The old way (ASM) of Encrypting Disks is out, the new way is here!!

Below is a simple and quick guide on how to easily encrypt a VM currently running in Azure utilizing PowerShell without the need to manually create anything (who does anything manually nowadays anyway?)

Here is my VM, as you can see it’s not enabled for Disk Encryption


The first part of this PowerShell script will create a Key Vault, Resource Group for that Key Vault, an Azure AD App and Secret

# Script Created by Craig Cloud IT Pro v.02 #
$kvName = 'CraigKeyVault'
$rgName = 'CraigRG'
$location = 'West Europe'
$aadClientSecret = 'CraigClientSecret'   # client secret for the AAD app; it sits in clear text in this script, so keep the file out of source control
$appDisplayName = 'CraigEncryptApp'
# Resource Group and Key Vault, with the vault flagged so the Azure platform may read disk-encryption secrets from it
New-AzureRmResourceGroup -Name $rgName -Location $location
New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName -EnabledForDiskEncryption
# AAD App plus Service Principal; the VM extension authenticates to the vault as this identity
$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName -HomePage 'http://homepageCraigEncryptApp' -IdentifierUris 'http://uriCraigEncryptApp' -Password $aadClientSecret
$appID = $aadApp.ApplicationId
$aadServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $appID
# Grant the app access to keys and secrets in the vault (the second script reuses $appID)
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ServicePrincipalName $appID -PermissionsToKeys all -PermissionsToSecrets all

As you can see my Key Vault has been deployed into its own RG in the Portal


If you open the Azure AD blade, and click “App registrations” you’ll see your AAD App
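For a vault that is going to hold disk-encryption secrets, the quick version above can be tightened in three places: the client secret is hard-coded, the app gets "all" on keys and secrets, and the BitLocker/dm-crypt secret is stored unwrapped. The following is an added example, not Craig's script or anything from Microsoft's docs verbatim, of the same first part hardened. It assumes an AzureRM release where `New-AzureRmKeyVault` has `-EnableSoftDelete` and `New-AzureRmADApplication -Password` takes a SecureString; the vault, app, and key names are illustrative and the KEK step goes beyond what the post itself covers.

```powershell
# Added example (not part of the original post): hardened variant of part one.
# Assumes: AzureRM module with -EnableSoftDelete on New-AzureRmKeyVault and a
# SecureString -Password on New-AzureRmADApplication. Names are illustrative.
$kvName         = 'CraigKeyVault'
$rgName         = 'CraigRG'
$location       = 'West Europe'
$appDisplayName = 'CraigEncryptApp'
$kekName        = 'CraigDiskKEK'

# 1. Draw the client secret from a CSPRNG instead of typing it into the script.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$aadClientSecret = [Convert]::ToBase64String($bytes)
$secureSecret    = ConvertTo-SecureString -String $aadClientSecret -AsPlainText -Force

New-AzureRmResourceGroup -Name $rgName -Location $location
# Soft delete keeps an accidentally deleted vault (and the disk secrets in it) recoverable;
# losing those secrets means losing the encrypted disks.
New-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName -Location $location -EnableSoftDelete
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName -EnabledForDiskEncryption

$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName `
    -HomePage 'http://homepageCraigEncryptApp' -IdentifierUris 'http://uriCraigEncryptApp' `
    -Password $secureSecret
$appID = $aadApp.ApplicationId
New-AzureRmADServicePrincipal -ApplicationId $appID | Out-Null

# 2. Least privilege: the disk-encryption app only needs to write secrets and wrap keys.
Set-AzureRmKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName `
    -ServicePrincipalName $appID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set'

# 3. Keep the client secret in the vault rather than in a script file or shell history.
Set-AzureRmKeyVaultSecret -VaultName $kvName -Name "$appDisplayName-ClientSecret" `
    -SecretValue $secureSecret | Out-Null

# 4. A key encryption key (KEK) wraps the per-VM disk secret, so the stored secret is
#    unusable without wrap/unwrap access to this key.
$kek    = Add-AzureRmKeyVaultKey -VaultName $kvName -Name $kekName -Destination 'Software'
$kekUrl = $kek.Key.Kid

"App ID: $appID"
"KEK URL (pass as -KeyEncryptionKeyUrl, with -KeyEncryptionKeyVaultId, to Set-AzureRmVMDiskEncryptionExtension): $kekUrl"
```

When the second part runs with the KEK, `Set-AzureRmVMDiskEncryptionExtension` takes `-KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $kv.ResourceId` in addition to the parameters already shown in the post; `-Destination 'HSM'` in step 4 puts the KEK in an HSM-backed vault SKU instead of software.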

The second part of the PowerShell Script enables encryption on the VM (my VM isn’t located in the same RG as the Key Vault)

# Script Created by Craig Cloud IT Pro v.02 #
$kvName = 'CraigKeyVault'
$rgName = 'CraigRG'
$aadClientSecret = 'CraigClientSecret'
$vmName = 'vmdv-01'
$VmRG = "RG-VMs"
# $appID was set by the first script; look it up again so this part also works in a fresh session
$appID = (Get-AzureRmADApplication -IdentifierUri 'http://uriCraigEncryptApp').ApplicationId
$kv = Get-AzureRmKeyVault -VaultName $kvName -ResourceGroupName $rgName
$kvUri = $kv.VaultUri
$kvRID = $kv.ResourceId
# Installs the disk-encryption extension on the VM and points it at the vault; the VM is restarted as part of this
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $VmRG -VMName $vmName -AadClientID $appID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $kvUri -DiskEncryptionKeyVaultId $kvRID

Under the VM Extensions blade, you’ll see the Status “Transitioning”


After 10 or so minutes, you’ll see the Status change to “Provisioning Succeeded”


Your PowerShell Script will be completed


Check back on your “Disk” blade, and Encryption will be enabled
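The Portal check scales to one VM at a time. As an added example, not code from the original post, here is the same check scripted with `Get-AzureRmVMDiskEncryptionStatus` across a whole resource group, so it can run from a runbook or pipeline and fail when a VM is still in clear text. It assumes the AzureRM module and uses the post's resource group name "RG-VMs"; the function name is my own.

```powershell
# Added example (not from the original post): scripted version of the "Disk" blade check.
# Assumes the AzureRM module; 'RG-VMs' is the resource group used in the post.
$VmRG = 'RG-VMs'

function Get-VmEncryptionReport {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    foreach ($vm in Get-AzureRmVM -ResourceGroupName $ResourceGroupName) {
        $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $vm.Name
        # OsVolumeEncrypted / DataVolumesEncrypted report values such as
        # Encrypted, NotEncrypted, EncryptionInProgress, NotMounted, VMRestartPending.
        # A VM without data disks never reports Encrypted for data volumes, so only an
        # explicit NotEncrypted there is treated as a finding; the OS disk must be Encrypted.
        [pscustomobject]@{
            VMName    = $vm.Name
            OsDisk    = $status.OsVolumeEncrypted
            DataDisks = $status.DataVolumesEncrypted
            Progress  = $status.ProgressMessage
            Compliant = ($status.OsVolumeEncrypted -eq 'Encrypted') -and
                        ($status.DataVolumesEncrypted -ne 'NotEncrypted')
        }
    }
}

$report = Get-VmEncryptionReport -ResourceGroupName $VmRG
$report | Format-Table -AutoSize

# Non-zero exit so a scheduled job or pipeline step surfaces unencrypted VMs.
$findings = $report | Where-Object { -not $_.Compliant }
if ($findings) {
    Write-Warning ('VMs not fully encrypted: ' + ($findings.VMName -join ', '))
    exit 1
}
```

While the extension is still "Transitioning", the OS disk shows EncryptionInProgress (or VMRestartPending) and the VM is reported as non-compliant; re-run the report once the extension reaches "Provisioning Succeeded".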


This solution is so much easier than the old ASM way