What is Azure Disk Encryption
The intention of this post is to throw some light on Azure Disk Encryption and it’s features.
So Let’s talk a little about disk encryption.
Why Azure Disk Encryption ?
Enterprises need to make sure that they meet the security standards and comply to those requirements. Microsoft Azure Disk encryption makes sure that you conform to and ensure that all these safety and security measures are taken care of while maintaining the sanctity of the data.
Azure Disk Encryption is a service in Azure that allows you to encrypt your Windows and Linux IaaS virtual machines. BitLocker for windows and DM-Crypt for Linux VM’s are the features used, both of which are existing industry standards, to encrypt the OS disk volumes and Data volumes in your virtual machines.
The scenarios which are supported by Azure disk encryption are
- Encryption of already running VM’s in your azure subscription.
- Encryption of the virtual hard drives of your on-premise VM’s.
Today, In this post we are going to discuss encryption of an existing Windows IaaS Virtual Machine.
There are two methods by which we can encrypt the Virtual Machines.
1.) Using the ARM templates
2.) Using PowerShell 1.0.2 or above
Using the ARM templates is a pretty easy method. Just deploy the template from the git repo and you are done.
But, before we actually start encrypting our Virtual Machines, we should create an application in Azure AD within the same subscription as that of the virtual machine we are intending to encrypt.
After the application is created, an Azure Key Vault is also necessary to store and retrieve all the secrets associated with the application and the bit locket encryption keys. Therefore we also need to create an Azure Key Vault.
Once we create the application in Azure AD, we have a client ID and a Client Secret. This is similar to a login ID and password if we were to use an already existing application for example twitter. The Azure Disk Encryption extension will need to use these credentials to retrieve secrets from the Key Vault to begin encryption on the VM. The client ID and Client secret can be obtained while creating an application in the portal(only possible through management portal right now) or through the PowerShell. After we create the application, we can obtain the client ID and client secret.
Once, all these are ready we start encryption using the ARM template or the PowerShell.
An ARM template can be deployed to the ARM portal, where we select the name of the virtual machine we want to encrypt and supply the client ID and client secret that we obtained while creating an application. The result is we have a virtual machine with encrypted OS and volume disks. The volume disk parameter can be changed to ‘OS’ or ‘Disk’ or ‘All’ depending on which volume disk we want to encrypt.
The PowerShell cmdlets also allow us to encrypt the volumes through the cmdlet
Set-AzureRmVMDiskEncryptionExtension with the parameters -ResourceGroupName <resourcegrp name>VMName <VM name> AadClientID <client ID> AadClientSecret <client secret> -DiskEncryptionKeyVaultUrl <url of the keyvault> -DiskEncryptionKeyVaultId <resource ID of the keyvault>.
After the encryption you can rdp into the Virtual Machine and voila, all your disk volumes are encrypted.