Azure and Full Disk Encryption

May 25, 2018    Article


Here is a small tutorial on encrypting a Microsoft Azure virtual machine disk.

Preparing the Azure Virtual Machine

Enable the Azure Key Vault provider within your Azure subscription.

$ az provider register -n Microsoft.KeyVault

Create a resource group in your favorite location (keep in mind that different locations enable different features; some VM sizes are not available in every location).

$ az group create \
    --name testResourceGroup \
    --location centralus

Create an Azure Key Vault and enable the Key Vault for use with disk encryption.

$ az keyvault create \
    --name testKeyVault \
    --resource-group testResourceGroup \
    --location centralus \
    --enabled-for-disk-encryption True

Create a cryptographic key in your Key Vault.

$ az keyvault key create \
    --vault-name testKeyVault \
    --name testKey \
    --protection software

Create a service principal using Azure Active Directory; it handles the authentication and exchange of cryptographic keys with Key Vault. Capture its appId and password, since the later commands use them as $sp_id and $sp_password.

$ read -r sp_id sp_password <<< "$(az ad sp create-for-rbac \
    --query '[appId,password]' -o tsv)"

Set permissions on your Key Vault.

$ az keyvault set-policy \
    --name testKeyVault --spn $sp_id \
    --key-permissions wrapKey \
    --secret-permissions set

Create a VM and attach a 10 GB data disk. Keep in mind that only certain marketplace images support disk encryption.

$ az vm create \
    --resource-group testResourceGroup \
    --name testVM \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys \
    --data-disk-sizes-gb 10

SSH to your VM using the publicIpAddress shown in the output of the preceding command, create a partition and filesystem, then mount the data disk. Then start encrypting your VM.

$ az vm encryption enable \
    --resource-group testResourceGroup \
    --name testVM \
    --aad-client-id $sp_id \
    --aad-client-secret $sp_password \
    --disk-encryption-keyvault testKeyVault \
    --key-encryption-key testKey \
    --volume-type all

The encryption process takes some time to complete. You can monitor its status; for now, it will show EncryptionInProgress:

$ az vm encryption show \
    --resource-group testResourceGroup \
    --name testVM

When the status for the OS disk reports VMRestartPending, restart your virtual machine.

$ az vm restart \
    --resource-group testResourceGroup \
    --name testVM

The disk encryption process is finalised during the boot process, so wait a few minutes before checking the status of encryption again. The status should report that both the OS disk and the data disk are Encrypted.

$ az vm encryption show \
    --resource-group testResourceGroup \
    --name testVM
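The manual monitor, restart and re-check steps above can be driven by a script. The following is an added example and not part of the original article; it assumes that `az vm encryption show` exposes the per-disk statuses as the `osDisk` and `dataDisk` fields (an assumption about the CLI output of that era) and reuses the resource group and VM names from this page.

```shell
#!/usr/bin/env bash
# Added example: poll the encryption status of testVM and perform the
# restart the article asks for when the OS disk reports VMRestartPending.
# Assumes a logged-in az CLI and the output fields osDisk/dataDisk.
set -euo pipefail

RG=testResourceGroup
VM=testVM

# Map the two per-disk statuses named on this page to the operator's
# next action: restart, wait, done, or fail (anything unexpected).
ade_next_action() {
  local os_status=$1 data_status=$2
  case "$os_status" in
    VMRestartPending) echo restart ;;
    EncryptionInProgress) echo wait ;;
    Encrypted)
      case "$data_status" in
        Encrypted) echo done ;;
        EncryptionInProgress) echo wait ;;
        *) echo "fail: data disk status '$data_status'" ;;
      esac ;;
    *) echo "fail: OS disk status '$os_status'" ;;
  esac
}

# Drive the loop against the real VM until both disks are Encrypted.
wait_for_encryption() {
  local status os data action
  while :; do
    # tsv output of a two-element query gives "osDisk<TAB>dataDisk".
    status=$(az vm encryption show --resource-group "$RG" --name "$VM" \
               --query '[osDisk,dataDisk]' -o tsv)
    read -r os data <<< "$status"
    action=$(ade_next_action "$os" "$data")
    case "$action" in
      done)    echo "OS disk and data disk are both Encrypted"; return 0 ;;
      restart) az vm restart --resource-group "$RG" --name "$VM" ;;
      wait)    sleep 60 ;;
      *)       echo "$action" >&2; return 1 ;;
    esac
  done
}

# Only talk to Azure when explicitly asked: ./ade-wait.sh run
if [ "${1:-}" = "run" ]; then wait_for_encryption; fi
```

A data disk that was not mounted before `az vm encryption enable` will not reach Encrypted, which is why the script treats any status other than the three named on the page as a failure rather than waiting forever.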

Additional info