
Recently at work I have been playing with Azure virtual machine scale sets (VMSS). On 03/04/2019 encryption of VMSS finally went GA! Using PowerShell and the Azure CLI you can now encrypt virtual machine scale sets.

Prerequisites

To be able to encrypt a VMSS you need to have a Key Vault and a virtual machine scale set already created in the same region. You will also need to know the name of the resource group each resource resides in.

You can read more about the prerequisites at https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites

The How to

Below I will go through the PowerShell and Azure CLI methods to encrypt a VMSS.

Using PowerShell

To encrypt a running virtual machine scale set, in a PowerShell window connect to Azure and select your subscription. You can use my subscription selector for this. https://pixelrobots.co.uk/2019/04/new-and-improved-powershell-azure-subscription-selector/

Then edit the below code to match your resource names and run it.

$KVRGname = 'PixelRobots-KV-UKS';       # Resource group of the Key Vault
$VMSSRGname = 'PixelRobots-VMSS-UKS';   # Resource group of the scale set
$VmssName = 'pixelrobotsvmss';          # Scale set name
$KeyVaultName = 'PixelRobots-VMSS-KV-UKS';
## Do not edit below this line.
# Look up the vault once so its URI and resource ID can be passed to the extension.
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
# Enable the Azure Disk Encryption extension on the scale set model; the disk encryption secret is stored in the vault.
Set-AzVmssDiskEncryptionExtension -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;
PowerShell encrypt without KEK

If you want to be more secure, and who does not, you can encrypt your VMSS using a key encryption key (KEK) in Key Vault to wrap the disk encryption key. Use the following PowerShell code to do this. Just make sure you edit the code to match your resources.

$KVRGname = 'PixelRobots-KV-UKS';       # Resource group of the Key Vault
$VMSSRGname = 'PixelRobots-VMSS-UKS';   # Resource group of the scale set
$VmssName = 'pixelrobotsvmss';          # Scale set name
$KeyVaultName = 'PixelRobots-VMSS-KV-UKS';
$keyEncryptionKeyName = "VMSSEncryptionKey";  # Name of the existing KEK in the vault
## Do not edit below this line.
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
# The KEK URL (the key identifier, including its version) tells the extension which key wraps the disk encryption secret.
$KeyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
Set-AzVmssDiskEncryptionExtension -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;
PowerShell encrypt with KEK

To check the status of the encryption you can use the following command.

Get-AzVmssVMDiskEncryption -ResourceGroupName "PixelRobots-VMSS-UKS" -VMScaleSetName "pixelrobotsvmss"

If you see NotEncrypted, the instances are still running the previous scale set model (without the encryption extension); you will need to either wait for your scale set to upgrade to the latest model or perform a manual upgrade.

PowerShell check encryption state

To disable the encryption use the following command.

Disable-AzVmssDiskEncryption -ResourceGroupName "PixelRobots-VMSS-UKS" -VMScaleSetName "pixelrobotsvmss"
PowerShell disable encryption

Again, the change only takes effect on instances running the latest model, so you will need to either wait for your scale set to upgrade or perform a manual upgrade.
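The post tells you to "perform a manual upgrade" when instances still report NotEncrypted but does not show that step. The script below is an added example, not code from the original post: it enables encryption with a KEK, then finds the instances that are not yet on the latest scale set model, upgrades only those, and prints the per-instance encryption state for you to confirm. It assumes the Az PowerShell module (Get-AzVmssVM, Update-AzVmssInstance and the cmdlets already used in the post) and that you are connected with Connect-AzAccount. The resource names are the post's examples; the 30-minute timeout is my own choice.

```powershell
# Added example (not the original post's code). Assumes the Az module and an active session.
$KVRGname             = 'PixelRobots-KV-UKS'
$VMSSRGname           = 'PixelRobots-VMSS-UKS'
$VmssName             = 'pixelrobotsvmss'
$KeyVaultName         = 'PixelRobots-VMSS-KV-UKS'
$KeyEncryptionKeyName = 'VMSSEncryptionKey'

# Fail early if the vault or the KEK cannot be read; a typo here otherwise surfaces as an extension error later.
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname
$Kek      = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyEncryptionKeyName
if (-not $KeyVault -or -not $Kek) {
    throw "Key Vault '$KeyVaultName' or key '$KeyEncryptionKeyName' not found (check names and access policy)."
}

# Enable Azure Disk Encryption on the scale set model, wrapping the disk encryption secret with the KEK.
# -Force suppresses the interactive confirmation so the script can run unattended.
Set-AzVmssDiskEncryptionExtension -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -KeyEncryptionKeyUrl $Kek.Key.kid -KeyEncryptionKeyVaultId $KeyVault.ResourceId -Force

# Instances still on an older model do not have the extension yet; upgrade just those instead of "*"
# so instances that already picked up the model are not needlessly reimaged.
$Stale = Get-AzVmssVM -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName |
    Where-Object { -not $_.LatestModelApplied } |
    Select-Object -ExpandProperty InstanceId
if ($Stale) {
    Write-Host "Upgrading instances not on the latest model: $($Stale -join ', ')"
    Update-AzVmssInstance -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName -InstanceId $Stale
} else {
    Write-Host "All instances already run the latest model."
}

# Wait (with a timeout) until no instance lags behind the model, then show the encryption state per instance.
$Deadline = (Get-Date).AddMinutes(30)
while ((Get-Date) -lt $Deadline) {
    $Lagging = Get-AzVmssVM -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName |
        Where-Object { -not $_.LatestModelApplied }
    if (-not $Lagging) { break }
    Start-Sleep -Seconds 30
}
Get-AzVmssVMDiskEncryption -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName | Format-List
```

Upgrading only the instances whose LatestModelApplied is false is what makes the script safe to rerun: a second run finds nothing stale, skips the reimage, and just prints the state. If any instance still shows NotEncrypted after the loop, the extension has been applied but the in-guest encryption is still in progress; check again rather than re-enabling.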

Azure CLI

To encrypt a running virtual machine scale set, in a PowerShell window connect to Azure and select your subscription using az login.

Then edit the below code to match your resources. For the key vault you will need to use the full resource ID path.

az vmss encryption enable --resource-group "PixelRobots-VMSS-UKS" --name "pixelrobotsvmss" --disk-encryption-keyvault "/subscriptions/*****/resourceGroups/PixelRobots-KV-UKS/providers/Microsoft.KeyVault/vaults/PixelRobots-VMSS-KV-UKS"
Azure CLI encrypt without KEK

Again, if you want to be more secure, and who does not, you can encrypt your VMSS using a key encryption key (KEK) in Key Vault to wrap the disk encryption key. Use the following code to do this. Just make sure you edit the code to match your resources.

az vmss encryption enable --resource-group "PixelRobots-VMSS-UKS" --name "pixelrobotsvmss" --disk-encryption-keyvault "/subscriptions/****/resourceGroups/PixelRobots-KV-UKS/providers/Microsoft.KeyVault/vaults/PixelRobots-VMSS-KV-UKS" --key-encryption-key "VMSSEncryptionKey" --key-encryption-keyvault "/subscriptions/****/resourceGroups/PixelRobots-KV-UKS/providers/Microsoft.KeyVault/vaults/PixelRobots-VMSS-KV-UKS"
Azure CLI encrypt with KEK

To check the status of the encryption you can use the following command.

If you see "displayStatus": "Disk is not encrypted", then you will either have to wait for the automatic upgrade, if set, or manually upgrade the instances to the latest model. To do this use the command

Then if you check again you will see that the VMSS is encrypted.

Azure CLI check encryption status

To remove the encryption use the following command.

az vmss encryption disable --resource-group "PixelRobots-VMSS-UKS" --name "pixelrobotsvmss"
Azure CLI disable encryption

And that's it, you have now encrypted a virtual machine scale set.

If you would like to do this using ARM templates you can have a look at this quick start template. https://github.com/Azure/azure-quickstart-templates/tree/master/201-encrypt-running-vmss-windows

I know I am happy this feature has become GA and I hope you are too. If you have any questions or issues please reach out.


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
