Enabling Azure Disk Encryption for Windows IaaS VMs using PowerShell


In this post I will enable disk encryption for an existing Windows IaaS VM using PowerShell. This is a step-by-step example intended to give you a high-level overview. For detailed information on Azure Disk Encryption, including prerequisites, supportability and the different options for enabling encryption, please refer to the links below:

https://blogs.msdn.microsoft.com/azuresecurity/2016/01/22/azure-disk-encryption-white-paper-updated/

https://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/

https://azure.microsoft.com/en-us/documentation/videos/azure-key-vault-with-amit-bapat/

https://channel9.msdn.com/events/Microsoft-Azure/AzureCon-2015/ACON214

 

Enabling Disk Encryption for Windows IaaS VMs using PowerShell

Connect to your Subscription

PS C:\WINDOWS\system32> Login-AzureRmAccount

Create a New Resource Group or use an existing

PS C:\WINDOWS\system32> New-AzureRmResourceGroup -Name "skpkeyvaultgroup" -Location "East US"

ResourceGroupName : skpkeyvaultgroup
Location          : eastus
ProvisioningState : Succeeded
Tags              :
ResourceId        : /subscriptions/3a0d1a4f-1d45-4dbc-bb68-xxxxxxxxxxxxx/resourceGroups/skpkeyvaultgroup

Create a New Key Vault

PS C:\WINDOWS\system32> New-AzureRmKeyVault -VaultName "skpkeyvault" -ResourceGroupName "skpkeyvaultgroup" -Location "East US"

Vault Name                       : skpkeyvault
Resource Group Name              : skpkeyvaultgroup
Location                         : East US
Resource ID                      : /subscriptions/3a0d1a4f-1d45-4dbc-bb68-891422694ec1/resourceGroups/skpkeyvaultgroup/providers/Microsoft.KeyVault/vaults/skpkeyvault
Vault URI                        : https://skpkeyvault.vault.azure.net
Tenant ID                        : 9aaa5c65-a5d0-415f-9964-ac32ea83c1b1
SKU                              : Standard
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Access Policies                  :
Tenant ID                :    9aaa5c65-a5d0-415f-9964-xxxxxxxxxxx
Object ID                :    e0a21a69-899e-4f98-bc0d-xxxxxxxxxx
Application ID           :
Display Name             :    satish pandita (#EXT#@youemailaddresshotmail.onmicrosoft.com)
Permissions to Keys      :    get, create, delete, list, update, import, backup, restore
Permissions to Secrets   :    all

Provision a Key Encryption Key (KEK) in the Key Vault. The KEK is used to wrap the BitLocker encryption key (BEK) before the BEK is stored in the vault as a secret. It is optional, and the enable step further below only uses it if its URL is passed explicitly.

PS C:\WINDOWS\system32> $key = Add-AzureKeyVaultKey -VaultName 'skpKeyVault' -Name 'skpFirstKey' -Destination 'Software'
PS C:\WINDOWS\system32> Get-AzureKeyVaultKey -VaultName "skpkeyvault"

Vault Name : skpkeyvault
Name       : skpFirstKey
Version    :
Id         : https://skpkeyvault.vault.azure.net:443/keys/skpFirstKey
Enabled    : True
Expires    :
Not Before :
Created    : 5/14/2016 3:04:29 AM
Updated    : 5/14/2016 3:04:29 AM

To see the versioned key URI (the value to pass as the KEK URL when enabling encryption)

PS C:\WINDOWS\system32> $key.key.kid

https://skpkeyvault.vault.azure.net/keys/skpFirstKey/1fc92a75728c4d389997f

Next, register and authorize an application with Azure Active Directory. The BitLocker extension authenticates to Key Vault as this application, so it needs a client ID and a client secret.

 

Go to the Active Directory tab and add an application (see the screen captures below; the original post's screenshots are not reproduced here).

[Screenshot: Azure Active Directory, Applications tab]

Next click on "Add an Application".

[Screenshot: Add Application wizard]

Next generate a new key, click the save button, and copy the Client ID and the generated secret key; both are required for enabling encryption. The secret value is displayed only after saving and cannot be retrieved later, so record it somewhere safe.
Set a Key Vault access policy that grants the AAD application the rights it needs on keys and secrets in the vault, then enable disk encryption

(in this example the VM "skpvm1" is in "skpvmresourcegroup" and the key vault is in "skpkeyvaultgroup")

$rgName = 'skpkeyvaultgroup'        # resource group of the key vault
$vmRgName = 'skpvmresourcegroup'    # resource group of the VM
$vmName = 'skpvm1'
$aadClientID = "74ece368-e67c-4aad-8b35-38xxxxxxxxx"
$aadClientSecret = "r1u53gTueP+5On9hRhcHOfMhBNkYH8riecKxxxxxxxx"   # paste the value exactly as generated, with no leading space
$KeyVaultName = 'skpKeyVault'
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgName
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
# 'all' works but is broader than necessary: the extension only needs wrapKey on keys and set on secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all -ResourceGroupName $rgName
# Allows the Azure platform to retrieve the BitLocker key from this vault when the VM boots
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $rgName -EnabledForDiskEncryption
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $vmRgName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId

Enabling encryption reboots the VM and can take 10-15 minutes to finish. Note that the command above does not reference the key encryption key created earlier, so the BitLocker key is stored in the vault as a bare secret (keyEncryptionKey shows as null in the status output below). To wrap it with the KEK, also pass -KeyEncryptionKeyUrl $key.key.kid and -KeyEncryptionKeyVaultId $KeyVaultResourceId.

Verify the Encryption status

 

PS C:\WINDOWS\system32> Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName skpvmresourcegroup -VMName skpvm1

OsVolumeEncrypted          : True
OsVolumeEncryptionSettings : {
  "diskEncryptionKey": {
    "secretUrl": "https://skpkeyvault.vault.azure.net/secrets/1528B96D-AA71-4313-AB26-xxxxxxxxxxxD4/77b94cbbb0ed4d73b9109ef0bxxxxx6",
    "sourceVault": {
      "id": "/subscriptions/3a0d1a4f-1d45-4dbc-bb68-8914xxxxx/resourceGroups/skpkeyvaultgroup/providers/Microsoft.KeyVault/vaults/skpkeyvault"
    }
  },
  "keyEncryptionKey": null,
  "enabled": true
}
DataVolumesEncrypted       : True

To disable volume encryption (this decrypts the volumes in place, so do it deliberately and only on VMs that no longer need encryption)

PS C:\WINDOWS\system32> Disable-AzureRmVMDiskEncryption -ResourceGroupName skpvmresourcegroup -VMName skpvm1 -VolumeType All
PS C:\WINDOWS\system32> Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName skpvmresourcegroup -VMName skpvm1

OsVolumeEncrypted          : False
OsVolumeEncryptionSettings : {
  "diskEncryptionKey": null,
  "keyEncryptionKey": null,
  "enabled": false
}
DataVolumesEncrypted       : False

A few things to note:

  1. If the OS volume is not encrypted, the data volumes cannot be encrypted.
  2. If you add another data volume later, you can encrypt it explicitly by running Set-AzureRmVMDiskEncryptionExtension with -VolumeType Data (or the equivalent ARM template). Alternatively, if the VM was previously configured to encrypt data volumes or all volumes, the BitLocker extension will encrypt any unencrypted data volumes on the next reboot.
  3. On BitLocker-enabled VMs you will notice an additional volume, the "BEK Volume". It is a local volume in which the BitLocker key [secret] is stored so that the encrypted OS volume can boot on start/reboot. This volume is local to the VM and is not persisted in storage.
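The enable step above (access policy plus Set-AzureRmVMDiskEncryptionExtension) and note 2 (re-running for a data volume added later), combined into one added example. This is not code from the original post: it wires in the key encryption key that the post creates but never uses, narrows the application's vault rights to what the extension needs, and verifies the result. Resource group, vault, VM, key and client ID values are placeholders; the AzureRM cmdlets are the same ones used throughout the post, and you must run Login-AzureRmAccount first.

```powershell
# Added example (not the original post's code). Placeholders: resource groups,
# vault, VM, key name and AAD client ID must be replaced with your own values.

function Enable-AdeWithKek {
    param(
        [Parameter(Mandatory)] [string] $VmResourceGroup,
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [string] $KeyVaultResourceGroup,
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [string] $KekName,
        [Parameter(Mandatory)] [string] $AadClientId,
        [Parameter(Mandatory)] [string] $AadClientSecret,
        # 'All' for the first run; 'Data' to pick up a data disk added later (note 2).
        [ValidateSet('All', 'OS', 'Data')] [string] $VolumeType = 'All'
    )

    $vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroup
    if (-not $vault) { throw "Key vault '$KeyVaultName' not found in '$KeyVaultResourceGroup'" }

    # Least privilege: the extension wraps the BitLocker key with the KEK (wrapKey)
    # and writes the wrapped secret to the vault (set). 'all' grants far more than that.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroup `
        -ServicePrincipalName $AadClientId -PermissionsToKeys wrapKey -PermissionsToSecrets set

    # The Azure platform must be allowed to read the BEK from this vault when the VM boots.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroup `
        -EnabledForDiskEncryption

    # Fail closed if the flag did not take effect.
    $vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroup
    if (-not $vault.EnabledForDiskEncryption) { throw "Vault '$KeyVaultName' is not enabled for disk encryption" }

    # The KEK is only used when its versioned URL is passed explicitly; without the
    # two KeyEncryptionKey* parameters the BEK is stored unwrapped (keyEncryptionKey: null).
    $kek = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KekName
    if (-not $kek) { throw "Key '$KekName' not found in vault '$KeyVaultName'" }

    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $VmResourceGroup -VMName $VmName `
        -AadClientID $AadClientId -AadClientSecret $AadClientSecret `
        -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
        -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
        -VolumeType $VolumeType -Force
}

# Older AzureRM builds report True/False (as in this post), newer ones report the
# strings 'Encrypted' / 'NotEncrypted'; accept either form.
function Test-VolumeEncrypted([object] $Value) {
    return ($Value -eq $true) -or ("$Value" -eq 'Encrypted')
}

function Test-VmEncryption {
    param([string] $VmResourceGroup, [string] $VmName)

    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $VmResourceGroup -VMName $VmName
    $osOk   = Test-VolumeEncrypted $status.OsVolumeEncrypted
    $dataOk = Test-VolumeEncrypted $status.DataVolumesEncrypted
    # Assumption: OsVolumeEncryptionSettings exposes KeyEncryptionKey as a property
    # (it is printed as "keyEncryptionKey" in the status output shown in the post).
    $kekOk  = $null -ne $status.OsVolumeEncryptionSettings.KeyEncryptionKey

    if (-not $osOk)   { Write-Warning "OS volume is not encrypted" }
    if (-not $dataOk) { Write-Warning "One or more data volumes are not encrypted; re-run with -VolumeType Data" }
    if (-not $kekOk)  { Write-Warning "keyEncryptionKey is null: the BEK is stored unwrapped" }
    return ($osOk -and $dataOk -and $kekOk)
}

# Usage: prompt for the secret rather than leaving it in the script or shell history.
$secret = Read-Host -Prompt 'AAD application client secret'
Enable-AdeWithKek -VmResourceGroup 'skpvmresourcegroup' -VmName 'skpvm1' `
    -KeyVaultResourceGroup 'skpkeyvaultgroup' -KeyVaultName 'skpKeyVault' -KekName 'skpFirstKey' `
    -AadClientId '<aad-application-client-id>' -AadClientSecret $secret
# Enabling reboots the VM; allow 10-15 minutes before checking.
Test-VmEncryption -VmResourceGroup 'skpvmresourcegroup' -VmName 'skpvm1'
```

For a data disk attached after the initial run, call Enable-AdeWithKek again with -VolumeType Data and the same vault and application values; Test-VmEncryption returns $false and warns until both the OS and data volumes report as encrypted and the BEK is wrapped with the KEK.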

Special thanks to Anand Kumar-Microsoft Azure PFE for reviewing and assisting with this post. https://social.msdn.microsoft.com/Profile/ranand12

DISCLAIMER: This posting is provided “AS IS” with no warranties and confers no rights


Comments (4)

  1. Red Esparagoza says:

    I noticed that after enabling disk encryption, BEK volume took the drive letter of one of my data disks which is breaking my application. How can I safely change the drive letter of the BEK volume without risking my VM unable to boot because it cannot find the keys locally?

    1. I presume you added the data volume later.
      Can you test the following:
      disable the volume encryption
      change the drive letter for the data volume that you want to have
      encrypt the volume again

  2. Vic says:

    Can this be applied to Linux VMs? Or is there a doc for encrypting disks of a Linux VM?

    1. Here is the doc/link on Windows disk Encryption for Linux/Windows
      https://gallery.technet.microsoft.com/Azure-Disk-Encryption-for-a0018eb0
      you can also post your questions on Azure Disk Encryption MSDN Forums
      https://social.msdn.microsoft.com/Forums/en-US/home?forum=AzureDiskEncryption
