Enabling disk encryption on Virtual Machines in Azure

Played around with Azure Security Center the today and worked on fixing the security recommendations of the following message "Disk encryption should be applied on virtual machines". During the process I stumbled upon some issues that needed to be in place for the PowerShell script to work properly. Thought I should make a post about it.

Creating the virtual machine

To enable disk encryption we use Azure Disk Encryption (ADE), Azure Key Vault, the Azure Portal and PowerShell.
The first thing we need to do is to have a virtual machine we can test upon. For this we need to create a new Resource Group where we can deploy all necessary resources for the VM. For this I use PowerShell and the cmdlets in the script further down.

The first step in the script, I created the necessary variables needed for the deployment, then added them as parameters in the New-AzResourceGroup and New-AzVm cmdlet. By separating the variables from the cmdlets I find it more reusable by just changing the variable values and then execute the cmdlet in different steps.

When running the script below I started with step 1 to load the variables into memory, then executed cmdlet in step 2 for creating the Resource Group, then executed step 3 to deploy the virtual machine and step 4 creating username and password to log into the VM.

In the next step I go through the process on how to enable Disk Encryption for the on the VM, now that the VM is up and running.

# Step 1 - Creating variables
$ResourceGroupName = "Demo-DiskEncyption-Rg"
$VMName = "DemoVM"
$Location = "westeurope"
$VirtualNetworkName = "DemoVnet"
$SubnetName = "DemoSubnet"
$SecurityGroupName = "DemoNetworkSecurityGroup"
$PublicIpAddressName = "DemoPublicIpAddress"

# Step 2 - Creating an Azure Resource Group
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Verbose

# Step 3 - Creating an Azure VM
New-AzVm `
    -ResourceGroupName $ResourceGroupName `
    -Name $VMName `
    -Location $Location `
    -VirtualNetworkName $VirtualNetworkName `
    -SubnetName $SubnetName `
    -SecurityGroupName $SecurityGroupName `
    -PublicIpAddressName $PublicIpAddressName `
    -Verbose

# Step 4 - When the New-AzVm is executed you will be prompted for usernameand password to create a login user for the VM.
# Set username, e.g. adminuser
# Set password, e.g. "Something Secure"

Enabling Disk Encryption

In this step a go through the process of how to enable the disk encryption and the resources needed. This involve creating Azure Key Vault for storing the Disk Encryption Key, some modifications in Key Vault Access Policy and Identity permissions on the VM.

Creating Key Vault

First off, we to need create an Azure Key Vault for the encryption keys. We dp this by executing the script below by specifying the name of the Resource Group, name of the Key Vault and the location to store it. Then this will be created within the same Resource Group as the virtual machine.

$ResourceGroupName = "Demo-DiskEncyption-Rg"
$KeyVaultName = "DemoKeyVault"
$Location = "westeurope"
New-AzKeyVault -VaultName $KeyVaultName `
    -ResourceGroupName $ResourceGroupName `
    -Location $Location

Setting Access Policies and setting Virtual Machine Identity permissions

When the Key Vault is created we need to enable some policies and permission to be able to enable Azure Disk Encryption with PowerShell.

The first setting we need to configure is the Access Policies in the Key Vault blade, this can be done by going to Key Vault in the Azure Portal > Then selecting the Key Vault, in this case DemoDiskEncryKVault > Then go to Access Policies > Click show advanced access policies > Then check Enable access to Azure Disk Encryption for volume encryption > Then click Save.

Enabling access to Azure Disk Encryption for volume encryption

The second setting is giving access to Azure resources so it can authenticate to cloud services, e.g. Azure Key Vault, without storing credentials in code. These permissions can be changed via Azure role-based-access-control (RBAC). This allows us to enable disk encryption and store keys in the Key Vault.

Enabling Identity permissions to Azure resources

Enabling Azure Disk Encryption with PowerShell

When we have added the necessary policy and permission settings we can enable the encryption with the following script.

# Variables
$ResourceGroupName = "Demo-DiskEncyption-Rg"
$VMName = "DemoVM"
$Location = "westeurope"
$KeyVaultName = "DemoDiskEncrKVault"

# Retrive information from Azure Key Vault
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName `
                               -ResourceGroupName $ResourceGroupName

# Get Disk Encryption Key from Key Vault
$DiskEncryptionKeyVaultUrl = $KeyVaultName.VaultUri
$KeyVaultResourceId = $KeyVaultName.ResourceId
$VolumeType = "All"

# Enabling Disk Encryption to the specified VM
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName `
    -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -VolumeType $VolumeType

When the script is complete, when you look in the Azure Portal there should be a small changes under the Disk resource blade connected to the VM. In the Portal you will see the Description field changes from Not Enabled to Enabled after a refresh, like the image below.

Disk Encryption enabled

Well that’s about it. Hope you enjoyed!