Encrypting Azure VMs in the ARM portal with PowerShell


The old way (ASM) of Encrypting Disks is out, the new way is here!!

Below is a quick guide to encrypting a VM that is already running in Azure, using PowerShell, without having to create anything by hand (who does anything manually nowadays anyway?). Azure Disk Encryption needs a Key Vault to hold the disk keys and an Azure AD App that the VM's encryption extension can authenticate as, so the script creates both and then turns on encryption.

Here is my VM; as you can see, it is not enabled for Disk Encryption.


The first part of this PowerShell script creates a Resource Group, a Key Vault in that group (enabled for disk encryption), and an Azure AD App with a client secret. The App is the identity the VM's encryption extension uses when it writes the disk encryption keys into the vault, so it is also given an access policy on the vault.

# Script Created by Craig Cloud IT Pro v.02 #
$kvName = 'CraigKeyVault'
$rgName = 'CraigRG'
$location = 'West Europe'
$aadClientSecret = 'CraigClientSecret'   # demo value only; do not keep a real client secret in a script
$appDisplayName = 'CraigEncryptApp'
# Resource Group and Key Vault. The vault must be in the same region as the VM you are going to encrypt.
New-AzureRmResourceGroup -Name $rgName -Location $location
New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location
# Lets the Azure platform read the disk encryption secrets stored in this vault
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName -EnabledForDiskEncryption
# Azure AD App (and its service principal) that the VM's encryption extension authenticates as.
# Newer AzureRM.Resources versions expect -Password as a SecureString rather than a plain string.
$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName -HomePage 'http://homepageCraigEncryptApp' -IdentifierUris 'http://uriCraigEncryptApp' -Password $aadClientSecret
$appID = $aadApp.ApplicationId
$aadServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $appID
# 'all' is more than disk encryption needs: wrapKey on keys and set on secrets is enough for the extension
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $appID -PermissionsToKeys all -PermissionsToSecrets all

As you can see, my Key Vault has been deployed into its own RG in the Portal.


If you open the Azure AD blade and click "App registrations", you'll see your AAD App.

The second part of the PowerShell script enables encryption on the VM. My VM isn't in the same RG as the Key Vault, which is fine: disk encryption requires the vault and the VM to be in the same region and subscription, not the same Resource Group.

# Script Created by Craig Cloud IT Pro v.02 #
$kvName = 'CraigKeyVault'
$rgName = 'CraigRG'
$aadClientSecret = 'CraigClientSecret'
$vmName = 'vmdv-01'
$VmRG = "RG-VMs"
# $appID was set by the first script and only survives in the same PowerShell session;
# look the App up again by its identifier URI so this part also works on its own
$appID = (Get-AzureRmADApplication -IdentifierUri 'http://uriCraigEncryptApp').ApplicationId
$kv = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName
$kvUri = $kv.VaultUri
$kvRID = $kv.ResourceId
# Installs the disk encryption extension on the VM. The VM may be rebooted, and the volumes
# keep encrypting in the background for a while after the extension itself reports success.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $VmRG -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID
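The two parts above as one end-to-end run, written here as an added example rather than the post's own script. It uses the same AzureRM cmdlets (AzureRM.Resources, AzureRM.KeyVault, AzureRM.Compute) but prompts for the client secret instead of hard-coding it, checks the VM and vault are in the same region before creating anything, grants the AAD App only the wrapKey and set rights disk encryption needs, and polls the VM's encryption status rather than watching the Extensions blade. The names, URI and resource groups are placeholders taken from the post; pick your own. Note that later versions of Azure Disk Encryption (and the Az module's Set-AzVMDiskEncryptionExtension) no longer need the AAD App at all, so treat this as the AAD-App flavour the post describes.

```powershell
# Added example (not the original post's script): both parts of the post in one run.
param(
    [string]$KvName           = 'CraigKeyVault',
    [string]$KvRgName         = 'CraigRG',
    [string]$Location         = 'West Europe',
    [string]$AppDisplayName   = 'CraigEncryptApp',
    [string]$AppIdentifierUri = 'http://uriCraigEncryptApp',   # placeholder URI
    [string]$VmName           = 'vmdv-01',
    [string]$VmRgName         = 'RG-VMs'
)
$ErrorActionPreference = 'Stop'

# Read the client secret once, as a SecureString, so it never sits in the script or history.
$secureSecret = Read-Host -Prompt 'Client secret for the AAD app' -AsSecureString
# The encryption extension cmdlet only accepts the secret as plain text, so unwrap it for that one call.
$plainSecret = (New-Object System.Management.Automation.PSCredential('app', $secureSecret)).GetNetworkCredential().Password

# Disk encryption requires the VM and the Key Vault to be in the same region; fail early if not.
$normalise = { param($loc) ($loc -replace '\s', '').ToLowerInvariant() }
$vm = Get-AzureRmVM -ResourceGroupName $VmRgName -Name $VmName
if ((& $normalise $vm.Location) -ne (& $normalise $Location)) {
    throw "VM '$VmName' is in $($vm.Location) but the vault would be in $Location; they must be in the same region"
}

# Part 1: Resource Group and a Key Vault that the platform may use for disk encryption.
New-AzureRmResourceGroup -Name $KvRgName -Location $Location | Out-Null
$kv = New-AzureRmKeyVault -VaultName $KvName -ResourceGroupName $KvRgName -Location $Location -EnabledForDiskEncryption

# AAD App and service principal the VM's encryption extension authenticates as.
# (AzureRM.Resources 5.x and later take -Password as a SecureString; older builds took a plain string.)
$aadApp = New-AzureRmADApplication -DisplayName $AppDisplayName -HomePage "http://$AppDisplayName" `
    -IdentifierUris $AppIdentifierUri -Password $secureSecret
$appId = $aadApp.ApplicationId
New-AzureRmADServicePrincipal -ApplicationId $appId | Out-Null

# Least privilege: the extension wraps the disk key and stores a secret, nothing else.
Set-AzureRmKeyVaultAccessPolicy -VaultName $KvName -ResourceGroupName $KvRgName -ServicePrincipalName $appId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# Part 2: enable encryption. -Force skips the reboot confirmation so the script runs unattended.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $VmRgName -VMName $VmName `
    -AadClientID $appId -AadClientSecret $plainSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force
$plainSecret = $null

# The cmdlet returns when the extension is provisioned, but the volumes finish encrypting afterwards,
# so poll the VM's reported encryption state (what the Disks blade shows) with a 30 minute ceiling.
$deadline = (Get-Date).AddMinutes(30)
do {
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $VmRgName -VMName $VmName
    Write-Host ('{0}  OS: {1}  Data: {2}  {3}' -f (Get-Date -Format T), $status.OsVolumeEncrypted, $status.DataVolumesEncrypted, $status.ProgressMessage)
    if ($status.OsVolumeEncrypted -eq 'Encrypted') { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    throw "OS volume of '$VmName' not reported Encrypted within 30 minutes; check the VM's Extensions blade"
}
Write-Host "Disk encryption enabled on '$VmName' using vault $($kv.VaultUri)"
```

Run it from a session that is already signed in with Login-AzureRmAccount and has the right subscription selected. The region check compares the VM's location to the location the vault is about to be created in, because the only thing the post's second script relies on from the first is a vault in the right place and an App ID, and both are created in this same run.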

Under the VM's Extensions blade, you'll see the disk encryption extension with the Status "Transitioning".


After 10 or so minutes, you'll see the Status change to "Provisioning Succeeded".


Your PowerShell script will then complete.


Check back on the VM's "Disks" blade, and Encryption will show as Enabled.


This solution is so much easier than the old ASM way.

