In this article, I am going to walk through how to encrypt your Azure Virtual Machines, including ones with managed disks. By following this guide you will be able to stop the High Severity alerts from showing in Azure Security Center and be able to use Azure Backup to back up your VMs.

Configure Encryption Prerequisites

For us to be able to encrypt VMs we have to meet a few prerequisites first. Luckily Microsoft provides us with a script that will create all the necessary Azure resources. This will include a Key Vault if you do not specify an existing one. One thing to note is that the Key Vault must be in the same region as the VMs you want to encrypt. The script will also create an Azure Active Directory (AAD) application. This application will be used to write the secrets to the Key Vault. So let’s start preparing Azure for encryption.

Before you can go ahead with the steps below you will need to have the AzureRM PowerShell module installed. You can go here to find out how.

Download the script

Open PowerShell with elevated permissions and navigate to a location where you would like to store the script. In my case, I will be using c:\Scripts.

Now we can use the following commands to download the PowerShell script from Microsoft. It’s hosted on GitHub.

Invoke-WebRequest https://raw.githubusercontent.com/Azure/azure-powershell/master/src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/Scripts/AzureDiskEncryptionPreRequisiteSetup.ps1 -OutFile AzureDiskEncryptionPreRequisiteSetup.ps1

Run the Script

Before we run the script we need to find out your Azure subscription ID. First, log in to your Azure account using the following command.

Login-AzureRmAccount

Enter your Azure admin credentials.

You can use the following command to get a list of your subscriptions and their IDs.

Get-AzureRmSubscription

Take a note of your subscription ID, as you will need it for the next command. In the command below, change -SubscriptionID, -ResourceGroupName, -KeyVaultName, -location, and -AADAppName to your values.

./AzureDiskEncryptionPreRequisiteSetup.ps1 -SubscriptionID "e03cfa2a-c5a9-4f4e-afbd-462c181f761e" -ResourceGroupName "PixelEncrypt" -KeyVaultName "PixelEncrypt" -location "UK South" -AADAppName "PixelEncrypt"

As you can see in the image below, you need to take a note of the aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, and keyVaultResourceId. Save the information somewhere safe (the aadClientSecret is a credential, so treat it like a password rather than leaving it in a script) and then press Enter.

Create a Key Encryption Key

Navigate to the Azure Portal

Click All Services and find Key Vaults

Click on your Key Vault

Click Keys and then click Generate/Import

Enter a Name for your key and click Create

Click on your newly created key, then click on the version that is enabled and make a copy of the Key Identifier (this is the KEK URL used later).

That’s all of the prerequisites sorted. Time to actually encrypt a Virtual Machine.
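Before moving on, it is worth confirming the prerequisites actually hold. The following pre-flight check is an added example, not part of the original post or Microsoft's script; it assumes the AzureRM module is loaded, you are already signed in with Login-AzureRmAccount, and it uses the post's example resource names (PixelRobotsLab, PixelTest, PixelEncrypt, VMEncrypt), which you should replace with your own.

```powershell
# Added pre-flight check (not from the original post). Assumes AzureRM is loaded
# and Login-AzureRmAccount has already been run. Names are the post's examples.
$vmResourceGroup = "PixelRobotsLab"
$vmName          = "PixelTest"
$kvResourceGroup = "PixelEncrypt"
$kvName          = "PixelEncrypt"
$kekName         = "VMEncrypt"

$vm = Get-AzureRmVM -ResourceGroupName $vmResourceGroup -Name $vmName
$kv = Get-AzureRmKeyVault -ResourceGroupName $kvResourceGroup -VaultName $kvName

$problems = @()

# 1. The Key Vault must be in the same region as the VM (a hard requirement
#    of Azure Disk Encryption, as the post notes).
if ($vm.Location -ne $kv.Location) {
    $problems += "Key Vault is in '$($kv.Location)' but the VM is in '$($vm.Location)'."
}

# 2. The vault must allow the platform to read its secrets for disk encryption.
#    The prerequisite script sets this; verify it was not changed afterwards.
if (-not $kv.EnabledForDiskEncryption) {
    $problems += "Key Vault '$kvName' does not have EnabledForDiskEncryption set."
}

# 3. The Key Encryption Key must exist and its current version must be enabled,
#    otherwise Set-AzureRmVMDiskEncryptionExtension will fail to wrap the secret.
$kek = Get-AzureRmKeyVaultKey -VaultName $kvName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $problems += "Key '$kekName' was not found in vault '$kvName'."
} elseif (-not $kek.Attributes.Enabled) {
    $problems += "Key '$kekName' exists but its current version is disabled."
}

if ($problems.Count -eq 0) {
    # $kek.Id is the versioned Key Identifier, i.e. the value for -KeyEncryptionKeyUrl.
    Write-Output "Pre-flight OK. KEK URL to use: $($kek.Id)"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```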

Encrypt An Azure Virtual Machine

If you are following on from above you do not have to connect to Azure again. If you do need to connect, follow the steps under the Run the Script section above (logging in and selecting your subscription) but stop before running the prerequisite script.

Under the Disks section of your VM in the Azure portal, you will see that disk encryption is not enabled.

Let’s change that. In the elevated PowerShell window, copy the script below. Change the parameters to your values from above.

# Resource group and name of the VM to encrypt
$resourceGroupName = "PixelRobotsLab"
$vmName = "PixelTest"
# aadClientID and aadClientSecret as printed by the prerequisite script
$aadClientID = "54d64d1f-9dbf-4be3-92bc-30efbbe4f18f"
$aadClientSecret = "af031e75-c020-4ecd-89e6-74be50030bb7"
# diskEncryptionKeyVaultUrl and keyVaultResourceId as printed by the prerequisite script
$diskEncryptionKeyVaultUrl = "https://PixelEncrypt.vault.azure.net"
$keyVaultResourceId = "/subscriptions/e03cfa2a-c5a9-4f4e-afbd-462c181f761e/resourceGroups/PixelEncrypt/providers/Microsoft.KeyVault/vaults/PixelEncrypt"
# Key Identifier of the enabled KEK version copied from the portal
$KEKUrl = "https://pixelencrypt.vault.azure.net/keys/VMEncrypt/9769d3510bbb45a9a0f2843b9a5eaaff"
# Enable encryption for both the OS and data volumes; the VM reboots during this step
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $KEKUrl -VolumeType All

This will take some time and your VM will reboot, so make sure you do it in a maintenance window. Once the encryption has finished, you can navigate back to the Disks section under your VM in the Azure portal and you will see that the disk is encrypted.
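Rather than refreshing the portal, you can wait for the encryption to complete and confirm the result from PowerShell. This is an added example and not code from the original post; it assumes AzureRM is loaded, you are signed in, and it reuses the post's example VM name and KEK URL, which you should replace with your own.

```powershell
# Added post-encryption check (not from the original post). Assumes AzureRM is
# loaded and you are signed in. Values are the post's examples; replace them.
$resourceGroupName = "PixelRobotsLab"
$vmName            = "PixelTest"
$expectedKekUrl    = "https://pixelencrypt.vault.azure.net/keys/VMEncrypt/9769d3510bbb45a9a0f2843b9a5eaaff"
$deadline          = (Get-Date).AddMinutes(60)   # assumed maintenance-window budget

# Poll the extension status until the OS volume reports Encrypted or we time out.
do {
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName
    $done = ($status.OsVolumeEncrypted -eq 'Encrypted')
    if (-not $done) {
        Write-Output "Still in progress: $($status.ProgressMessage)"
        Start-Sleep -Seconds 60
    }
} until ($done -or (Get-Date) -gt $deadline)

if (-not $done) {
    throw "Encryption did not finish before the deadline. Last status: $($status.ProgressMessage)"
}

Write-Output "OS volume:    $($status.OsVolumeEncrypted)"
# A VM with no data disks will not report Encrypted here, so it is shown rather than enforced.
Write-Output "Data volumes: $($status.DataVolumesEncrypted)"

# Confirm the VM's encryption settings reference the KEK you expect, since that is
# the key the Backup Management Service is later granted access to. The property
# path below is assumed from the AzureRM status object.
$kekInUse = $status.OsVolumeEncryptionSettings.KeyEncryptionKey.KeyUrl
if ($kekInUse -ne $expectedKekUrl) {
    Write-Warning "VM references KEK '$kekInUse' but '$expectedKekUrl' was expected."
} else {
    Write-Output "KEK matches: $kekInUse"
}
```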

Set permissions for the Backup Management Service

In the Azure portal, navigate to Key Vaults and then click your Key Vault. Locate Access policies and click it.

Click the Add new button

Under Configure from template, select Azure Backup and click OK.

Now click the Save button.

You should now be able to back up the encrypted VM using the KEK (Key Encryption Key).

Decrypt Azure Virtual Machine

If you need to remove the disk encryption you can use the following command. Just make sure you change it to match your details. Like enabling encryption, this runs against a live VM, so do it in a maintenance window.

Disable-AzureRmVMDiskEncryption -ResourceGroupName "PixelRobotsLab" -VMName "PixelTest" -VolumeType All

That’s it! You have now enabled encryption using a Key Encryption Key, encrypted a virtual machine, and given the backup service access to your KEK. I hope you found this article helpful. If you have any questions please leave a comment below.


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
