Azure VM Disk Encryption

Table of Contents

  1. Azure security checks and recommendations
  2. Disk Encryption:
    2.1 Require Managed disk for Disk Encryption
    2.2 Process to convert unmanaged to Managed Disk
    2.3 Disk Encryption
    2.4 Key Vault Creation Process
    2.5 Verification of Disk Encryption
  3. End of Document

1. Azure security checks and recommendations

Log in to the portal at https://portal.azure.com => Virtual Machines => click on the VM => Security => check Recommendations.

One of the security recommendations, "how to encrypt the disk", is explained in section 2.

2. Disk Encryption:

2.1 Require Managed disk for Disk Encryption

  • Only managed disks support Storage Service Encryption (SSE); SSE is enabled by default for all managed disks.
  • The current VM disk is not a managed disk.
  • Migration to managed disks is not reversible.
  • The conversion requires a restart of the VM.

2.2 Process to convert unmanaged to Managed Disk

You can convert unmanaged disks to managed disks using the Azure portal.

  1. Sign in to the Azure portal.
  2. Select the VM from the list of VMs in the portal.
  3. In the blade for the VM, select Disks from the menu.
  4. At the top of the Disks blade, select Migrate to managed disks.
  5. If your VM is in an availability set, there will be a warning on the Migrate to managed disks blade that you need to convert the availability set first. The warning should have a link you can click to convert the availability set. Once the availability set is converted, or if your VM is not in an availability set, click Migrate to start the process of migrating your disks to managed disks.

This VM is not in any Availability Set, hence step 5 is not applicable.

  6. The VM will be stopped and restarted after migration is complete.
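The same migration can be scripted with the AzureRM PowerShell module, which is useful when several VMs need converting or when the change must be reviewed before it runs. The script below is an added example and is not part of the original article; the resource group "RG02" and VM name "NIRAJ-MIMSRV01" are taken from section 2.4, the availability-set handling of step 5 is included even though the article's VM has none, and the cmdlets (Get-AzureRmVM, Update-AzureRmAvailabilitySet, ConvertTo-AzureRmVMManagedDisk) are from the AzureRM.Compute module.

```powershell
# Added example (not from the original article): scripted equivalent of the
# portal steps in section 2.2, using the AzureRM module.
$resourceGroup = "RG02"            # value from the article
$vmName        = "NIRAJ-MIMSRV01"  # value from the article

$vm = Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName

# The migration is one-way, so first confirm the VM is really still on unmanaged VHDs.
if ($vm.StorageProfile.OsDisk.ManagedDisk) {
    Write-Output "$vmName already uses managed disks; nothing to do."
    return
}

# Step 5: an availability set must be converted to the 'Aligned' (managed) SKU first.
if ($vm.AvailabilitySetReference) {
    $avSetName = ($vm.AvailabilitySetReference.Id -split '/')[-1]
    $avSet = Get-AzureRmAvailabilitySet -ResourceGroupName $resourceGroup -Name $avSetName
    if ($avSet.Sku -ne 'Aligned') {
        Update-AzureRmAvailabilitySet -AvailabilitySet $avSet -Sku Aligned
    }
}

# Step 6: the VM has to be deallocated for the conversion and is started again afterwards
# (this is the restart the article warns about in section 2.1).
Stop-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName -Force
ConvertTo-AzureRmVMManagedDisk -ResourceGroupName $resourceGroup -VMName $vmName
Start-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName

# Confirm the result: the OS disk now carries a managed-disk resource ID instead of a VHD URI.
(Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName).StorageProfile.OsDisk.ManagedDisk.Id
```

Run it from a session already signed in with Connect-AzureRmAccount. Because the conversion cannot be undone, the early exit on an already-managed VM and the explicit Stop/Start are deliberate: the script never touches a VM that does not need the change, and the downtime is visible in the script rather than hidden in a portal click.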

2.3 Disk Encryption

2.4 Key Vault Creation Process

# Create an Azure AD application and service principal (AzureRM PowerShell module)
# The secret below is the article's sample value; use your own.

$aadClientSecret = ConvertTo-SecureString "Test@123456" -AsPlainText -Force

$azureAdApplication = New-AzureRmADApplication -DisplayName "Keyvault Encryption App" -HomePage "https://nirajencryptionapp" -IdentifierUris "https://nirajencryptionapp" -Password $aadClientSecret

$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

# Create a Key Vault

$keyVaultName = "nirajKeyVault"

$keyVault = New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName "RG02" -Location "EastUS"

# Get the registration status of the Microsoft.KeyVault resource provider

Get-AzureRmResourceProvider -ListAvailable | Where-Object ProviderNameSpace -Match "keyvault"

# Re-register the Key Vault resource provider (if it is not yet registered in the subscription)

Get-AzureRmResourceProvider -ListAvailable | Where-Object ProviderNameSpace -Match "keyvault" | Register-AzureRmResourceProvider

# Add access for the Azure AD application on the Key Vault (wrap keys, set secrets)

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $servicePrincipal.ApplicationId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName "RG02"

# Add access for the Azure platform to access the Key Vault (required for disk encryption)

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -EnabledForDiskEncryption

# Enable encryption of all volumes on the VM (this step uses the Azure CLI, not PowerShell)

az vm encryption enable --resource-group "RG02" --name "NIRAJ-MIMSRV01" --disk-encryption-keyvault "nirajKeyVault" --volume-type All

2.5 Verification of Disk Encryption

Once the disk is encrypted, the status is displayed in the portal.

Or you can check it via PowerShell.
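A PowerShell check that covers both halves of section 2.4, as an added example that is not part of the original article: it first confirms the Key Vault is enabled for disk encryption (the Set-AzureRmKeyVaultAccessPolicy -EnabledForDiskEncryption step), then reports the encryption state of every VM in the resource group rather than only the one VM from the article. The resource group "RG02" and vault name "nirajKeyVault" are the article's values; Get-AzureRmKeyVault and Get-AzureRmVMDiskEncryptionStatus are AzureRM cmdlets.

```powershell
# Added example (not from the original article): verify the Key Vault setting
# that disk encryption depends on, then report encryption status per VM.
$resourceGroup = "RG02"           # value from the article
$keyVaultName  = "nirajKeyVault"  # value from the article

# The platform can only store/read the disk encryption secrets if the vault was
# enabled for disk encryption; 'az vm encryption enable' fails otherwise.
$kv = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroup
if (-not $kv.EnabledForDiskEncryption) {
    Write-Warning "Key Vault $keyVaultName is not enabled for disk encryption."
}

# One row per VM: OS type, managed-disk flag (section 2.1 requires managed disks),
# and the OS/data volume states reported by the encryption extension.
$report = foreach ($vm in Get-AzureRmVM -ResourceGroupName $resourceGroup) {
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroup -VMName $vm.Name
    [pscustomobject]@{
        VM          = $vm.Name
        OsType      = $vm.StorageProfile.OsDisk.OsType
        Managed     = [bool]$vm.StorageProfile.OsDisk.ManagedDisk
        OsVolume    = $status.OsVolumeEncrypted      # Encrypted, NotEncrypted, EncryptionInProgress, VMRestartPending, ...
        DataVolumes = $status.DataVolumesEncrypted
        SecretVault = $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.Id
        Progress    = $status.ProgressMessage
    }
}

$report | Format-Table -AutoSize

# Anything whose OS volume is not 'Encrypted' needs attention. A Linux VM whose
# distribution is unsupported (the Ubuntu 18.04 case in section 2.5) also lands here,
# because the extension never reaches the Encrypted state.
$report | Where-Object { $_.OsVolume -ne 'Encrypted' } | ForEach-Object {
    Write-Warning "$($_.VM) ($($_.OsType)): OS volume state is '$($_.OsVolume)'"
}
```

The SecretVault column is worth keeping in the report: it shows which vault actually holds a VM's encryption secret, so a VM encrypted against the wrong vault, or one whose vault has since been deleted, stands out immediately.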

Note: If the VM's Linux distribution is not on the supported list, you will get the following error.

az vm encryption enable --resource-group "DefaultResourceGroup-EUS" --name "NIRAJ-LINUX02" --disk-encryption-keyvault "Niraj-Linux-KeyVault" --volume-type All

VM has reported a failure when processing extension 'AzureDiskEncryptionForLinux'. Error message: "OS volume encryption is not supported on Ubuntu 18.04".

3. End of Document
