
The old way (ASM) of Encrypting Disks is out, the new way is here!!

Below is a short guide to encrypting a VM that is already running in Azure (Resource Manager) with PowerShell, without creating anything by hand in the portal (who does anything manually nowadays anyway?).

Here is my VM; as you can see, Disk Encryption is not enabled on it.


The first part of the PowerShell script creates a Resource Group, a Key Vault inside it, an Azure AD application with a client secret, and a service principal for that application, then grants the application access to the vault. The AAD application is what the disk encryption extension uses to write the disk encryption keys into the Key Vault.

# Script Created by Craig Cloud IT Pro v.02 #
Login-AzureRmAccount
$kvName = 'CraigKeyVault'
$rgName = 'CraigRG'
$location = 'West Europe'
# Example value only: use a long, generated secret, and keep it out of scripts and source control
$aadClientSecret = 'CraigClientSecret'
$appDisplayName = 'CraigEncryptApp'
 
New-AzureRmResourceGroup -Name $rgName -Location $location
New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location
 
# Allows the Azure Compute platform to read disk encryption secrets from this vault when the VM boots
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName -EnabledForDiskEncryption
 
# HomePage and IdentifierUris are placeholders; they only have to be unique within the tenant.
# Newer AzureRM builds expect -Password as a SecureString (ConvertTo-SecureString) rather than a plain string.
$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName -HomePage 'http://homepageCraigEncryptApp' -IdentifierUris 'http://uriCraigEncryptApp' -Password $aadClientSecret
 
$appID = $aadApp.ApplicationId   # reused by the second part of the script
 
$aadServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $appID
 
# 'all' is broader than the extension needs: it only requires wrapKey on keys and set on secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $appID -PermissionsToKeys all -PermissionsToSecrets all
 

As you can see, my Key Vault has been deployed into its own RG in the Portal.


If you open the Azure AD blade and click "App registrations", you'll see the AAD App.

The second part of the PowerShell script enables encryption on the VM. The VM does not have to live in the same RG as the Key Vault (mine doesn't); the VM is restarted while the OS disk is encrypted, so take a backup or snapshot first.

# Script Created by Craig Cloud IT Pro v.02 #
$kvName = 'CraigKeyVault'
$rgName = 'CraigRG'
$aadClientSecret = 'CraigClientSecret'
$appDisplayName = 'CraigEncryptApp'
$vmName = 'vmdv-01'
$VmRG = "RG-VMs"
 
# $appID is only set if the first part ran in this session; look the app up by display name so this part also runs on its own
if (-not $appID) {
    $appID = (Get-AzureRmADApplication -DisplayNameStartWith $appDisplayName).ApplicationId
}
 
$kv = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName
$kvUri = $kv.VaultUri
$kvRID = $kv.ResourceId
 
# Installs the Azure Disk Encryption extension on the VM; it stores the disk encryption secret in $kvName
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $VmRG -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID
 

Under the VM Extensions blade, you’ll see the Status “Transitioning”


After 10 or so minutes, you’ll see the Status change to “Provisioning Succeeded”


Your PowerShell script will then complete and return.


Check back on the VM's "Disks" blade and Encryption will show as enabled. Keep the Key Vault and the secret the extension wrote into it: the OS disk can only be unlocked with that secret, so deleting the vault means losing the VM.

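Rather than waiting on the portal, the same check can be scripted. The following is an added example and not code from the original post: it polls Get-AzureRmVMDiskEncryptionStatus until the OS volume reports Encrypted, prints the Key Vault secret the disk is bound to, and tightens the AAD application's vault policy to the two permissions the extension actually uses (wrapKey on keys, set on secrets). The vault, RG, VM and app names are reused from the post; the Wait-AdeEncryption function and its timeout are my own, and the property names read from the status object (OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage, OsVolumeEncryptionSettings) are those the AzureRM.Compute module returns.

```powershell
# Added example (not from the original post): verify Azure Disk Encryption from PowerShell
# and reduce the AAD app's Key Vault policy to least privilege.
$vmName         = 'vmdv-01'        # names reused from the post
$VmRG           = 'RG-VMs'
$kvName         = 'CraigKeyVault'
$rgName         = 'CraigRG'
$appDisplayName = 'CraigEncryptApp'

# Resolve the app ID by display name so this runs in a fresh session
$appID = (Get-AzureRmADApplication -DisplayNameStartWith $appDisplayName).ApplicationId

# Least privilege: the encryption extension only wraps keys and sets secrets in the vault
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName `
    -ServicePrincipalName $appID -PermissionsToKeys wrapKey -PermissionsToSecrets set

function Wait-AdeEncryption {
    # Polls the VM's encryption status (hypothetical helper, not an AzureRM cmdlet)
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
        Write-Host ("{0}  OS: {1}  Data: {2}  {3}" -f (Get-Date -Format 'HH:mm:ss'),
            $status.OsVolumeEncrypted, $status.DataVolumesEncrypted, $status.ProgressMessage)
        if ($status.OsVolumeEncrypted -eq 'Encrypted') { return $status }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for the OS disk of $VMName to encrypt"
}

$status = Wait-AdeEncryption -ResourceGroupName $VmRG -VMName $vmName

# The Key Vault secret holding the OS volume's encryption key; the VM cannot boot without it
$status.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl

# Confirm the vault is still enabled for disk encryption and list the secrets the extension created
$kv = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName
"EnabledForDiskEncryption: $($kv.EnabledForDiskEncryption)"
Get-AzureRmKeyVaultSecret -VaultName $kvName | Select-Object Name, Created, Enabled
```

On a Windows VM the OS volume usually flips to Encrypted within the 10 minutes the post mentions; data volumes are reported separately in DataVolumesEncrypted and can lag behind, so check both before treating the VM as encrypted.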

This solution is so much easier than the old ASM way
