Recently at work I have been playing with Azure virtual machine scale sets (VMSS). On 03/04/2019 encryption of VMSS finally went GA! Using PowerShell and the Azure CLI you can now encrypt virtual machine scale sets.
Prerequisites
To be able to encrypt a VMSS you need to have a Key Vault and a virtual machine scale set already created in the same region. You will also need to know the name of the resource group each resource resides in.
You can read more about the prerequisites at https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites
The How to
Below I will go through the PowerShell and Azure CLI methods to encrypt a VMSS.
Using PowerShell
To encrypt a running virtual machine scale set, in a PowerShell window connect to Azure and select your subscription. You can use my subscription selector for this. https://pixelrobots.co.uk/2019/04/new-and-improved-powershell-azure-subscription-selector/
Then edit the below code to match your resource names and run it.
$KVRGname = 'PixelRobots-KV-UKS';
$VMSSRGname = 'PixelRobots-VMSS-UKS';
$VmssName = 'pixelrobotsvmss';
$KeyVaultName = 'PixelRobots-VMSS-KV-UKS';
## Do not edit below this line.
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
Set-AzVmssDiskEncryptionExtension -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;

If you want to be more secure, and who does not, you can encrypt your VMSS using a key encryption key (KEK) in Key Vault to wrap the disk encryption key. Use the following PowerShell code to do this. Just make sure you edit the code to match your resources.
$KVRGname = 'PixelRobots-KV-UKS';
$VMSSRGname = 'PixelRobots-VMSS-UKS';
$VmssName = 'pixelrobotsvmss';
$KeyVaultName = 'PixelRobots-VMSS-KV-UKS';
$keyEncryptionKeyName = "VMSSEncryptionKey";
## Do not edit below this line.
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname;
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
## The KEK URL is the key identifier (kid) of the key in Key Vault.
$KeyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;
Set-AzVmssDiskEncryptionExtension -ResourceGroupName $VMSSRGname -VMScaleSetName $VmssName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;

To check the status of the encryption you can use the following command.
Get-AzVmssVMDiskEncryption -ResourceGroupName "PixelRobots-VMSS-UKS" -VMScaleSetName "pixelrobotsvmss"
If you see NotEncrypted you will need to either wait for your scale set to upgrade to the latest model or perform a manual upgrade.

To disable the encryption use the following command.
Disable-AzVmssDiskEncryption -ResourceGroupName "PixelRobots-VMSS-UKS" -VMScaleSetName "pixelrobotsvmss"

Again, you will need to either wait for your scale set to upgrade to the latest model or perform a manual upgrade.
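Both the NotEncrypted result after enabling and the stale status after disabling come from instances that have not yet picked up the latest scale set model. The script below is an added example, not code from the original post: it reports the per-instance status, lists the instances still on an old model via the LatestModelApplied property of Get-AzVmssVM, and only with -Upgrade applies the latest model to just those instances with Update-AzVmssInstance. It assumes the Az.Compute module is loaded and you are already connected; the DiskEncryptionStatus property name on the Get-AzVmssVMDiskEncryption output is an assumption and may need adjusting to what your module version returns.

```powershell
# Added example (not from the original post): report VMSS disk encryption status per
# instance and bring only the instances still on an old model up to the latest model.
# Assumes an existing Az session; 'DiskEncryptionStatus' is an assumed property name.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $VMScaleSetName,
    [switch] $Upgrade   # without this switch the script only reports, it changes nothing
)

# 1. Per-instance encryption status, the same data the post's check command returns.
Get-AzVmssVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName |
    Select-Object InstanceId, DiskEncryptionStatus | Format-Table -AutoSize

# 2. Instances that have not applied the latest model. With a Manual upgrade policy these
#    keep reporting the old state (NotEncrypted after enable, Encrypted after disable)
#    until they are upgraded, because the encryption extension lives in the model.
$stale = Get-AzVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName |
    Where-Object { -not $_.LatestModelApplied }

if (-not $stale) {
    Write-Host "All instances are on the latest model; the status above is final."
    return
}

Write-Host ("{0} instance(s) still on an old model: {1}" -f @($stale).Count, ($stale.InstanceId -join ', '))

if ($Upgrade) {
    # Manual upgrade limited to the stale instances. This re-provisions the extension on
    # them and may reboot them, so run it instance group by instance group in production.
    Update-AzVmssInstance -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName -InstanceId $stale.InstanceId

    # 3. Re-check once the upgrade has completed.
    Get-AzVmssVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName |
        Select-Object InstanceId, DiskEncryptionStatus | Format-Table -AutoSize
} else {
    Write-Host "Re-run with -Upgrade to apply the latest model to these instances."
}
```

Save it as a .ps1 and run it with the resource group and scale set names from the commands above; leaving off -Upgrade gives a read-only report you can use to confirm the rollout before touching any instance.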
Azure CLI
To encrypt a running virtual machine scale set, in a PowerShell window connect to Azure and select your subscription using az login.
Then edit the below code to match your resources. For the key vault you will need to use the full resource ID path.
az vmss encryption enable --resource-group "PixelRobots-VMSS-UKS" --name "pixelrobotsvmss" --disk-encryption-keyvault "/subscriptions/*****/resourceGroups/PixelRobots-KV-UKS/providers/Microsoft.KeyVault/vaults/PixelRobots-VMSS-KV-UKS"

Again, if you want to be more secure, and who does not, you can encrypt your VMSS using a KEK to wrap the key. Use the following code to do this. Just make sure you edit the code to match your resources.
az vmss encryption enable --resource-group "PixelRobots-VMSS-UKS" --name "pixelrobotsvmss" --disk-encryption-keyvault "/subscriptions/****/resourceGroups/PixelRobots-KV-UKS/providers/Microsoft.KeyVault/vaults/PixelRobots-VMSS-KV-UKS" --key-encryption-key "VMSSEncryptionKey" --key-encryption-keyvault "/subscriptions/****/resourceGroups/PixelRobots-KV-UKS/providers/Microsoft.KeyVault/vaults/PixelRobots-VMSS-KV-UKS"

To check the status of the encryption you can use the following command.
If you see "displayStatus": "Disk is not encrypted", then you will either have to wait for the automatic upgrade, if set, or manually upgrade to the latest model. To do this use the command
Then if you check again you will see that the VMSS is encrypted.

To remove the encryption use the following command.
az vmss encryption disable --resource-group "PixelRobots-VMSS-UKS" --name "pixelrobotsvmss"

And that's it, you have now encrypted a virtual machine scale set.
If you would like to do this using ARM templates you can have a look at this quick start template. https://github.com/Azure/azure-quickstart-templates/tree/master/201-encrypt-running-vmss-windows
I know I am happy this feature has become GA and I hope you are too. If you have any questions or issues please reach out.