Exercise - Encrypt existing VM disks
Suppose you're developing a financial-management app for new business startups. You want to ensure that all your customers' data is secured. So, you decided to implement Azure Disk Encryption (ADE) across all OS and data disks on the servers that host this app. As part of your compliance requirements, you also need to be responsible for your own encryption key management.
In this unit, you encrypt disks on an existing virtual machine (VM), and manage the encryption keys using your own Azure Key Vault.
Prepare the environment
You start by deploying a new Windows VM in an Azure VM.
Deploy Windows VM
To create and deploy a new Windows VM, use the Azure PowerShell window at the right.
To hold the selected location, define a PowerShell variable. Use the same region as the resource group.
$location = (Get-AzResourceGroup -name [sandbox Resource Group]).location
Tip
You can use the Copy button to copy commands to the clipboard. To paste, right-click on a new line in the Cloud Shell terminal and select Paste, or use the Shift+Insert keyboard shortcut (⌘+V on macOS).
Next, define a few more convenient variables to capture the name of the VM and the resource group. You're using the precreated resource group here. Normally, you'd create a new resource group in your subscription using New-AzResourceGroup.
$vmName = "fmdata-vm01"
$rgName = "[sandbox Resource Group]"
To create a new VM, use New-AzVm:
New-AzVm `
    -ResourceGroupName $rgName `
    -Name $vmName `
    -Location $location `
    -OpenPorts 3389
When Cloud Shell prompts you, enter a username and password for the VM. This information is used as the initial account created for the VM.
Note
This command uses some defaults because we didn't supply many options. Specifically, it creates a Windows 2016 Server image with the size set to Standard_DS1_v2. If you decide to specify the VM size, remember that Basic tier VMs don't support ADE.
After the VM finishes deploying, capture the VM details in a variable. You can use this variable to explore what you created:
$vm = Get-AzVM -Name $vmName -ResourceGroupName $rgName
You can use the following code to confirm the OS disk attached to the VM:
$vm.StorageProfile.OSDisk
OsType                  : Windows
EncryptionSettings      :
Name                    : fmdata-vm01_OsDisk_1_6bcf8dcd49794aa785bad45221ec4433
Vhd                     :
Image                   :
Caching                 : ReadWrite
WriteAcceleratorEnabled :
CreateOption            : FromImage
DiskSizeGB              : 127
ManagedDisk             : Microsoft.Azure.Management.Compute.Models.ManagedDiskParameters
Check the current status of encryption on the OS disk (and any data disks).
Get-AzVmDiskEncryptionStatus `
    -ResourceGroupName $rgName `
    -VMName $vmName
Notice that the disks are currently unencrypted.
OsVolumeEncrypted          : NotEncrypted
DataVolumesEncrypted       : NotEncrypted
OsVolumeEncryptionSettings :
ProgressMessage            : No Encryption extension or metadata found on the VM
Let's change that.
Encrypt the VM disks with Azure Disk Encryption
We need to protect this data, so let's encrypt the disks. Recall that there are several steps we need to perform:
Create a key vault.
Set up the key vault to support disk encryption.
Inform Azure to encrypt the VM disks using the key stored in the key vault.
Tip
We're going to walk through the steps individually, but when you're doing this task in your own subscription, you can use a handy PowerShell script, which we've linked in this module's Summary section.
Create a key vault
To create an Azure Key Vault, we need to enable the service in our subscription. You're only required to enable the service one time.
Tip
Depending on your subscription, you might need to enable the Microsoft.KeyVault provider with the Register-AzResourceProvider cmdlet. This isn't necessary in the Azure sandbox subscription.
Decide on a name for your new key vault. It must be unique and can be between 3 and 24 characters, composed of numbers, letters, and dashes. Try adding some random numbers to the end, replacing the following 1234:
$keyVaultName = "mvmdsk-kv-1234"
Create an Azure Key Vault with New-AzKeyVault:
- Make sure you place it in the same resource group and location as your VM.
- Enable the key vault for use with disk encryption.
- Specify a unique key vault name.
New-AzKeyVault -VaultName $keyVaultName `
    -Location $location `
    -ResourceGroupName $rgName `
    -EnabledForDiskEncryption
You get a warning from this command about no users having access.
WARNING: Access policy is not set. No user or app have access permission to use this vault. This warning can occur if the vault was created by a service principal. To set access policies, use Set-AzKeyVaultAccessPolicy.
The warning is fine, because you're only using the vault to store the encryption keys for the VM, and no users need to access this data.
Encrypt the disk
You're almost ready to encrypt the disks. Before you do, here's a warning about creating backups.
Important
If this were a production system, you'd need to back up the managed disks, either by using Azure Backup or by creating a snapshot. You can create snapshots in the Azure portal or through the command line. In PowerShell, you use the New-AzSnapshot cmdlet. Because this is a simple exercise and you're disposing of this data when you're done, you're going to skip this step.
To hold the key vault information, define a variable:
$keyVault = Get-AzKeyVault `
    -VaultName $keyVaultName `
    -ResourceGroupName $rgName
Next, to encrypt the VM disks, run the Set-AzVmDiskEncryptionExtension cmdlet:
- The VolumeType parameter lets you specify which disks to encrypt: [All | OS | Data]. It defaults to All. For some distributions of Linux, only data disks can be encrypted.
- You can supply the SkipVmBackup flag for managed disks if there's no snapshot.
Set-AzVmDiskEncryptionExtension `
    -ResourceGroupName $rgName `
    -VMName $vmName `
    -VolumeType All `
    -DiskEncryptionKeyVaultId $keyVault.ResourceId `
    -DiskEncryptionKeyVaultUrl $keyVault.VaultUri `
    -SkipVmBackup
The cmdlet warns you that the VM must be taken offline, and that the task can take several minutes to complete. Go ahead and let it continue:
Enable AzureDiskEncryption on the VM
This cmdlet prepares the VM and enables encryption which may reboot the machine and takes 10-15 minutes to finish. Please save your work on the VM before confirming.
Do you want to continue?
[Y] Yes  [N] No  [S] Suspend  [?] Help  (default is "Y"): Y
Once the cmdlet finishes running, check the encryption status again:
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
The OS disk should now be encrypted. Any attached data disks that are visible to Windows are also encrypted.
OsVolumeEncrypted          : Encrypted
DataVolumesEncrypted       : NoDiskFound
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : Provisioning succeeded
Note
New disks added after encryption won't be automatically encrypted. You can rerun the Set-AzVMDiskEncryptionExtension cmdlet to encrypt new disks. If you add disks to a VM whose disks have already been encrypted, make sure to provide a new sequence number. In addition, disks that aren't visible to the operating system won't be encrypted. The disk must be properly partitioned, formatted, and mounted for the BitLocker extension to see it.
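Because disks attached later are not encrypted automatically, a compliance check that reports on every VM in the resource group is useful after each change. The following PowerShell is an added example, not part of the original exercise; it assumes the $rgName and $keyVaultName variables from the steps above are still set and flags any VM whose OS volume is not encrypted or that has data disks attached but none reported as encrypted (the NoDiskFound case when a new disk is unpartitioned or was added after encryption).

```powershell
# Added example (not from the original exercise). Assumes $rgName and
# $keyVaultName are set as in the steps above.
$report = foreach ($vm in Get-AzVM -ResourceGroupName $rgName) {
    $status = Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vm.Name
    $dataDiskCount = $vm.StorageProfile.DataDisks.Count
    [pscustomobject]@{
        VM                = $vm.Name
        OsVolume          = $status.OsVolumeEncrypted
        DataVolumes       = $status.DataVolumesEncrypted
        AttachedDataDisks = $dataDiskCount
        # Attached data disks with a status other than Encrypted means a disk
        # was added after encryption, or is not yet partitioned/formatted/mounted.
        NeedsAttention    = ($status.OsVolumeEncrypted -ne 'Encrypted') -or
                            ($dataDiskCount -gt 0 -and $status.DataVolumesEncrypted -ne 'Encrypted')
    }
}
$report | Format-Table -AutoSize

# Confirm the vault used for the keys is still enabled for disk encryption.
$kv = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
if (-not $kv.EnabledForDiskEncryption) {
    Write-Warning "Key vault $keyVaultName is not enabled for disk encryption."
}
```

Any row with NeedsAttention set to True is a candidate for rerunning Set-AzVMDiskEncryptionExtension with a new sequence number once the disk is visible to the OS.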