-windows-jumpbox
        3. Disable encryption on a running windows VM ScaleSet: 201-decrypt-vmss-windows
      2. Enable ADE on Linux VMSS
        1. Create a Linux VM ScaleSet and enable encryption: 201-encrypt-running-vmss-linux
        2. Enable encryption on a running Linux VM ScaleSet: 201-encrypt-vmss-linux-jumpbox
        3. Disable encryption on a running Linux VM ScaleSet: 201-decrypt-vmss-linux
    2. Using Azure PowerShell cmdlets: Install the latest version of Azure SDK from Azure PowerShell release. The following are the VMSS ADE cmdlets to enable (Set) encryption, retrieve (Get) encryption status and remove (disable) encryption on VMSS instance.
      CommandType Name Cmdlet Version Source
      Alias Get-AzureRmVmssDiskEncryptionStatus 3.4.0 or above AzureRM.Compute
      Alias Get-AzureRmVmssVMDiskEncryptionStatus 3.4.0 or above AzureRM.Compute
      Cmdlet Disable-AzureRmVmssDiskEncryption 3.4.0 or above AzureRM.Compute
      Cmdlet Get-AzureRmVmssDiskEncryption 3.4.0 or above AzureRM.Compute
      Cmdlet Get-AzureRmVmssVMDiskEncryption 3.4.0 or above AzureRM.Compute
      Cmdlet Set-AzureRmVmssDiskEncryptionExtension 3.4.0 or above AzureRM.Compute
    3. Using CLI command: Install latest Azure CLI 2.0 which has the new encryption commands. The CLI commands example are included below:
      1. Create VMSS
        az vmss create -g <resourceGroupName> -n <VMSS name> --instance-count 1 --image Win2016Datacenter --admin-username <username> --admin-password <password>
      2. Enable encryption on VMSS instance
        az vmss encryption enable -g <resourceGroupName> -n <VMSS name> --disk-encryption-keyvault <KeyVaultResourceId>
      3. Update VMSS instances
        az vmss update-instances -g <resourceGroupName> -n <VMSS name> --instance-ids
      4. Show encryption status
        az vmss encryption show -g <resourceGroupName> -n <VMSS name>
      5. Disable encryption (For Windows VMSS only)
        az vmss encryption disable -g <resourceGroupName> -n <VMSS name>
    4. End to end batch file example for Linux scale set data disk encryption - This will creates resource group, VMSS, mounts a 5GB data disk, encrypts the Linux VM scale sets
  4. For additional details on Azure Disk Encryption service, refer to ADE documentation here