Explore Azure Disk Encryption with Azure Powershell

Hi (Security) Community!

Two days ago, we announced the public preview for Azure Disk Encryption supporting both Windows Server and Linux VMs. I am sure everyone has seen the detailed whitepaper and already started encrypting your VMs using the ARM template samples we provided. Now, we know the community loves PowerShell and everything that you can perform and automate using the latest cmdlets. So, based on feedback, we thought it would be valuable to share a little more on how you can use the Azure Disk Encryption cmdlets to automate monitoring or generating some reports for your VMs in Azure.  This post comes from Sudhakar Evuri, a Senior Software Engineer in the Azure Security engineering team.

Today, we would like to walk you through three different scenarios:

  1. How to enable Azure Disk Encryption on IaaS VMs that are running in Azure
  2. How to show encryption status of all your virtual machines
  3. How to enumerate the encryption secrets in a given Key Vault

Note:
After you’re done trying out the steps in this article, make sure to check out Explore Azure Disk Encryption with Azure PowerShell – Part 2 for more advanced scenarios.

Prerequisites

To get you started, here are some important prerequisites that must be completed in advance on any Azure virtual machine you wish to launch these scripts: 

  1. Azure subscription: A valid Azure subscription is needed to use Azure Disk Encryption. Visit https://azure.microsoft.com/en-us/pricing/purchase-options/ to get one.
  2. Azure PowerShell: Please use the latest version of Azure PowerShell SDK version to configure Azure Disk Encryption. Download the latest version of Azure PowerShell version 1.2.1. Azure Disk Encryption is NOT supported by Azure SDK version 1.1.0. If you are receiving an error related to using Azure PowerShell 1.1.0, please see the article Azure Disk Encryption Error Related to Azure PowerShell 1.1.0.
  3. Azure Key Vault: Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault. Please refer to the Azure Key Vault – Step by Step blog post for more details on how to setup a Key Vault in Azure. In order to make sure the encryption secrets don’t cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VM to be co-located in the same region. Please create and use a Key Vault that is in the same region as the VM to be encrypted.
  4. Azure Active Directory Client ID and Secret: In order to write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the specified Key Vault. Please refer to the Azure Key Vault – Step by Step blog post for more detail on how to get the Azure Active Directory Client ID and Client Secret using Azure portal.
  5. IaaS VM in Azure: Azure Disk Encryption works only on IaaS VMs (virtual machines created using the Azure Resource Management model). Please refer to Different ways to create a Windows virtual machine with Resource Manager for information on how to create IaaS virtual machines in Azure. Please create a VM in the same region as the Key Vault. Latest gallery images in Azure are optimized to finish encryption operation quickly. So it is recommended to create VMs using the latest gallery images.

Encrypt the IaaS Virtual Machine

Now that you have all the prerequisites completed and in place, let’s walk through the process of enabling encryption on an IaaS VM:

First, please have the VM, Key Vault, and Azure AD (AAD) application details ready as described in Prerequisites section.

Next, you must logon to Azure and select your subscription. To logon to your subscription, launch Microsoft Azure PowerShell by searching for programs in the Windows Start menu.

Use the below cmdlet to login to your Azure account.

Login-AzureRmAccount

Once logged in, use the below cmdlet to get the list of your available subscriptions.

Get-AzureRmSubscription

 and then, select the subscription in which your resources are available.

Select-AzureRmSubscription -SubscriptionName "<your subscription name>"

Once you have the specific subscription selected, you will need to initialize some variables with the details of resource group, key vault, VM and AAD app that will be used in subsequent cmdlets. The resource group, VM, Key Vault and the AAD app used below should have already been created as pre-requisites.

$rgName = 'MySecureRg';

 

$vmName = 'mysecurevm';

 

$aadClientID = <your-aad-client-id>;

$aadClientSecret = <your-aad-client-secret>;

 

$KeyVaultName = 'MySecureVault';

$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname;

$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;

$KeyVaultResourceId = $KeyVault.ResourceId;

In the process of enabling encryption on a VM, the generated encryption secrets will be written to the specified Key Vault. The AAD app credentials initialized above will be used to authenticate against Azure Active Directory and write secrets to Azure Key Vault. So the AAD application needs to be authorized to write secrets to Key Vault. Next, set the Key Vault access policies to allow the specified Azure AD application to write secrets to Key Vault:

Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all -ResourceGroupName $rgname;

The Azure fabric needs to access encryption secrets in order to boot the encrypted VM. Use the below cmdlet to set Key Vault access policies to allow Azure platform access the encryption secrets placed in the Key Vault.

Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $rgname –EnabledForDiskEncryption

The last, but most important step, is to actually encrypt the VM. Use the Set-AzureRmVmDiskEncryptionExtension cmdlet to enable encryption on the VM. This cmdlet prepares the machine for encryption, writes encryption secrets to the specified Key Vault using the specified AAD credentials, and then starts encryption on the VM. This cmdlet is a long running operation and may need to reboot the VM. We advise you to save your work before running this cmdlet. This cmdlet uses the variables initialized above. It is recommended to create IaaS VMs using the latest gallery images to quickly enable encryption.

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;

If you are successful, you should see the following output confirming the VM encryption was successful: 

Enable AzureDiskEncryption on the VM

This cmdlet prepares the VM and enables encryption which may reboot the machine and takes 10-15 minutes to finish.

Please save your work on the VM before confirming. Do you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

Status : Succeeded

StatusCode : OK

RequestId : 23a4e8fb-9118-4fe3-8458-4a84de2b9f7f

Output :

Error :

StartTime : 11/9/2015 7:30:26 PM -08:00

EndTime : 11/9/2015 7:30:48 PM -08:00

TrackingOperationId : c5102266-78ea-4c6e-ab6b-8089f1ba9898

Please refer to the Set-AzureRmVmDiskEncryptionExtension cmdlet for full list options and details.

Once you have enabled and deployed an encrypted VM, the Get-AzureRmVmDiskEncryptionStatus cmdlet displays encryption status of OS volume, data volumes and the encryption secret Key Vault URLs of OS volume.

Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName

 You should be able to see that both the OS volume and the data volumes are now encrypted:

OsVolumeEncrypted : True

OsVolumeEncryptionSettings : {

                               "DiskEncryptionKey": {

                                 "SecretUrl": "https://mysecurevault.vault.azure.net/secrets/FA44FF92-91F0-4312-A1E8-224B78BEF1D5/4be86eb63702468386c9e770b7fc352c",

                                 "SourceVault": {

                                   "ReferenceUri": "/subscriptions/0ee9d577-9bc4-4a32-a4e8-c29981025378/resourceGroups/MySecureRg/providers/Microsoft.Key Vault/vaults/MySecureVault"

                                 }

                               },

                               "KeyEncryptionKey": null

                             }

DataVolumesEncrypted : True

 Get a list of all encrypted VMs in your subscription

If you have multiple VMs in your subscription and you want to list the OS volume and data volumes encryption status for all VMs to see which of the VMs are encrypted, the below cmdlets show you how to do that.

$osVolEncrypted = {(Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $_.ResourceGroupName -VMName $_.Name).OsVolumeEncrypted}

$dataVolEncrypted= {(Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $_.ResourceGroupName -VMName $_.Name).DataVolumesEncrypted}

Get-AzureRmVm | Format-Table @{Label="MachineName"; Expression={$_.Name}}, @{Label="OsVolumeEncrypted"; Expression=$osVolEncrypted}, @{Label="DataVolumesEncrypted"; Expression=$dataVolEncrypted}

Here is one way you can see the list of VMs that are encrypted in a structured output:

MachineName OsVolumeEncrypted DataVolumesEncrypted

----------- ----------------- --------------------

mysecurevm True True

mywindvm11 True True

mywindvm12 False False

mywindvm13 False False

mywindvm14 False False

mywindvm15 True False 

Get a list of all disk encryption secrets used for encrypting VM in your subscription

The Azure Disk Encryption functionality uploads encryption secrets corresponding to all the volumes into the Key Vault specified while enabling encryption. If you would like to see all the disk encryption secrets in a given Key Vault written by Azure Disk Encryption and the corresponding machine names and volume letters, the following syntax will provide that report for you:

Get-AzureKeyVaultSecret -VaultName $KeyVaultName | where {$_.Tags.ContainsKey('DiskEncryptionKeyFileName')} | format-table @{Label="MachineName"; Expression={$_.Tags['MachineName']}}, @{Label="VolumeLetter"; Expression={$_.Tags['VolumeLetter']}}, @{Label="EncryptionKeyURL"; Expression={$_.Id}}

It will be structured and displayed in similar format:

MachineName Volume EncryptionKeyURL

----------- ------ ----------------

MYSECUREVM D:        https://mysecurevault.vault.azure.net:443/secrets/7832CE5C-A252-4E50-B3CC-2A1630F2B279

MYSECUREVM C:        https://mysecurevault.vault.azure.net:443/secrets/FA44FF92-91F0-4312-A1E8-224B78BEF1D5

We hope the above PowerShell cmdlets and scripts will get you started in encrypting all your VMs and we look forward to your feedback and what other capabilities you would like to see or deployed in Azure.

Sudhakar Evuri
Senior Software Engineer

 

image

Comments

  • Anonymous
    December 13, 2015
    I don't know what I am doing wrong I just get this "Unknown error encountered when retrieving https://..... from the Key Vault" error when preparing the VM. Followed to the letter.

  • Anonymous
    December 14, 2015
    Hi Frank - Thanks for letting us know - we're following up on this. Tom

  • Anonymous
    February 02, 2016
    The AADClientSecret used to set up disk encryption has a maximum life of two years. Is there a way to update the AAD Secret without having to unencrypt and reencrypt the drives?

  • Anonymous
    February 19, 2016
    i am doing some testing with key vault and encryption.  I had two vaults.  I successfully moved secrets to second vault, and then deleted first vault.  Not my VM was registered with first vault.  How to I modify so he can read secrets in second vault ?

  • Anonymous
    February 19, 2016
    how do you recover from a deleted vault.  I had all secrets in two vaults and ant to point VM to recovery vault ?

  • Anonymous
    February 19, 2016
    Hi Jeff - Excellent question! Let me ask around and see if I can find an answer for you. Thanks! Tom

  • Anonymous
    February 21, 2016
    Thanks Tom.  Looking forward to a reply.