Monday, 24 June 2019

STEPS TO BE FOLLOWED IN ENABLING DISK ENCRYPTION IN AZURE

The solution supports the following scenarios for IaaS VMs when they are enabled in Microsoft Azure:
·         Integration with Azure Key Vault
·         Standard tier VMs: A, D, DS, G, GS, F, and so forth series IaaS VMs
·         Enable encryption on Windows and Linux IaaS VMs and managed disk VMs from the supported Azure Gallery images
·         Disable encryption on OS and data drives for Windows IaaS VMs and managed disk VMs
·         Disable encryption on data drives for Linux IaaS VMs and managed disk VMs
·         Enable encryption on IaaS VMs running Windows Client OS
·         Enable encryption on volumes with mount paths
·         Enable encryption on Linux VMs configured with disk striping (RAID) using mdadm
·         Enable encryption on Linux VMs using LVM for data disks
·         Enable encryption on Linux LVM 7.3 for OS and data disks
·         Enable encryption on Windows VMs configured with Storage Spaces
·         Update encryption settings of an existing encrypted premium and non-premium storage VM
·         Backup and restore of encrypted VMs, for both no-KEK and KEK scenarios (KEK - Key Encryption Key)
·         All Azure Public and AzureGov regions are supported
The solution does not support the following scenarios, features, and technology:
·         Basic tier IaaS VMs
·         Disabling encryption on an OS drive for Linux IaaS VMs
·         Disabling encryption on a data drive if the OS drive is encrypted for Linux IaaS VMs
·         IaaS VMs that are created by using the classic VM creation method
·         Enabling encryption on Windows and Linux IaaS VMs created from customer custom images
·         Integration with your on-premises Key Management Service
·         Azure Files (shared file system), Network File System (NFS), dynamic volumes, and Windows VMs that are configured with software-based RAID systems.

A.   STEPS TO BE FOLLOWED IN ENABLING DISK ENCRYPTION

Enabling Disk Encryption in Azure Windows VMs will require below mentioned steps.
1.     Create the Azure AD application:

Registering an application needs only the right to create app registrations in the Azure AD tenant; by default every user has it, and otherwise the Application Developer role is enough. Global Administrator rights are not required for this step and should not be used for it.

1.       First, create an Azure Active Directory application. Sign in to the Azure portal → Azure Active Directory → App registrations and click New application registration.
2.       Give it an appropriate Name and Sign-on URL and click Create.

3.       Once the Azure Active Directory (AAD) application is created, note the Application ID that was generated. This is referred to as $ClientID.

4.       Next, set up a key for the AAD application: click Settings → Keys.
5.       Under Passwords, enter a Description and an Expiry, then click Save. Avoid Never Expires: a non-expiring secret is a standing credential for anyone who obtains it, and the encryption extension only uses it while encryption is being enabled or its settings are updated, so prefer a finite expiry (for example one year) and rotate the secret the next time you update the encryption settings. When you click Save a secret Value is generated. This is referred to as $ClientSecret.
Copy the value without fail: it cannot be retrieved after you leave the blade.
2.     Creating Azure Key Vault and its Key:

Once the AAD application exists and we have its Application ID ($ClientID) and client secret ($ClientSecret), we need to create a Key Vault in the Azure portal.


1.       Go to the Azure portal → search for Key Vaults → click Add. Enter the necessary details: Name, Resource Group, Pricing Tier and Access Policies.
2.       Under Access Policies, click Add New and select the AAD application created in the earlier steps. Azure Disk Encryption needs only two permissions for this principal: Wrap Key under Key permissions and Set under Secret permissions. Granting everything except Purge, as is often done, lets the application read, delete and recover every key and secret in the vault, none of which it needs; grant only those two.



3.       Once AAD Application has been added in Access Policies, click on Create.
4.       After the Key Vault is created, go to Properties and make note of the Resource ID and DNS Name.  This will be referred as $kvResourceID and $kvURL respectively.
Resource ID = $kvResourceID
DNS Name = $kvURL


5.       Go to Access Policies, expand "Click to show Advanced access policies" and tick "Enable access to Azure Disk Encryption for volume encryption"; this is the one option Azure Disk Encryption requires. The other two (access for Azure Virtual Machines for deployment and for Azure Resource Manager for template deployment) are unrelated to disk encryption and can be left off. Click Save.



6.       Next, create the key encryption key (KEK) in the vault: click Keys → Generate/Import. Select Generate, give the key an appropriate Name and keep the default options (key type RSA; the KEK must be an RSA key, because Azure Disk Encryption uses it to wrap the volume encryption key). Click Create.
7.       Click the key you created and verify the permissions are as expected. Copy the Key Identifier that was generated. This is referred to as $kvKeyID.
After completing the steps above, you should have the following information available; it is needed to implement Disk Encryption on the Azure VMs.

$ClientID
$ClientSecret
$kvResourceID
$kvURL
$kvKeyID
Important Note: A Key Vault and the keys in it must be in the same region (and the same subscription) as the VMs they are used for. Disk Encryption will fail if you apply key information from a vault in one region to a VM in another.
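As an added example (not code from the original post), the following AzureRM PowerShell performs sections 1 and 2 without the portal: it registers the AAD application with a generated, time-limited secret, creates the vault with the disk-encryption advanced policy, grants the application only Wrap Key and Set, and generates the RSA KEK. Resource group, region and every name in it are assumptions; it also assumes AzureRM.Resources 6.x, where -Password takes a SecureString. The AzureRM module is retired, and the Az module has the same cmdlets with Az in place of AzureRm.

```powershell
# Added example, not part of the original post: sections 1 and 2 done with the AzureRM
# module instead of the portal, granting the application only what ADE needs.
# Assumptions: AzureRM.Resources 6.x (-Password takes a SecureString), an existing
# resource group, and the made-up names below. Run after Connect-AzureRmAccount.

$rgName   = 'rg-ade-demo'       # assumed: existing resource group
$location = 'westeurope'        # assumed: must be the region of the VMs to encrypt
$appName  = 'ade-demo-app'      # assumed: AAD application display name
$kvName   = 'kv-ade-demo-001'   # assumed: globally unique vault name
$kekName  = 'ade-kek'           # assumed: key encryption key name

# --- 1. Azure AD application, service principal and a time-limited secret -------------
# Generate the secret instead of typing one, and give it a one-year lifetime rather
# than "Never expires": the extension only uses it while encryption is enabled/updated.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$ClientSecret    = [Convert]::ToBase64String($bytes)
$clientSecretSec = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force

$app = New-AzureRmADApplication -DisplayName $appName `
          -HomePage "https://$appName.example.invalid" `
          -IdentifierUris "https://$appName.example.invalid" `
          -Password $clientSecretSec `
          -EndDate (Get-Date).AddYears(1)
$null = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
$ClientID = $app.ApplicationId.ToString()

# --- 2. Key Vault enabled for disk encryption, least-privilege access policy ----------
$kv = New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location `
        -Sku Standard -EnabledForDiskEncryption

# A new service principal can take a few seconds to become visible to Key Vault.
Start-Sleep -Seconds 20

# ADE needs exactly two rights for this principal: wrap the volume key with the KEK
# (WrapKey) and store the wrapped key as a secret (Set). Nothing else.
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName `
    -ServicePrincipalName $ClientID -PermissionsToKeys WrapKey -PermissionsToSecrets Set

# The KEK must be an RSA key; a software-protected key is fine on the Standard SKU.
$kek = Add-AzureRmKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software

# --- Values section 3 needs, using the post's variable names -------------------------
$kvResourceID = $kv.ResourceId
$kvURL        = $kv.VaultUri
$kvKeyID      = $kek.Key.Kid        # versioned key identifier URL

[pscustomobject]@{
    ClientID     = $ClientID
    kvResourceID = $kvResourceID
    kvURL        = $kvURL
    kvKeyID      = $kvKeyID
    # $ClientSecret is deliberately not printed; keep it in the session or a vault.
}
```

Run it in the same PowerShell session you will use for section 3, so $ClientID, $ClientSecret, $kvURL, $kvResourceID and $kvKeyID are already populated. The account running it needs rights to create app registrations in the tenant and Contributor on the resource group; nothing more.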


3.     Implementing Disk Encryption scripts on Azure VMs.

Follow the steps below to perform Disk Encryption on a VM.

1.       Back up each VHD of the VM with Microsoft Azure Storage Explorer
·         Before applying the Disk Encryption script to the VM, back up each of its VHDs using Azure Storage Explorer. This applies to unmanaged disks held in a storage account; for managed disks, take a snapshot of each disk instead.
·         Locate the storage account where the VM's VHDs are kept and create a backup container in that storage account.
·         Deallocate (turn off) the VM from the Azure portal so the VHDs are not being written to during the copy.
·         Copy all VHDs from the source container to the new backup container.
·         Turn the VM back on.

2.       Sign in to Azure in Windows PowerShell with Connect-AzureRmAccount (Login-AzureRmAccount in older AzureRM versions) using an account that has Contributor rights on the VM's resource group; Global Administrator rights are not needed. Then run the command below, substituting the VM's resource group and name and the values noted in sections 1 and 2:

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName <ResourceGroupOfVM> -VMName <VMName> `
    -AadClientID $ClientID -AadClientSecret $ClientSecret `
    -DiskEncryptionKeyVaultUrl $kvURL -DiskEncryptionKeyVaultId $kvResourceID `
    -KeyEncryptionKeyUrl $kvKeyID -KeyEncryptionKeyVaultId $kvResourceID `
    -VolumeType All -Verbose

3.       Once the command has run, the VM reboots and the encryption process for each VHD (disk volume) in the VM starts. The time taken depends on the size of the data and of the disk volumes.
4.       During the encryption process, all the data remains available to logged-in users and applications. The only downtime is therefore during the VHD backup and during the reboot of the VM after the encryption command is executed.
4.     Register Permission for Backups

Note: The KEK parameters are optional when enabling encryption; when they are supplied, the Key Vault key wraps the volume encryption key (BEK) before it is stored as a secret in the vault. Azure Backup originally supported encrypted VMs only in the KEK configuration; as the supported-scenarios list at the top of this page states, both no-KEK and KEK VMs are now supported. Either way, confirm which configuration the VM uses before enabling backup.

Run the statements below to check whether Disk Encryption was done with a KEK.

$rgName = '' # Resource Group Name of VM
$vmName = '' # VM Name
Get-AzureRmVM -ResourceGroupName $rgName -VMName $vmName -DisplayHint Expand

In the expanded output, StorageProfile.OsDisk.EncryptionSettings lists DiskEncryptionKey (the secret URL of the BEK) and, for a VM encrypted with a KEK, KeyEncryptionKey (the URL of the KEK in the vault). If KeyEncryptionKey is absent, the VM was encrypted without a KEK.



Once the VM is encrypted, we must register the Backup permissions in the Key Vault. Follow the steps below.

1.       Sign in to the Azure portal with an account that has Contributor or Owner rights on the Key Vault → search for Key Vaults → select the Key Vault created earlier.
2.       Go to Access Policies → Add New. Under Configure from template, choose Azure Backup and click OK.
3.       The principal "Backup Management Service" is added under Access policies with the Get, List and Backup permissions on keys and secrets that the template grants.
4.       Refer to the Microsoft documentation link below as well.

5.       Once the permissions are applied, Backup can be enabled for the VM.


5.     Checking the status of the encryption

The Disk Encryption status of the VM can be checked with the following commands. OsVolumeEncrypted and DataVolumesEncrypted report NotEncrypted, EncryptionInProgress or Encrypted, and ProgressMessage carries the extension's last status message.

$rgName = '' # Resource Group Name of VM
$vmName = '' # VM Name
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
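As an added example (not code from the original post), the following AzureRM PowerShell ties sections 3, 4 and 5 together: it enables encryption on one VM with the values noted in sections 1 and 2, reads the BEK/KEK configuration from the VM model instead of eyeballing the expanded output, grants the Backup Management Service the same Get/List/Backup rights as the portal's Azure Backup template (looking the principal up rather than hard-coding it), and reports status. The VM and resource group names are assumptions, and $ClientID, $ClientSecret, $kvURL, $kvResourceID and $kvKeyID are assumed to be set in the session already. The Az module offers the same cmdlets with Az in place of AzureRm.

```powershell
# Added example, not part of the original post: sections 3 to 5 with the AzureRM module.
# Enables ADE on one VM, reads the KEK/BEK configuration from the VM model, grants the
# Backup Management Service the same rights as the portal's "Azure Backup" template,
# and reports status. Assumes $ClientID, $ClientSecret, $kvURL, $kvResourceID and
# $kvKeyID from sections 1-2 are already set in the session; the VM name is made up.

$rgName = 'rg-ade-demo'   # assumed: resource group of the VM
$vmName = 'vm-ade-demo'   # assumed: Standard-tier VM; back up its disks first

function Enable-VmDiskEncryption {
    param([string]$ResourceGroupName, [string]$VMName)
    # -Force suppresses the confirmation prompt; the VM still reboots once the
    # extension is installed, as described in section 3.
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -AadClientID $ClientID -AadClientSecret $ClientSecret `
        -DiskEncryptionKeyVaultUrl $kvURL -DiskEncryptionKeyVaultId $kvResourceID `
        -KeyEncryptionKeyUrl $kvKeyID -KeyEncryptionKeyVaultId $kvResourceID `
        -VolumeType All -Force
}

function Get-VmEncryptionKeys {
    # The BEK secret URL and (if present) KEK URL live in the VM model under
    # StorageProfile.OsDisk.EncryptionSettings for the AAD-based flow this post uses;
    # this is what -DisplayHint Expand shows in section 4, reduced to the fields that matter.
    param([string]$ResourceGroupName, [string]$VMName)
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -VMName $VMName
    $es = $vm.StorageProfile.OsDisk.EncryptionSettings
    [pscustomobject]@{
        Enabled = [bool]$es.Enabled
        BekUrl  = $es.DiskEncryptionKey.SecretUrl
        KekUrl  = $es.KeyEncryptionKey.KeyUrl
        UsesKek = -not [string]::IsNullOrEmpty($es.KeyEncryptionKey.KeyUrl)
    }
}

function Grant-AzureBackupVaultAccess {
    # Same grant as the portal template: Get, List, Backup on keys and secrets for
    # the tenant's "Backup Management Service" principal (looked up, not hard-coded).
    param([string]$VaultName, [string]$ResourceGroupName)
    $sp = Get-AzureRmADServicePrincipal -SearchString 'Backup Management Service' |
          Select-Object -First 1
    if (-not $sp) { throw 'Backup Management Service principal not found in this tenant.' }
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -ObjectId $sp.Id -PermissionsToKeys Get,List,Backup -PermissionsToSecrets Get,List,Backup
}

# Vault name and resource group, parsed from the vault's resource ID
# (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>).
$idParts  = $kvResourceID.Split('/')
$kvName   = $idParts[-1]
$kvRgName = $idParts[4]

Enable-VmDiskEncryption -ResourceGroupName $rgName -VMName $vmName

# Section 5: OsVolumeEncrypted/DataVolumesEncrypted move from NotEncrypted through
# EncryptionInProgress to Encrypted; re-run this until both read Encrypted.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName

# Section 4: register Backup only after confirming the KEK configuration was applied.
$keys = Get-VmEncryptionKeys -ResourceGroupName $rgName -VMName $vmName
$keys
if ($keys.UsesKek) {
    Grant-AzureBackupVaultAccess -VaultName $kvName -ResourceGroupName $kvRgName
} else {
    Write-Warning "$vmName is encrypted without a KEK; see the Backup note in section 4."
}
```

The account running this needs Contributor on the VM's resource group and Contributor or Owner on the Key Vault's resource group for the access-policy change; the AAD lookup of the Backup Management Service principal only needs directory read access, which every tenant user has by default.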


6.     References