How to Encrypt Disks on Azure VMs using PowerShell

In my previous post, I showed you how to create a Key Vault. Today I will show you how to use that Key Vault to store the encryption key and then encrypt the disks of your virtual machines in Azure with PowerShell. Requirements: This tutorial assumes that you already have a Microsoft Azure account set up and you have an Azure Key Vault. To learn how to create a Key Vault, see this link. Important: The Azure Key Store that contains the cryptographic keys and associated resources, such as storage and the virtual machine, must be in the same region.

Azure PowerShell Workaround #

If you want to know how to install the PowerShell Azure module on your machine, check out this link. The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account. If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Set the variables Here, we define the characteristics of our environment

$resourceGroupName = "RG-DEMO"
$location = "west europe"
$vm = "VM-ARM-2016"
$keyVaultName = "KV-DEMO-PS"

Azure Key Vault Access Policy #

Before you start working with the Key Vault, you must grant your user permission to perform operations with the Key Vault. To perform this task, you must use the Set-AzKeyVaultAccessPolicy cmdlet.

Get-AzADUser

$objID=(Get-AzADUser -DisplayName <String>).Id

Set-AzKeyVaultAccessPolicy `
    -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName `
    -ObjectId $objID `
    -PermissionsToKeys create,delete,list,get,verify,encrypt,wrapkey

Create a cryptographic key #

To perform the encryption of the disks, you must create an essential component, an encryption key that must be stored in the Key Vault. For this, you must use the Add-AzKeyVaultKey cmdlet with the following syntax:

Add-AzKeyVaultKey `
    -VaultName $keyVaultName `
    -Name "crypKey" `
    -Destination "Software"

- Destination Specifies whether to add the key as a software-protected key or a Hardware-protected key in the Key Vault service. Valid values are HSM and Software. Using an HSM requires a premium Key Vault.

>

#

The “CrypKey” is the name I chose for the encryption key, you can choose the name of your encryption key.

Check Azure VM status #

Once the encryption key has been created, we will check that the machine is “Running”, and the disks are not encrypted.

Get-AzVM `
    -ResourceGroupName $resourceGroupName \`
    -VMName $vm `
    -Status `
    | select-object Name, @{n="Running Status"; e={$_.Statuses[1].DisplayStatus}}

Get-AzVmDiskEncryptionStatus `
    -ResourceGroupName $resourceGroupName `
    -VMName $vm

Encrypt a virtual machine #

Once we have verified that the virtual machine is not already encrypted and is in the “Running” state. We can start the encryption process, to perform this task we will use the Set-AzVMDiskEncryptionExtension cmdlet with the following syntax:

$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri
$keyVaultResourceId = $keyVault.ResourceId
$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name CrypKey).Key.Kid

Set-AzVMDiskEncryptionExtension `
    -ResourceGroupName $resourceGroupName `
    -VMName $vm `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $keyVaultResourceId

Once the encryption process is completed and the virtual machine is rebooted, you can verify the encryption status by using the Get-AzVmDiskEncryptionStatus cmdlet.

Thanks for reading my post. I hope you find it useful.

If you want to know more about Azure Disk Encryption, check out this link.