Azure and Full Disk Encryption
Introduction
Here is a small tutorial on encrypting a Microsoft Azure virtual machine disk.
Preparing the Azure Virtual Machine
Register the Microsoft.KeyVault resource provider in your Azure subscription (a one-time step per subscription).
$ az provider register -n Microsoft.KeyVault
Create a resource group in your favorite location (keep in mind that features and VM sizes differ between locations; a VM size offered in one region may not be available in another).
$ az group create \
--name testResourceGroup \
--location centralus
Create an Azure Key Vault and enable it for use with disk encryption. The vault must be in the same region and subscription as the VM it protects. Because a deleted key or secret leaves an encrypted disk permanently unreadable, consider creating a vault used for this purpose with purge protection enabled (`--enable-purge-protection`).
$ az keyvault create \
--name testKeyVault \
--resource-group testResourceGroup \
--location centralus \
--enabled-for-disk-encryption True
Create a key-encryption key (KEK) in your Key Vault. The per-disk encryption secrets that the extension stores in the vault are wrapped with this key. `--protection software` creates a software-protected key; a Premium-SKU vault can hold an HSM-protected key (`--protection hsm`) instead.
$ az keyvault key create \
--vault-name testKeyVault \
--name testKey \
--protection software
Create a service principal in Azure Active Directory. The encryption extension running inside the VM authenticates as this principal to write the disk secrets to Key Vault and to have them wrapped with the KEK. Note the `appId` and `password` values in the command's output: they are the `$sp_id` and `$sp_password` used below. The principal needs no Azure RBAC role for this, only the Key Vault access policy set in the next step. (This AAD-application flow is the older way of enabling Azure Disk Encryption; current versions of `az vm encryption enable` can run without the `--aad-client-id`/`--aad-client-secret` arguments, which avoids managing a client secret at all.)
$ az ad sp create-for-rbac
Set permissions on your Key Vault for the principal (`$sp_id` is the `appId` from the previous step). `wrapKey` on keys and `set` on secrets are the only two permissions the extension needs; do not grant broader rights such as `get` or `list` on secrets, which would let a leaked client secret read every disk key stored in the vault.
$ az keyvault set-policy \
--name testKeyVault --spn $sp_id \
--key-permissions wrapKey \
--secret-permissions set
Create a VM and attach a 10 GB data disk. Keep in mind that only certain marketplace images support disk encryption, and that Linux OS-disk encryption requires a VM with at least 7 GB of memory, so choose a suitable size with `--size` rather than relying on the default.
$ az vm create \
--resource-group testResourceGroup \
--name testVM \
--image UbuntuLTS \
--admin-username azureuser \
--generate-ssh-keys \
--data-disk-sizes-gb 10
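On Linux, Azure Disk Encryption only encrypts data disks that are mounted and listed in /etc/fstab, and it expects a persistent identifier in that entry rather than a /dev/sdX name. The following is an added example script for preparing the newly attached data disk inside the VM; it is not part of the original tutorial. It assumes the 10 GB disk shows up as /dev/sdc (confirm with `lsblk`; /dev/sdb is usually the temporary disk), an ext4 filesystem, and a mount point of /datadisk, all of which are choices made here and not given on the page.

```shell
#!/bin/sh
# Added example, not from the original page: prepare an attached Azure data
# disk so that Azure Disk Encryption will pick it up.  Assumptions (not on the
# page): the disk is /dev/sdc, the filesystem is ext4, the mount point is
# /datadisk.  Verify the device with `lsblk` before running; this wipes it.
set -eu

# Build the /etc/fstab entry.  We reference the filesystem UUID rather than
# /dev/sdX, which can change between boots, and add "nofail" so the VM still
# boots if the disk is ever detached.
fstab_line() {
  uuid=$1
  mountpoint=$2
  printf 'UUID=%s %s ext4 defaults,nofail 0 2\n' "$uuid" "$mountpoint"
}

# Partition, format, mount and persist a data disk.  Destructive: wipes DEV.
prepare_data_disk() {
  dev=$1
  mountpoint=$2
  part="${dev}1"

  sudo parted --script "$dev" mklabel gpt mkpart primary ext4 0% 100%
  sudo partprobe "$dev"
  sudo mkfs.ext4 -F "$part"
  sudo mkdir -p "$mountpoint"

  uuid=$(sudo blkid -s UUID -o value "$part")
  # Append the entry once; re-running the script must not duplicate it.
  if ! grep -q "UUID=$uuid " /etc/fstab; then
    fstab_line "$uuid" "$mountpoint" | sudo tee -a /etc/fstab >/dev/null
  fi
  # Mount by mount point so the fstab entry we just wrote is what gets used.
  sudo mount "$mountpoint"
  df -h "$mountpoint"
}

# Usage on the VM:  sh prepare-disk.sh --run /dev/sdc /datadisk
if [ "${1:-}" = "--run" ]; then
  prepare_data_disk "$2" "$3"
fi
```

Run it with the `--run` flag only after checking `lsblk`; without the flag it just defines the functions. Once `df -h /datadisk` shows the mounted filesystem and the UUID line is in /etc/fstab, the disk qualifies for encryption in the next step.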
SSH to your VM using the publicIpAddress shown in the output of the preceding command, create a partition and filesystem, and mount the data disk with a persistent (UUID-based) entry in /etc/fstab; on Linux only mounted data disks listed in /etc/fstab are encrypted. Then start encrypting your VM. `$sp_password` is the client secret from the service-principal step; keep it in an environment variable rather than pasting it literally, so it does not end up in your shell history.
$ az vm encryption enable \
--resource-group testResourceGroup \
--name testVM \
--aad-client-id $sp_id \
--aad-client-secret $sp_password \
--disk-encryption-keyvault testKeyVault \
--key-encryption-key testKey \
--volume-type all
The encryption process takes some time to complete. You can monitor its status; for now it will show EncryptionInProgress:
$ az vm encryption show \
--resource-group testResourceGroup \
--name testVM
When the status for the OS disk reports VMRestartPending, restart your virtual machine.
$ az vm restart \
--resource-group testResourceGroup \
--name testVM
The disk encryption process is finalised during the boot process, so wait a few minutes before checking the status of encryption again. The status should then report that both the OS disk and the data disk are Encrypted.
$ az vm encryption show \
--resource-group testResourceGroup \
--name testVM
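The check, restart, check-again cycle above is easy to get wrong by hand (restarting too early, or twice). Here is an added example script, not from the original tutorial, that drives it automatically using the state names the page quotes. It assumes `az` is logged in, the resource group and VM names used on the page, and that `az vm encryption show` exposes the OS and data disk states in `osDisk` and `dataDisk` fields with the values EncryptionInProgress, VMRestartPending and Encrypted; the polling interval and retry limit are choices made here.

```shell
#!/bin/sh
# Added example, not from the original page: poll the encryption status,
# restart the VM exactly once when the OS disk reports VMRestartPending, and
# stop when both disks report Encrypted.  Assumptions (not on the page): `az`
# is logged in; `az vm encryption show` returns osDisk/dataDisk fields with
# the state names quoted in the tutorial; poll interval and limit are ours.
set -eu

RESOURCE_GROUP=${RESOURCE_GROUP:-testResourceGroup}
VM_NAME=${VM_NAME:-testVM}
POLL_SECONDS=${POLL_SECONDS:-60}
MAX_TRIES=${MAX_TRIES:-60}      # 60 x 60 s = give up after about an hour

# Current state of one disk ("osDisk" or "dataDisk") as a bare string.
disk_state() {
  az vm encryption show \
    --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" \
    --query "$1" --output tsv
}

# Map a reported state to the operator action it calls for.
action_for() {
  case $1 in
    Encrypted)            echo done ;;
    VMRestartPending)     echo restart ;;
    EncryptionInProgress) echo wait ;;
    *)                    echo unknown ;;
  esac
}

# Poll until the command given in $2.. prints $1, or fail after MAX_TRIES.
# The probe is passed as a command so the loop can be exercised without Azure.
wait_for_state() {
  expected=$1; shift
  tries=0
  while [ "$tries" -lt "$MAX_TRIES" ]; do
    if [ "$("$@")" = "$expected" ]; then
      return 0
    fi
    tries=$((tries + 1))
    sleep "$POLL_SECONDS"
  done
  echo "gave up waiting for $expected" >&2
  return 1
}

main() {
  restarted=0
  tries=0
  while [ "$tries" -lt "$MAX_TRIES" ]; do
    state=$(disk_state osDisk)
    case $(action_for "$state") in
      done)
        # OS disk finished; the data disk is completed during the same boot.
        wait_for_state Encrypted disk_state dataDisk
        echo "OS and data disks report Encrypted"
        return 0 ;;
      wait) ;;
      restart)
        # The state may still read VMRestartPending for a while after the
        # restart is issued, so only ever restart once.
        if [ "$restarted" -eq 0 ]; then
          az vm restart --resource-group "$RESOURCE_GROUP" --name "$VM_NAME"
          restarted=1
        fi ;;
      *)
        echo "unexpected OS disk state: $state" >&2
        return 1 ;;
    esac
    tries=$((tries + 1))
    sleep "$POLL_SECONDS"
  done
  echo "gave up; OS disk state is $(disk_state osDisk)" >&2
  return 1
}

# Usage, after `az vm encryption enable` has been issued:  sh wait-ade.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

A non-zero exit means either an unrecognised state (inspect the full `az vm encryption show` output, which also carries a progressMessage) or a timeout; in both cases nothing further is done to the VM.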