Played around with Azure Security Center the today and worked on fixing the security recommendations of the following message
"Disk encryption should be applied on virtual machines". During the process I stumbled upon some issues that needed to be in place for the PowerShell script to work properly. Thought I should make a post about it.
Creating the virtual machine
To enable disk encryption we use Azure Disk Encryption (ADE), Azure Key Vault, the Azure Portal and PowerShell.
The first thing we need to do is to have a virtual machine we can test upon. For this we need to create a new
where we can deploy all necessary resources for the VM. For this I use PowerShell and the cmdlets in the script further down.
The first step in the script, I created the necessary variables needed for the deployment, then added them as parameters in the
cmdlet. By separating the variables from the cmdlets I find it more reusable by just changing the variable values and then execute the cmdlet in different steps.
When running the script below I started with step 1 to load the variables into memory, then executed cmdlet in step 2 for creating the
, then executed step 3 to deploy the virtual machine and step 4 creating username and password to log into the VM.
In the next step I go through the process on how to enable Disk Encryption for the on the VM, now that the VM is up and running.
# Step 1 - Creating variables $ResourceGroupName = "Demo-DiskEncyption-Rg" $VMName = "DemoVM" $Location = "westeurope" $VirtualNetworkName = "DemoVnet" $SubnetName = "DemoSubnet" $SecurityGroupName = "DemoNetworkSecurityGroup" $PublicIpAddressName = "DemoPublicIpAddress" # Step 2 - Creating an Azure Resource Group New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Verbose # Step 3 - Creating an Azure VM New-AzVm ` -ResourceGroupName $ResourceGroupName ` -Name $VMName ` -Location $Location ` -VirtualNetworkName $VirtualNetworkName ` -SubnetName $SubnetName ` -SecurityGroupName $SecurityGroupName ` -PublicIpAddressName $PublicIpAddressName ` -Verbose # Step 4 - When the New-AzVm is executed you will be prompted for usernameand password to create a login user for the VM. # Set username, e.g. adminuser # Set password, e.g. "Something Secure"
Enabling Disk Encryption
In this step a go through the process of how to enable the disk encryption and the resources needed. This involve creating Azure Key Vault for storing the Disk Encryption Key, some modifications in Key Vault Access Policy and Identity permissions on the VM.
Creating Key Vault
First off, we to need create an Azure Key Vault for the encryption keys. We dp this by executing the script below by specifying the name of the Resource Group, name of the Key Vault and the location to store it. Then this will be created within the same Resource Group as the virtual machine.
$ResourceGroupName = "Demo-DiskEncyption-Rg" $KeyVaultName = "DemoKeyVault" $Location = "westeurope" New-AzKeyVault -VaultName $KeyVaultName ` -ResourceGroupName $ResourceGroupName ` -Location $Location
Setting Access Policies and setting Virtual Machine Identity permissions
When the Key Vault is created we need to enable some policies and permission to be able to enable Azure Disk Encryption with PowerShell.
The first setting we need to configure is the Access Policies in the Key Vault blade, this can be done by going to Key Vault in the Azure Portal > Then selecting the Key Vault, in this case DemoDiskEncryKVault > Then go to Access Policies > Click show advanced access policies > Then check Enable access to Azure Disk Encryption for volume encryption > Then click Save.
The second setting is giving access to Azure resources so it can authenticate to cloud services, e.g. Azure Key Vault, without storing credentials in code. These permissions can be changed via Azure role-based-access-control (RBAC). This allows us to enable disk encryption and store keys in the Key Vault.
Enabling Azure Disk Encryption with PowerShell
When we have added the necessary policy and permission settings we can enable the encryption with the following script.
# Variables $ResourceGroupName = "Demo-DiskEncyption-Rg" $VMName = "DemoVM" $Location = "westeurope" $KeyVaultName = "DemoDiskEncrKVault" # Retrive information from Azure Key Vault $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName ` -ResourceGroupName $ResourceGroupName # Get Disk Encryption Key from Key Vault $DiskEncryptionKeyVaultUrl = $KeyVaultName.VaultUri $KeyVaultResourceId = $KeyVaultName.ResourceId $VolumeType = "All" # Enabling Disk Encryption to the specified VM Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName ` -VMName $VMName ` -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl ` -DiskEncryptionKeyVaultId $KeyVaultResourceId ` -VolumeType $VolumeType
When the script is complete, when you look in the Azure Portal there should be a small changes under the Disk resource blade connected to the VM. In the Portal you will see the
field changes from
after a refresh, like the image below.
Well that’s about it. Hope you enjoyed!