Table of Contents
- 1 Azure security checks and recommendations
- 2 Disk Encryption
  - 2.1 Require Managed Disk for Disk Encryption
  - 2.2 Process to convert unmanaged to Managed Disk
  - 2.3 Disk Encryption
  - 2.4 Key Vault Creation Process
  - 2.5 Verification of Disk Encryption
- End of Document
Azure VM Disk Encryption

1 Azure security checks and recommendations
Log in to the portal at https://portal.azure.com => Virtual Machines => click on the VM => Security => check Recommendations.
One of the security recommendations, how to encrypt the disk, is explained in section 2.
2.1 Require Managed Disk for Disk Encryption
- Only managed disks support Storage Service Encryption (SSE). SSE is enabled by default for all managed disks.
- The current VM disk is not a managed disk.
- Migration to a managed disk is not reversible.
- The conversion requires a restart of the VM.
2.2 Process to convert unmanaged to Managed Disk
You can convert unmanaged disks to managed disks using the Azure portal.
1. Sign in to the Azure portal.
2. Select the VM from the list of VMs in the portal.
3. In the blade for the VM, select Disks from the menu.
4. At the top of the Disks blade, select Migrate to managed disks.
5. If your VM is in an availability set, there will be a warning on the Migrate to managed disks blade that you need to convert the availability set first. The warning should have a link you can click to convert the availability set. Once the availability set is converted, or if your VM is not in an availability set, click Migrate to start the process of migrating your disks to managed disks.
   This VM is not in any availability set, hence step 5 is not applicable.
6. The VM will be stopped and restarted after the migration is complete.
2.3 Disk Encryption
- Azure Disk Encryption is only supported on specific Azure Gallery based server images.
- Disk encryption is supported only on the Linux VMs listed below.
- Supported Linux VMs: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-faq#what-linux-distributions-does-azure-disk-encryption-support
- If the provisioned VM is in the above list, create a Key Vault.
- Azure Disk Encryption needs the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.
- Execute the commands in section 2.4 in the Azure portal PowerShell (Cloud Shell).
2.4 Key Vault Creation Process
# Create an Azure AD application and service principal
# (the client secret below is the page's example value; use a strong, generated secret in practice)
$aadClientSecret = ConvertTo-SecureString "Test@123456" -AsPlainText -Force
$azureAdApplication = New-AzureRmADApplication -DisplayName "Keyvault Encryption App" -HomePage "https://nirajencryptionapp" -IdentifierUris "https://nirajencryptionapp" -Password $aadClientSecret
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

# Create a Key Vault in the same region (EastUS) as the VM to be encrypted
$keyVaultName = "nirajKeyVault"
$keyVault = New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName "RG02" -Location "EastUS"

# Get the registration status of the Key Vault resource provider, then register it if needed
Get-AzureRmResourceProvider -ListAvailable | Where-Object ProviderNameSpace -Match "keyvault"
Get-AzureRmResourceProvider -ListAvailable | Where-Object ProviderNameSpace -Match "keyvault" | Register-AzureRmResourceProvider

# Add access for the Azure AD application on the Key Vault (only the permissions disk encryption needs)
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $servicePrincipal.ApplicationId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName "RG02"

# Allow the Azure platform to read the encryption secrets from the Key Vault
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -EnabledForDiskEncryption

# Enable encryption of all volumes on the VM (Azure CLI)
az vm encryption enable --resource-group "RG02" --name "NIRAJ-MIMSRV01" --disk-encryption-keyvault "nirajKeyVault" --volume-type All
2.5 Verification of Disk Encryption
Once the disk is encrypted, the encryption status is displayed in the portal.
Alternatively, you can check it via PowerShell.
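The following script is an added example, not part of the original document: it checks the prerequisites from sections 2.1 to 2.4 and reports the per-volume encryption status from section 2.5, using the resource group, VM and Key Vault names used on this page. It assumes the AzureRM module in the Azure portal PowerShell session and an already signed-in account.

```powershell
# Added example (not from the original document). Assumes an AzureRM session that is already signed in.
$resourceGroup = "RG02"
$vmName        = "NIRAJ-MIMSRV01"
$keyVaultName  = "nirajKeyVault"

$vm    = Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName
$vault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroup

# 2.1: Azure Disk Encryption needs a managed OS disk; ManagedDisk is $null for an unmanaged (blob) disk.
if ($null -eq $vm.StorageProfile.OsDisk.ManagedDisk) {
    Write-Warning "OS disk of $vmName is unmanaged: migrate it (section 2.2) before encrypting."
}

# 2.3: the Key Vault and the VM must be co-located in the same region.
if ($vault.Location -ne $vm.Location) {
    Write-Warning "Key Vault '$keyVaultName' is in $($vault.Location) but VM '$vmName' is in $($vm.Location)."
}

# 2.4: the Azure platform must be allowed to read the encryption secrets from the vault.
if (-not $vault.EnabledForDiskEncryption) {
    Write-Warning "Key Vault '$keyVaultName' is not enabled for disk encryption (Set-AzureRmKeyVaultAccessPolicy -EnabledForDiskEncryption)."
}

# 2.5: report the encryption state of the OS and data volumes (Encrypted / NotEncrypted / Unknown).
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroup -VMName $vmName
[pscustomobject]@{
    VM                   = $vmName
    OsVolumeEncrypted    = $status.OsVolumeEncrypted
    DataVolumesEncrypted = $status.DataVolumesEncrypted
    ProgressMessage      = $status.ProgressMessage
} | Format-List
```

Run it before enabling encryption to catch the managed-disk, region and vault-policy prerequisites, and again afterwards to confirm both volumes report Encrypted.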
Note: If the Linux VM is not in the supported list, you will get the following error.
az vm encryption enable --resource-group "DefaultResourceGroup-EUS" --name "NIRAJ-LINUX02" --disk-encryption-keyvault "Niraj-Linux-KeyVault" --volume-type All
VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: "OS volume encryption is not supported on Ubuntu 18.04".