Field | Value |
---|---|
title | Azure Disk Encryption for Windows and Linux IaaS VMs \| Microsoft Docs |
description | The paper provides an overview of Microsoft Azure Disk Encryption for Windows and Linux IaaS VMs. |
services | security |
documentationcenter | na |
author | YuriDio |
manager | swadhwa |
editor | TomSh |
ms.assetid | d3fac8bb-4829-405e-8701-fa7229fb1725 |
ms.service | security |
ms.devlang | na |
ms.topic | article |
ms.tgt_pltfrm | na |
ms.workload | na |
ms.date | 09/26/2016 |
ms.author | kakhan |
Microsoft Azure is strongly committed to ensuring your data privacy and data sovereignty, and enables you to control your Azure hosted data through a range of advanced technologies to encrypt data, control and manage encryption keys, and control and audit access to data. This gives Azure customers the flexibility to choose the solution that best meets their business needs. In this paper, we introduce a new technology solution, “Azure Disk Encryption for Windows and Linux IaaS VMs”, to help protect and safeguard your data so you can meet your organizational security and compliance commitments. The paper provides detailed guidance on how to use the Azure disk encryption features, including the supported scenarios and the user experiences.
NOTE: Certain recommendations contained herein may result in increased data, network, or compute resource usage resulting in additional license or subscription costs.
Azure Disk Encryption is a new capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage.
Azure disk encryption for Windows and Linux IaaS VMs is now in General Availability in all Azure public regions for Standard VMs and VMs with premium storage.
The Azure Disk Encryption solution supports the following customer scenarios:
- Enable encryption on new IaaS VMs created from pre-encrypted VHD and encryption keys
- Enable encryption on new IaaS VMs created from the Azure Gallery images
- Enable encryption on existing IaaS VMs running in Azure
- Disable encryption on Windows IaaS VMs
- Disable encryption on data drives for Linux IaaS VMs
The solution supports the following for IaaS VMs when enabled in Microsoft Azure:
- Integration with Azure Key Vault
- Standard tier VMs - A, D, DS, G, GS and similar series IaaS VMs
- Enable encryption on Windows and Linux IaaS VMs
- Disable encryption on OS and data drives for Windows IaaS VMs
- Disable encryption on data drives for Linux IaaS VMs
- Enable encryption on IaaS VMs running Windows Client OS
- Enable encryption on volumes with mount paths
- Enable encryption on Linux VMs configured with disk striping (RAID) using mdadm
- Enable encryption on Linux VMs using LVM for data disks
- Enable encryption on Windows VMs configured with Storage Spaces
- All Azure public regions are supported
The solution does not support the following scenarios, features and technology in the release:
- Basic tier IaaS VMs
- Disable encryption on OS drive for Linux IaaS VMs
- IaaS VMs created using classic VM creation method
- Integration with your on-premises Key Management Service
- Azure Files (Azure file share), Network file system (NFS), Dynamic volumes, Windows VMs configured with Software-based RAID systems
When you enable and deploy Azure disk encryption for Azure IaaS VMs, the following capabilities are enabled, depending on the configuration provided:
- Encryption of OS volume to protect boot volume at rest in customer storage
- Encryption of Data volume/s to protect the data volumes at rest in customer storage
- Disable encryption on OS and data drives for Windows IaaS VMs
- Disable encryption on data drives for Linux IaaS VMs
- Safeguarding the encryption keys and secrets in customer Azure key vault subscription
- Reporting encryption status of the encrypted IaaS VM
- Removal of disk encryption configuration settings from the IaaS virtual machine
The Azure disk encryption solution for Windows and Linux IaaS VMs includes the disk encryption extension for Windows, the disk encryption extension for Linux, disk encryption PowerShell cmdlets, disk encryption CLI commands and disk encryption Azure Resource Manager templates. The Azure disk encryption solution is supported on IaaS VMs running Windows or Linux OS. For more details on the supported operating systems, see the prerequisites section below.
NOTE: There is no additional charge for encrypting VM disks with Azure Disk Encryption.
The Azure Disk Encryption Management solution enables the following business needs in the cloud:
- IaaS VMs are secured at rest using industry standard encryption technology to address organizational security and compliance requirements.
- IaaS VMs boot under customer controlled keys and policies, and customers can audit their usage in Key Vault.
The high level steps required to enable disk encryption for Windows and Linux VMs are:
1. Customer chooses an encryption scenario from the encryption scenarios above.
2. Customer opts into enabling disk encryption via the Azure disk encryption Resource Manager template, PS cmdlets or CLI command and specifies the encryption configuration.
   - For the customer encrypted VHD scenario, the customer uploads the encrypted VHD to their storage account and the encryption key material to their key vault, and provides the encryption configuration to enable encryption on a new IaaS VM.
   - For new VMs created from the Azure gallery and existing VMs already running in Azure, the customer provides the encryption configuration to enable encryption on the IaaS VM.
3. Customer grants the Azure platform access to read the encryption key material (BitLocker Encryption Keys for Windows systems and Passphrase for Linux) from their key vault to enable encryption on the IaaS VM.
4. Customer provides an Azure AD application identity to write the encryption key material to their key vault to enable encryption on the IaaS VM for the scenarios mentioned in step 2 above.
5. Azure updates the VM service model with the encryption and key vault configuration and provisions the encrypted VM for the customer.
The high level steps required to disable disk encryption for IaaS VMs are:
- Customer chooses to disable encryption (decryption) on a running IaaS VM in Azure via the Azure disk encryption Resource Manager template or PS cmdlets and specifies the decryption configuration.
- The disable encryption step disables encryption of the OS volume, the data volumes or both on the running Windows IaaS VM. However, disabling OS disk encryption for Linux is not supported, as mentioned in the documentation above; the disable step is allowed only for data drives on Linux VMs.
- Azure updates the VM service model and the IaaS VM is marked decrypted. The contents of the VM are no longer encrypted at rest.
- The disable encryption operation does not delete the customer key vault or the encryption key material (BitLocker Encryption Keys for Windows or the Passphrase for Linux).
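The disable flow above with the AzureRM cmdlets, as an added example that is not from the page itself: it refuses to decrypt the OS volume of a Linux VM (unsupported per the steps above) and shows that the key material stays in Key Vault. It assumes the AzureRM module is loaded and Login-AzureRmAccount has been run; the function name is ours.

```powershell
# Added example, not the page's own code. Assumes AzureRM module + Login-AzureRmAccount.
function Disable-AdeVolumes {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VmName,
        [ValidateSet('OS', 'Data', 'All')][string]$VolumeType = 'All'
    )
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VmName
    $osType = "$($vm.StorageProfile.OsDisk.OsType)"   # 'Windows' or 'Linux'

    # Only data drives can be decrypted on Linux; OS/All would fail, so refuse up front.
    if ($osType -eq 'Linux' -and $VolumeType -ne 'Data') {
        throw "Disabling OS disk encryption is not supported on Linux VMs ($VmName); use -VolumeType Data"
    }

    # Marks the VM decrypted in the service model; disk contents are no longer encrypted at rest.
    Disable-AzureRmVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMName $VmName `
        -VolumeType $VolumeType -Force

    # The BEK/passphrase secrets and any KEK remain in Key Vault after this call;
    # removing them is a separate, deliberate step if your policy requires it.
    Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VmName
}

# Usage with placeholder names:
# Disable-AdeVolumes -ResourceGroupName '<yourResourceGroup>' -VmName '<yourVMName>' -VolumeType Data
```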
The following are prerequisites to enable Azure Disk Encryption on Azure IaaS VMs for the supported scenarios called out in the overview section:
- User must have a valid active Azure subscription to create resources in Azure in the supported regions
- Azure Disk Encryption is supported on the following Windows server SKUs - Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
- Azure Disk Encryption is supported on the following Windows client SKUs - Windows 8 Client and Windows 10 Client.
Note: For Windows Server 2008 R2, .NET Framework 4.5 MUST be installed before enabling encryption in Azure. You can install it from Windows Update by installing the optional update "Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based Systems (KB2901983)".
- Azure Disk Encryption is supported on the following Linux server SKUs - Ubuntu, CentOS, SUSE and SUSE Linux Enterprise Server (SLES) and Red Hat Enterprise Linux.
Note: Linux OS disk encryption is currently supported on the following Linux distributions - RHEL 7.2, CentOS 7.2, Ubuntu 16.04
- All resources (for example, Key Vault, storage account, VM) must belong to the same Azure region and subscription.
Note: Azure disk encryption requires that the Key Vault and the VMs reside in the same Azure region. Configuring them in separate regions will cause enabling the Azure disk encryption feature to fail.
- To set up and configure Azure Key Vault for Azure disk encryption usage, see section Setting and Configuring Azure Key Vault for Azure disk encryption usage in the Prerequisites section of this article.
- To set up and configure Azure AD application in Azure Active directory for Azure disk encryption usage, see section Setup the Azure AD Application in Azure Active Directory in the Prerequisites section of this article.
- To set up and configure Key Vault Access policy for the Azure AD Application, see section Setting Key Vault Access policy for the Azure AD Application in the Prerequisites section of this article.
- To prepare a pre-encrypted Windows VHD, see section Preparing a pre-encrypted Windows VHD in the Appendix of this article.
- To prepare a pre-encrypted Linux VHD, see section Preparing a pre-encrypted Linux VHD in the Appendix of this article.
- The Azure platform needs access to the encryption keys or secrets in the customer Azure Key Vault in order to make them available to the virtual machine to boot and decrypt the virtual machine OS volume. To grant the Azure platform permission to access the customer Key Vault, the enabledForDiskEncryption property must be set on the Key Vault. Refer to the section Setting and Configuring Azure Key Vault for Azure disk encryption usage in the Appendix of this article for more details.
- The Key Vault secret and key encryption key (KEK) URLs must be versioned. Azure enforces this versioning restriction. See the examples below of valid secret and KEK URLs:
- Example of a valid secret URL: https://contosovault.vault.azure.net/secrets/BitLockerEncryptionSecretWithKek/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- Example of a valid KEK URL: https://contosovault.vault.azure.net/keys/diskencryptionkek/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- Azure disk encryption does not support port numbers being specified as part of Key Vault secret and KEK URLs. See the examples below of unsupported and supported Key Vault URLs:
- Unaccepted Key Vault URL: https://contosovault.vault.azure.net:443/secrets/contososecret/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- Accepted Key Vault URL: https://contosovault.vault.azure.net/secrets/contososecret/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- To enable the Azure Disk Encryption feature, the IaaS VMs must meet the following network endpoint configuration requirements:
- The IaaS VM must be able to connect to the Azure Active Directory endpoint [Login.windows.net] to get a token to connect to Azure Key Vault
- The IaaS VM must be able to connect to the Azure Key Vault endpoint to write the encryption keys to the customer key vault
- The IaaS VM must be able to connect to the Azure storage endpoint which hosts the Azure extension repository and the Azure storage account which hosts the VHD files
Note: If your security policy limits access from Azure VMs to the Internet, you can resolve the URIs above to which you need connectivity and configure a specific rule to allow outbound connectivity to those IPs.
- Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest Azure PowerShell release.
**Note:** Azure Disk Encryption is not supported on Azure PowerShell SDK version 1.1.0. If you are receiving an error related to using Azure PowerShell 1.1.0, please see the article Azure Disk Encryption Error Related to Azure PowerShell 1.1.0.
- To run any of the Azure CLI commands and associate them with your Azure subscription, you must first install the Azure CLI:
- To install Azure CLI and associate it with your Azure subscription, see How to install and configure Azure CLI
- For using the Azure CLI for Mac, Linux, and Windows with Azure Resource Manager, see here
- The Azure disk encryption solution uses the BitLocker external key protector for Windows IaaS VMs. If your VMs are domain joined, do not push any group policies that enforce TPM protectors. Refer to this article for details on the group policy for “Allow BitLocker without a compatible TPM”.
- The Azure disk encryption prerequisite PowerShell script to create the Azure AD application, create a new key vault or set up an existing key vault, and enable encryption is located here.
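A pre-flight check for the prerequisites listed above (same region, enabledForDiskEncryption, no Basic tier, versioned KEK URL without a port, and the WrapKey/Set access policy for the Azure AD app), written as an added example and not the page's own prerequisite script. It assumes the AzureRM module is loaded and Login-AzureRmAccount has been run; the function names are ours and all resource names are placeholders.

```powershell
# Added example, not the page's own prerequisite script. Assumes AzureRM + Login-AzureRmAccount.

function Test-AdeKeyVaultUrl {
    # Checks a Key Vault object URL the way Azure Disk Encryption requires it:
    # https://<vault host>/<secrets|keys>/<name>/<32-hex version>, with no explicit port.
    param(
        [Parameter(Mandatory)][string]$Url,
        [ValidateSet('secrets', 'keys')][string]$Kind = 'secrets'
    )
    if ($Url -match '^https://[^/]+:\d+/') {
        return [pscustomobject]@{ Valid = $false; Reason = 'port numbers are not supported in Key Vault URLs' }
    }
    $pattern = "^https://[^/:]+/$Kind/[A-Za-z0-9-]+/[0-9a-f]{32}$"
    if ($Url -notmatch $pattern) {
        return [pscustomobject]@{ Valid = $false; Reason = "expected a versioned $Kind URL, got '$Url'" }
    }
    [pscustomobject]@{ Valid = $true; Reason = 'ok' }
}

function Test-AdePrerequisites {
    # Returns the list of problems that would make enabling encryption fail; an empty result means OK.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VmName,
        [Parameter(Mandatory)][string]$KeyVaultName,
        [string]$KeyVaultResourceGroupName = $ResourceGroupName,
        [string]$AadClientId,
        [string]$KeyEncryptionKeyUrl
    )
    $problems = @()
    $vm    = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VmName
    $vault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroupName

    # Key Vault and VM must be in the same region (and subscription).
    if ($vm.Location -ne $vault.Location) {
        $problems += "VM is in '$($vm.Location)' but Key Vault is in '$($vault.Location)'"
    }
    # The platform can only read the BEK/passphrase at boot if this property is set on the vault.
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += "Key Vault '$KeyVaultName' does not have enabledForDiskEncryption set"
    }
    # Basic tier VMs are not supported.
    if ($vm.HardwareProfile.VmSize -like 'Basic_*') {
        $problems += "VM size '$($vm.HardwareProfile.VmSize)' is Basic tier"
    }
    # The Azure AD app needs at least WrapKey on keys and Set on secrets.
    if ($AadClientId) {
        $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AadClientId
        $policy = $vault.AccessPolicies | Where-Object { "$($_.ObjectId)" -eq "$($sp.Id)" }
        if (-not $policy) {
            $problems += "no Key Vault access policy for Azure AD app $AadClientId"
        }
        elseif (($policy.PermissionsToKeys -notcontains 'wrapKey') -or ($policy.PermissionsToSecrets -notcontains 'set')) {
            $problems += "access policy for $AadClientId lacks WrapKey (keys) and/or Set (secrets)"
        }
    }
    # Optional KEK: its URL must be versioned and carry no port.
    if ($KeyEncryptionKeyUrl) {
        $check = Test-AdeKeyVaultUrl -Url $KeyEncryptionKeyUrl -Kind keys
        if (-not $check.Valid) { $problems += "KEK URL: $($check.Reason)" }
    }
    return $problems
}

# Usage with placeholder names; the URL below is the page's "unaccepted" form and reports Valid = False.
# Test-AdeKeyVaultUrl -Url 'https://contosovault.vault.azure.net:443/secrets/contososecret/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
# Test-AdePrerequisites -ResourceGroupName '<rg>' -VmName '<vm>' -KeyVaultName '<vault>' -AadClientId '<clientId>'
```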
When encryption needs to be enabled on a running VM in Azure, Azure disk encryption generates and writes the encryption keys to your Key Vault. Managing encryption keys in Key Vault needs Azure AD authentication.
For this purpose, an Azure AD application should be created. Detailed steps for registering an application can be found in the “Get an Identity for the Application” section of this blog post. This post also contains a number of helpful examples on provisioning and configuring your Key Vault. For authentication purposes, either client secret based authentication or client certificate-based Azure AD authentication can be used.
The sections that follow have the necessary steps to configure a client secret based authentication for Azure AD.
Use the PowerShell cmdlet below to create a new Azure AD app:
```powershell
$aadClientSecret = "yourSecret"
# Register the app with a password credential, then create its service principal
$azureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -Password $aadClientSecret
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
```
Note: $azureAdApplication.ApplicationId is the Azure AD Client ID and $aadClientSecret is the client secret that you should use later to enable ADE. You should safeguard the Azure AD client secret appropriately.
Azure AD Client ID and secret can also be provisioned using the Azure Classic deployment model Portal at https://manage.windowsazure.com. Follow the steps below to perform this task:
1. Click the Active Directory tab as shown in the figure below:
2. Click Add Application and type the application name as shown below:
3. Click the arrow button and configure the app's properties as shown below:
4. Click the check mark in the lower left corner to finish. The app's configuration page appears. Notice the Azure AD Client ID located at the bottom of the page, as shown in the figure below.
5. Click the Save button and note the secret from the Keys text box; this is the Azure AD client secret. You should safeguard the Azure AD client secret appropriately.
Note: the flow above is not supported in the Portal.
In order to execute the commands below you need the Azure AD PowerShell module, which can be obtained from here.
Note: the commands below must be executed from a new PowerShell window. Do NOT use the Azure PowerShell or Azure Resource Manager window to execute these commands, because these cmdlets are in the MSOnline module (Azure AD PowerShell).
```powershell
$clientSecret = '<yourAadClientSecret>'
$aadClientID = '<Client ID of your AAD app>'
Connect-MsolService
# Attach a password credential to the existing app's service principal
New-MsolServicePrincipalCredential -AppPrincipalId $aadClientID -Type password -Value $clientSecret
```
Note: AAD certificate based authentication is currently not supported on Linux VMs.
The sections that follow have the necessary steps to configure a certificate based authentication for Azure AD.
Execute the PowerShell cmdlets below to create a new Azure AD app:
Note: Replace the yourpassword string below with your secure password and safeguard the password.
```powershell
# Load the certificate and register its public key as the app's credential
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\certificates\examplecert.pfx", "yourpassword")
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$azureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $keyValue -KeyType AsymmetricX509Cert
$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
```
Once you finish this step, upload a .pfx file to Key Vault and enable the access policy needed to deploy that certificate to a VM.
If you are configuring certificate based authentication for an existing app, use the PowerShell cmdlets below. Make sure to execute them from a new PowerShell window.
```powershell
$certLocalPath = 'C:\certs\myaadapp.cer'
$aadClientID = '<Client ID of your AAD app>'
Connect-MsolService
# Read the public certificate and register it as a verify-only asymmetric credential
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($certLocalPath)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId $aadClientID -Type asymmetric -Value $credValue -Usage verify
```
Once you finish this step, upload a .pfx file to Key Vault and enable the access policy needed to deploy that certificate to a VM.
You can read this blog post for a detailed explanation of how this process works. However, the PowerShell cmdlets below are all you need for this task. Make sure to execute them from the Azure PowerShell console:
Note: Replace the yourpassword string below with your secure password and safeguard the password.
```powershell
$certLocalPath = 'C:\certs\myaadapp.pfx'
$certPassword = "yourpassword"
$resourceGroupName = 'yourResourceGroup'
$keyVaultName = 'yourKeyVaultName'
$keyVaultSecretName = 'yourAadCertSecretName'
# Read the PFX and wrap it in the JSON envelope Key Vault expects for a deployable certificate
$fileContentBytes = Get-Content $certLocalPath -Encoding Byte
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$jsonObject = @"
{
"data": "$fileContentEncoded",
"dataType" :"pfx",
"password": "$certPassword"
}
"@
$jsonObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
$jsonEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)
# Only needed on Azure PowerShell 0.9.x; the AzureMode switch no longer exists in 1.0 and later
Switch-AzureMode -Name AzureResourceManager
$secret = ConvertTo-SecureString -String $jsonEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName -SecretValue $secret
# Allow the Azure compute platform to retrieve the certificate secret when deploying it to a VM
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDeployment
```
After uploading the PFX, use the steps below to deploy a certificate in Key Vault to an existing VM:
```powershell
$resourceGroupName = 'yourResourceGroup'
$keyVaultName = 'yourKeyVaultName'
$keyVaultSecretName = 'yourAadCertSecretName'
$vmName = 'yourVMName'
# Versioned secret URL and the vault's resource ID identify the certificate to deploy
$certUrl = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretName).Id
$sourceVaultId = (Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName).ResourceId
$vm = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName
# Install the certificate into the VM's personal ("My") store
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $sourceVaultId -CertificateStore "My" -CertificateUrl $certUrl
Update-AzureRmVM -VM $vm -ResourceGroupName $resourceGroupName
```
Your Azure AD application needs rights to access the keys or secrets in the vault. Use the Set-AzureRmKeyVaultAccessPolicy cmdlet to grant permissions to the application, passing the Client ID (generated when the application was registered) as the -ServicePrincipalName parameter value. You can read this blog post for some examples. Below is an example of how to perform this task via PowerShell:
```powershell
$keyVaultName = '<yourKeyVaultName>'
$aadClientID = '<yourAadAppClientID>'
$rgname = '<yourResourceGroup>'
# Grant only what Azure Disk Encryption needs: wrap the BEK with the KEK and write the BEK secret
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $rgname
```
NOTE: Azure disk encryption requires you to configure the following access policies to your AAD Client Application - 'WrapKey' and 'Set' permissions
Use the terminology table as reference to understand some of the common terms used by this technology:
Terminology | Definition |
---|---|
Azure AD | Azure AD is Azure Active Directory. Azure AD account is a pre-requisite for authenticating, storing, and retrieving secrets from the Key Vault. |
Azure Key Vault [AKV] | Azure Key Vault is a cryptographic key management service based on FIPS-validated Hardware Security Modules that safeguards your cryptographic keys and sensitive secrets. Refer to the Key Vault documentation for more details. |
ARM | Azure Resource Manager |
BitLocker | BitLocker is an industry recognized Windows volume encryption technology used to enable disk encryption on Windows IaaS VMs |
BEK | BitLocker Encryption Keys are used to encrypt the OS boot volume and data volumes. The BitLocker keys are safeguarded in the customer’s Azure key vault as secrets. |
CLI | Azure Command-Line Interface |
DM-Crypt | DM-Crypt is the Linux-based transparent disk encryption subsystem used to enable disk encryption on Linux IaaS VMs |
KEK | Key Encryption Key is the asymmetric key (RSA 2048) used to protect or wrap the secret if desired. You can provide an HSM-protected key or a software-protected key. For more details, refer to the Azure Key Vault documentation |
PS cmdlets | Azure PowerShell cmdlets |
Azure disk encryption safeguards the disk encryption keys and secrets in your Azure Key Vault. Follow the steps on each one of the sections below to setup Key Vault for Azure disk encryption usage.
To create a new Key Vault, use one of the options listed below:
- Use the "101-Create-KeyVault" Resource Manager template located here
- Use the Azure PowerShell Key Vault cmdlets.
- Use the Azure resource manager portal.
Note: If you already have a Key Vault setup for your subscription, please proceed to next section.
If you wish to use a Key Encryption Key (KEK) for an additional layer of security to wrap the BitLocker encryption keys, add a KEK to your Key Vault for use in the provisioning process. Use the Add-AzureKeyVaultKey cmdlet to create a new Key Encryption Key in Key Vault. You can also import a KEK from your on-premises key management HSM. For more details, see the Key Vault documentation.
```powershell
Add-AzureKeyVaultKey [-VaultName] <string> [-Name] <string> -Destination <string> {HSM | Software}
```
The KEK can be added from Azure Resource Manager portal as well using Azure Key Vault UX.
The Azure platform needs access to the encryption keys or secrets in your Azure Key Vault in order to make them available to the VM to boot and decrypt the volumes. To grant permissions to the Azure platform so that it can access the Key Vault, the enabledForDiskEncryption property must be set on the Key Vault. You can set the enabledForDiskEncryption property on your key vault using the key vault PS cmdlet:
```powershell
Set-AzureRmKeyVaultAccessPolicy -VaultName <yourVaultName> -ResourceGroupName <yourResourceGroup> -EnabledForDiskEncryption
```
You can also set the enabledForDiskEncryption property by visiting https://resources.azure.com. You must set the enabledForDiskEncryption property on your Key Vault as mentioned before. Otherwise the deployment will fail.
You can setup access policies for your AAD application from the Key Vault UX:
Make sure that Key Vault is enabled for Disk Encryption in "Advanced Access Policies":
There are many scenarios in which you can enable disk encryption, and the steps vary according to the scenario. The sections that follow cover these scenarios in more detail.
Disk encryption can be enabled on new IaaS Windows VM from Azure gallery in Azure using the Resource Manager template published here. Click on “Deploy to Azure” button on the Azure quickstart template, input encryption configuration in the parameters blade and click OK. Select the subscription, resource group, resource group location, legal terms and agreement and click Create button to enable encryption on a new IaaS VM.
Note: This template creates a new encrypted Windows VM using the Windows Server 2012 gallery image.
Disk encryption can be enabled on a new IaaS RedHat Linux 7.2 VM with a 200 GB RAID-0 array using this resource manager template. After the template is deployed, verify the VM encryption status using the Get-AzureRmVmDiskEncryptionStatus cmdlet as described in the section "Encrypting OS drive on a running Linux VM". When the machine returns the status VMRestartPending, restart the VM.
You can see the Resource Manager template parameters details for new VM from Azure gallery scenario using Azure AD Client ID in the table below:
Parameter | Description |
---|---|
adminUserName | Admin user name for the virtual machine |
adminPassword | Admin user password for the virtual machine |
newStorageAccountName | Name of the storage account to store OS and data VHDs |
vmSize | Size of the VM. Currently, only Standard A, D and G series are supported |
virtualNetworkName | Name of the VNet to which the VM NIC should belong to. |
subnetName | Name of the subnet in the vNet to which the VM NIC should belong to |
AADClientID | Client ID of the Azure AD app that has permissions to write secrets to Key Vault |
AADClientSecret | Client Secret of the Azure AD app that has permissions to write secrets to Key Vault |
keyVaultURL | URL of the Key Vault to which the BitLocker key should be uploaded. You can get it using the cmdlet: (Get-AzureRmKeyVault -VaultName <yourKeyVaultName> -ResourceGroupName <yourResourceGroupName>).VaultUri |
keyEncryptionKeyURL | URL of the Key Encryption Key that's used to encrypt the generated BitLocker key. This is optional. |
keyVaultResourceGroup | Resource Group of the key vault |
vmName | Name of the VM on which encryption operation is to be performed |
Note: KeyEncryptionKeyURL is an optional parameter. You can bring your own KEK to further safeguard the data encryption key (Passphrase secret) in Key Vault.
In this scenario you can enable encryption by using the Resource Manager template, PowerShell cmdlets or CLI commands. The sections below explain the Resource Manager template and CLI commands in more detail.
Follow the instructions from one of these sections for preparing pre-encrypted images that can be used in Azure. Once the image is created, the steps in the next section can be used for creating an encrypted Azure VM.
Disk encryption can be enabled on a customer encrypted VHD using the Resource Manager template published here. Click the “Deploy to Azure” button on the Azure quickstart template, input the encryption configuration in the parameters blade and click OK. Select the subscription, resource group, resource group location, legal terms and agreement, and click the Create button to enable encryption on the new IaaS VM.
The Resource Manager template parameters details for customer encrypted VHD scenario are described in the table below:
Parameter | Description |
---|---|
newStorageAccountName | Name of the storage account to store encrypted OS vhd. This storage account should have already been created in the same resource group and same location as the VM |
osVhdUri | URI of OS vhd from storage account |
osType | OS product type (Windows/Linux) |
virtualNetworkName | Name of the VNet to which the VM NIC should belong to. This should have been already created in the same resource group and same location as the VM |
subnetName | Name of the subnet in the vNet to which the VM NIC should belong to |
vmSize | Size of the VM. Currently, only Standard A, D and G series are supported |
keyVaultResourceID | ResourceID identifying the key vault resource in ARM. You can get it using the PowerShell cmdlet: (Get-AzureRmKeyVault -VaultName <yourKeyVaultName> -ResourceGroupName <yourResourceGroupName>).ResourceId |
keyVaultSecretUrl | URL of the disk encryption key provisioned in key vault |
keyVaultKekUrl | URL of the Key Encryption Key that's used to wrap (encrypt) the generated disk encryption key |
vmName | Name of the IaaS VM |
Disk encryption can be enabled on customer encrypted VHD using the PS cmdlets published here.
Follow the steps below to enable disk encryption for this scenario using CLI commands:
- Set access policies on Key Vault:
  - Set the ‘EnabledForDiskEncryption’ flag:

    ```
    azure keyvault set-policy --vault-name <keyVaultName> --enabled-for-disk-encryption true
    ```

  - Set permissions for the Azure AD app to write secrets to Key Vault:

    ```
    azure keyvault set-policy --vault-name <keyVaultName> --spn <aadClientID> --perms-to-keys '["wrapKey"]' --perms-to-secrets '["set"]'
    ```

- To enable encryption on an existing/running VM, type:

  ```
  azure vm enable-disk-encryption --resource-group <resourceGroupName> --name <vmName> --aad-client-id <aadClientId> --aad-client-secret <aadClientSecret> --disk-encryption-key-vault-url <keyVaultURL> --disk-encryption-key-vault-id <keyVaultResourceId> --volume-type [All|OS|Data]
  ```

- Get encryption status:

  ```
  azure vm show-disk-encryption-status --resource-group <resourceGroupName> --name <vmName> --json
  ```

- To enable encryption on a new VM from a customer encrypted VHD, use the parameters below with the “azure vm create” command:
  - disk-encryption-key-vault-id
  - disk-encryption-key-url
  - key-encryption-key-vault-id
  - key-encryption-key-url
In this scenario you can enable encryption by using the Resource Manager template, PowerShell cmdlets or CLI commands. The sections below explain in more detail how to enable it using the Resource Manager template and CLI commands.
Disk encryption can be enabled on an existing/running IaaS Windows VM in Azure using the Resource Manager template published here. Click the “Deploy to Azure” button on the Azure quickstart template, input the encryption configuration in the parameters blade and click OK. Select the subscription, resource group, resource group location, legal terms and agreement, and click the Create button to enable encryption on the existing/running IaaS VM.
The Resource Manager template parameters details for existing/running VM scenario using Azure AD Client ID are available in the table below:
Parameter | Description |
---|---|
?AADClientID | ?Client ID of the Azure AD app that has permissions to write secrets to Key Vault |
AADClientSecret | ?Client Secret of the Azure AD app that has permissions to write secrets to Key Vault |
keyVaultName | Name of the Key Vault to which the BitLocker key should be uploaded. You can get it using the cmdlet: (Get-AzureRmKeyVault -ResourceGroupName <yourResourceGroupName>).VaultName |
keyEncryptionKeyURL | URL of the Key Encryption Key that's used to encrypt the generated BitLocker key. This is optional if you select nokek in the UseExistingKek dropdown. If you select kek in the UseExistingKek dropdown, you must input the keyEncryptionKeyURL value |
volumeType | Type of the volume on which the encryption operation is performed. Valid values are "OS", "Data", "All" |
sequenceVersion | Sequence version of the BitLocker operation. Increment this version number every time a disk encryption operation is performed on the same VM |
vmName | Name of the VM on which the encryption operation is to be performed |
Note: KeyEncryptionKeyURL is an optional parameter. You can bring your own KEK to further safeguard the data encryption key (BitLocker encryption secret) in Key Vault.
Refer to the Explore Azure disk encryption with Azure PowerShell blog post part 1 and part 2 for details on how to enable encryption using Azure Disk Encryption using PS cmdlets.
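The same enable flow with the AzureRM cmdlets, as an added example that is not code from the page or from the blog posts it cites: it sets the two Key Vault access policies, creates (or reuses) a KEK so its versioned URL can be passed, supplies a fresh sequenceVersion, enables encryption on the running VM and reports the status. It assumes the AzureRM module is loaded, Login-AzureRmAccount has been run, and the Azure AD app, Key Vault and VM already exist; all names are placeholders.

```powershell
# Added example, not the page's own code. Assumes AzureRM + Login-AzureRmAccount; names are placeholders.
$rgName          = '<yourResourceGroup>'
$vmName          = '<yourVMName>'
$keyVaultName    = '<yourKeyVaultName>'
$kekName         = '<yourKekName>'
$aadClientID     = '<yourAadAppClientID>'
$aadClientSecret = '<yourAadClientSecret>'   # read from a secure store in practice; never commit it
$volumeType      = 'All'                     # 'OS', 'Data' or 'All'

# 1. Key Vault access: the AAD app may only wrap keys and set secrets; the platform may read the
#    BEK secret at boot (enabledForDiskEncryption).
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName `
    -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set'
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $rgName -EnabledForDiskEncryption
$vault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName

# 2. Key Encryption Key: create an RSA 2048 key once and reuse it. $kek.Id is the versioned key URL,
#    which is what Azure requires. Use -Destination HSM on a Premium vault for an HSM-protected KEK.
$kek = Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $kekName -Destination Software
}

# 3. sequenceVersion must be new on every encryption operation against the same VM;
#    a UTC timestamp is monotonically increasing.
$sequenceVersion = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss')

# 4. Enable encryption. The extension generates the BEK inside the VM, has Key Vault wrap it with
#    the KEK (the WrapKey permission) and stores the result as a secret (the Set permission).
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType $volumeType -SequenceVersion $sequenceVersion -Force

# 5. Report status. On Linux the OS volume may report VMRestartPending; a restart finishes the job.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
if ("$($status.OsVolumeEncrypted)" -eq 'VMRestartPending') {
    Restart-AzureRmVM -ResourceGroupName $rgName -Name $vmName
}
```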
Follow the steps below to enable encryption on an existing/running IaaS Windows VM in Azure using CLI commands:
- Set access policies on Key Vault:
  - Set the ‘EnabledForDiskEncryption’ flag:

    ```
    azure keyvault set-policy --vault-name <keyVaultName> --enabled-for-disk-encryption true
    ```

  - Set permissions for the Azure AD app to write secrets to Key Vault:

    ```
    azure keyvault set-policy --vault-name <keyVaultName> --spn <aadClientID> --perms-to-keys '["wrapKey"]' --perms-to-secrets '["set"]'
    ```

- To enable encryption on an existing/running VM:

  ```
  azure vm enable-disk-encryption --resource-group <resourceGroupName> --name <vmName> --aad-client-id <aadClientId> --aad-client-secret <aadClientSecret> --disk-encryption-key-vault-url <keyVaultURL> --disk-encryption-key-vault-id <keyVaultResourceId> --volume-type [All|OS|Data]
  ```

- Get encryption status:

  ```
  azure vm show-disk-encryption-status --resource-group <resourceGroupName> --name <vmName> --json
  ```

- To enable encryption on a new VM from a customer encrypted VHD, use the parameters below with the “azure vm create” command:
  - disk-encryption-key-vault-id
  - disk-encryption-key-url
  - key-encryption-key-vault-id
  - key-encryption-key-url
Disk encryption can be enabled on existing/running IaaS Linux VM in Azure using the Resource Manager template published here. Click on “Deploy to Azure” button on the Azure quickstart template, input encryption configuration in the parameters blade and click OK. Select the subscription, resource group, resource group location, legal terms and agreement and click Create button to enable encryption on existing/running IaaS VM.
The Resource Manager template parameters details for existing/running VM scenario using Azure AD Client ID are described in the table below:
Parameter | Description |
---|---|
AADClientID | Client ID of the Azure AD app that has permissions to write secrets to Key Vault |
AADClientSecret | Client Secret of the Azure AD app that has permissions to write secrets to Key Vault |
keyVaultName | Name of the Key Vault to which the BitLocker key should be uploaded. You can get it using the cmdlet: (Get-AzureRmKeyVault -ResourceGroupName ).Vaultname |
keyEncryptionKeyURL | URL of the Key Encryption Key that is used to encrypt the generated BitLocker key. This is optional if you select “nokek” in the UseExistingKek dropdown. If you select “kek” in the UseExistingKek dropdown, you must input the keyEncryptionKeyURL value |
volumeType | Type of the volume on which the encryption operation is performed. Valid supported values are "OS"/"All" (for RHEL 7.2, CentOS 7.2 & Ubuntu 16.04) and "Data" for all other distros. |
sequenceVersion | Sequence version of the BitLocker operation. Increment this version number every time a disk encryption operation is performed on the same VM |
vmName | Name of the VM on which the encryption operation is to be performed |
passPhrase | Type a strong passphrase as the data encryption key |
Note: KeyEncryptionKeyURL is an optional parameter. You can bring your own KEK to further safeguard the data encryption key (Passphrase secret) in Key Vault.
Disk encryption can be enabled on a customer-encrypted VHD using the CLI command installed from here. Follow the steps below to enable encryption on an existing/running IaaS Linux VM in Azure using CLI commands:
- Set access policies on Key Vault:
  - Set the ‘EnabledForDiskEncryption’ flag:

    ```
    azure keyvault set-policy --vault-name <keyVaultName> --enabled-for-disk-encryption true
    ```
  - Set permissions for the Azure AD app to write secrets to Key Vault:

    ```
    azure keyvault set-policy --vault-name <keyVaultName> --spn <aadClientID> --perms-to-keys '["wrapKey"]' --perms-to-secrets '["set"]'
    ```
- To enable encryption on an existing/running VM:

  ```
  azure vm enable-disk-encryption --resource-group <resourceGroupName> --name <vmName> --aad-client-id <aadClientId> --aad-client-secret <aadClientSecret> --disk-encryption-key-vault-url <keyVaultURL> --disk-encryption-key-vault-id <keyVaultResourceId> --volume-type [All|OS|Data]
  ```
- Get encryption status:

  ```
  azure vm show-disk-encryption-status --resource-group <resourceGroupName> --name <vmName> --json
  ```
- To enable encryption on a new VM from a customer-encrypted VHD, use the below parameters with the “azure vm create” command:
  - disk-encryption-key-vault-id
  - disk-encryption-key-url
  - key-encryption-key-vault-id
  - key-encryption-key-url
You can get encryption status using Azure Resource Manager portal, PowerShell cmdlets or CLI commands. The sections below will explain how to use the Azure portal and CLI commands to get the encryption status.
You can get the encryption status of the IaaS VM from the Azure Resource Manager portal. Log on to the Azure portal at https://portal.azure.com/ and click the virtual machines link in the left menu to see a summary view of the virtual machines in your subscription. You can filter the virtual machines view by selecting the subscription name from the subscription dropdown. Click on columns, located at the top of the virtual machines page menu. Select the Disk Encryption column from the choose column blade and click update. You should see the disk encryption column showing the encryption state “Enabled” or “Not Enabled” for each VM, as shown in the figure below.
You can get the encryption status of the IaaS VM from the disk encryption PS cmdlet “Get-AzureRmVMDiskEncryptionStatus”. To get the encryption settings for your VM, type in your Azure PowerShell session:

```powershell
C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName -ExtensionName $ExtensionName

OsVolumeEncrypted          : NotEncrypted
DataVolumesEncrypted       : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : https://rheltest1keyvault.vault.azure.net/secrets/bdb6bfb1-5431-4c28-af46-b18d0025ef2a/abebacb83d864a5fa729508315020f8a
```

The output of Get-AzureRmVMDiskEncryptionStatus can be inspected for encryption key URLs.

```powershell
C:\> $status = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName -ExtensionName $ExtensionName
C:\> $status.OsVolumeEncryptionSettings

DiskEncryptionKey                                                 KeyEncryptionKey                                              Enabled
-----------------                                                 ----------------                                              -------
Microsoft.Azure.Management.Compute.Models.KeyVaultSecretReference Microsoft.Azure.Management.Compute.Models.KeyVaultKeyReference True

C:\> $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl
https://rheltest1keyvault.vault.azure.net/secrets/bdb6bfb1-5431-4c28-af46-b18d0025ef2a/abebacb83d864a5fa729508315020f8a

C:\> $status.OsVolumeEncryptionSettings.DiskEncryptionKey

SecretUrl                                                                                                                 SourceVault
---------                                                                                                                 -----------
https://rheltest1keyvault.vault.azure.net/secrets/bdb6bfb1-5431-4c28-af46-b18d0025ef2a/abebacb83d864a5fa729508315020f8a Microsoft.Azure.Management....
```

An OsVolumeEncrypted or DataVolumesEncrypted value of "Encrypted" shows that the corresponding volume is encrypted using Azure Disk Encryption. Refer to the Explore Azure disk encryption with Azure PowerShell blog post part 1 and part 2 for details on how to enable encryption with the Azure Disk Encryption PS cmdlets.

NOTE: On Linux VMs, the Get-AzureRmVMDiskEncryptionStatus cmdlet takes 3-4 minutes to report the encryption status.
You can get the encryption status of the IaaS VM from the disk encryption CLI command azure vm show-disk-encryption-status. To get the encryption settings for your VM, type in your Azure CLI session:

```
azure vm show-disk-encryption-status --resource-group <yourResourceGroupName> --name <yourVMName> --json
```
You can disable encryption on a running Windows or Linux IaaS VM via the Azure disk encryption Resource Manager template or PS cmdlets by specifying the decryption configuration.
The disable encryption step disables encryption of the OS volume, the data volume, or both on the running Windows IaaS VM. You cannot decrypt the OS volume and leave the data volume encrypted. When the disable encryption step is performed, the Azure classic deployment model updates the VM service model and the Windows IaaS VM is marked decrypted. The contents of the VM are no longer encrypted at rest. Disabling encryption does not delete the customer key vault or the encryption key material, which is the BitLocker Encryption Key for Windows and the Passphrase for Linux.
The disable encryption step disables encryption of the data volume on the running Linux IaaS VM.
NOTE: Disabling encryption on OS disk is not allowed on Linux VMs.
Disk encryption can be disabled on a running Windows IaaS VM using the Resource Manager template published here. Click on the “Deploy to Azure” button on the Azure quickstart template, input the decryption configuration in the parameters blade and click OK. Select the subscription, resource group, resource group location, legal terms and agreement, and click the Create button to disable encryption on the running IaaS VM.
For Linux VM, this template can be used to disable encryption.
Resource Manager template parameter details for disabling encryption on a running IaaS VM:
Parameter | Description |
---|---|
vmName | Name of the VM on which the decryption operation is to be performed |
volumeType | Type of the volume on which the decryption operation is performed. Valid values are "OS", "Data", "All". Note: You cannot disable encryption on the running Windows IaaS VM OS/boot volume without disabling encryption on the “Data” volume. Note: Disabling encryption on the OS disk is not allowed on Linux VMs. |
sequenceVersion | Sequence version of the BitLocker operation. Increment this version number every time a disk decryption operation is performed on the same VM |
To disable encryption using PowerShell, use the Disable-AzureRmVMDiskEncryption cmdlet, which disables encryption on an infrastructure as a service (IaaS) virtual machine. This cmdlet supports both Windows and Linux VMs. It installs an extension on the virtual machine to disable encryption. If the Name parameter is not specified, an extension with the default name "AzureDiskEncryption for Windows VMs" is created. On Linux VMs, the "AzureDiskEncryptionForLinux" extension is used.
Note: This cmdlet reboots the virtual machine.
Make sure to review the Prerequisites section in this document before proceeding. After ensuring that all prerequisites are fulfilled, follow the steps below to connect to your subscription:
1. Start an Azure PowerShell session and sign in to your Azure account with the following command:

   ```powershell
   Login-AzureRmAccount
   ```
2. If you have multiple subscriptions and want to specify a particular one to use, type the following to see the subscriptions for your account:

   ```powershell
   Get-AzureRmSubscription
   ```
3. To specify the subscription you want to use, type:

   ```powershell
   Select-AzureRmSubscription -SubscriptionName <Yoursubscriptionname>
   ```
4. To verify that the configured subscription is correct, type:

   ```powershell
   Get-AzureRmSubscription
   ```
5. To confirm the Azure Disk Encryption cmdlets are installed, type:

   ```powershell
   Get-command *diskencryption*
   ```
6. You should see the below output confirming the Azure Disk Encryption PowerShell installation:

   ```powershell
   PS C:\Windows\System32\WindowsPowerShell\v1.0> get-command *diskencryption*

   CommandType     Name                                     Source
   Cmdlet          Get-AzureRmVMDiskEncryptionStatus        AzureRM.Compute
   Cmdlet          Disable-AzureRmVMDiskEncryption          AzureRM.Compute
   Cmdlet          Set-AzureRmVMDiskEncryptionExtension     AzureRM.Compute
   ```
The sections that follow are necessary in order to prepare a pre-encrypted Windows VHD for deployment as an encrypted VHD in Azure IaaS. The steps are used to prepare and boot a fresh Windows VM (VHD) on Hyper-V or Azure.
You need to configure the BitLocker Group Policy setting called BitLocker Drive Encryption, located under Local Computer Policy \Computer Configuration\Administrative Templates\Windows Components. Change this setting to: Operating System Drives - Require additional authentication at startup - Allow BitLocker without a compatible TPM as shown in the figure below:
For Windows Server 2012 and above, use the command below:

```
dism /online /Enable-Feature /all /FeatureName:Bitlocker /quiet /norestart
```

For Windows Server 2008 R2, use the command below:

```
ServerManagerCmd -install BitLocker
```

Execute the command below to compress the OS partition and prepare the machine for BitLocker:

```
bdehdcfg -target c: shrink -quiet
```

Use the manage-bde command to enable encryption on the boot volume using an external key protector, and place the external key (.bek file) on the external drive or volume. Encryption will be enabled on the system/boot volume after the next reboot.

```
manage-bde -on %systemdrive% -sk [ExternalDriveOrVolume]
reboot
```
Note: The VM needs to be prepared with a separate data/resource vhd for getting the external key using BitLocker.
Encryption of OS drive on a running Linux VM is supported on the following distros:
- RHEL 7.2
- CentOS 7.2
- Ubuntu 16.04
Prerequisites for OS disk encryption:
- VM must be created from Azure Gallery image in Azure Resource Manager portal.
- Azure VM with at least 4 GB of RAM (recommended size is 7 GB).
- (For RHEL and CentOS) SELinux must be disabled on the VM. The VM must be rebooted at least once after disabling SELinux.
1. Create a VM using one of the distros specified above.
   For CentOS 7.2, OS disk encryption is supported via a special image. To use this image, specify "7.2n" as the Sku when creating the VM:

   ```powershell
   Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "OpenLogic" -Offer "CentOS" -Skus "7.2n" -Version "latest"
   ```
2. Configure the VM according to your needs. If you are going to encrypt all the (OS + data) drives, the data drives need to be specified and mountable from /etc/fstab.
   Note: You must use UUID=... to specify data drives in /etc/fstab instead of specifying the block device name, e.g., /dev/sdb1. During encryption the order of drives will change on the VM. If your VM relies on a specific order of block devices, it will fail to mount them after encryption.
3. Log out of all SSH sessions.
4. To encrypt the OS, specify volumeType as "All" or "OS" when enabling encryption.
   Note: All user-space processes that are not running as systemd services will be killed with a SIGKILL, and the VM will be rebooted. Plan on downtime of the VM when enabling OS disk encryption on a running VM.
5. Periodically monitor the progress of encryption using the instructions in the next section.
6. Once Get-AzureRmVmDiskEncryptionStatus shows "VMRestartPending", restart your VM, either by logging on to it or via Portal/PowerShell/CLI.

   ```powershell
   C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName -ExtensionName $ExtensionName

   OsVolumeEncrypted          : VMRestartPending
   DataVolumesEncrypted       : NotMounted
   OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
   ProgressMessage            : OS disk successfully encrypted, please reboot the VM
   ```
   It is recommended to save boot diagnostics of the VM before rebooting.
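The note in step 2 above requires data drives to be referenced by UUID in /etc/fstab, because device names such as /dev/sdb1 change order once encryption runs. The Python below is an added example (not Microsoft's code) that rewrites such entries and reports any device that could not be resolved; the fstab text and the device-to-UUID mapping are constructed stand-ins for the real file and for the output of `blkid -s UUID -o value <device>`.

```python
"""Rewrite /etc/fstab block-device specs to UUID= before enabling OS disk encryption."""
import re

# Kernel device names of the kind the page warns about (e.g. /dev/sdb1).
BLOCK_DEV_RE = re.compile(r"^/dev/(?:sd|vd|xvd)[a-z]+\d*$")

# Constructed sample fstab: root already by UUID, two data disks by device name,
# one data disk whose UUID is missing from the mapping (simulates a blkid miss).
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 /        ext4  defaults        0 1
/dev/sdc1                                 /data    xfs   defaults,nofail 0 2
/dev/sdd1                                 /logs    ext4  defaults,nofail 0 2
/dev/sde1                                 /scratch ext4  defaults        0 2
tmpfs                                     /tmp     tmpfs defaults        0 0
"""

# Constructed stand-in for blkid output: device -> filesystem UUID.
SAMPLE_UUIDS = {
    "/dev/sdc1": "11111111-2222-3333-4444-555555555555",
    "/dev/sdd1": "66666666-7777-8888-9999-aaaaaaaaaaaa",
}


def device_specs(fstab_text):
    """Return the first-field device names that still need converting to UUID=."""
    found = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and BLOCK_DEV_RE.match(fields[0]):
            found.append(fields[0])
    return found


def rewrite_fstab(fstab_text, uuid_of):
    """Replace /dev/... specs with UUID=... using the uuid_of mapping.

    Returns (new_text, unresolved). Lines whose device has no known UUID are
    left unchanged and listed in unresolved so an admin can fix them by hand;
    comments, blank lines and non-device specs (UUID=, tmpfs, ...) are untouched.
    """
    out, unresolved = [], []
    for line in fstab_text.splitlines():
        m = re.match(r"^(\s*)(\S+)(.*)$", line)
        spec = m.group(2) if m else ""
        if m and not spec.startswith("#") and BLOCK_DEV_RE.match(spec):
            uuid = uuid_of.get(spec)
            if uuid:
                line = m.group(1) + "UUID=" + uuid + m.group(3)
            else:
                unresolved.append(spec)
        out.append(line)
    return "\n".join(out) + "\n", unresolved


if __name__ == "__main__":
    new_text, missing = rewrite_fstab(SAMPLE_FSTAB, SAMPLE_UUIDS)
    print(new_text)
    print("still referenced by device name:", missing)
```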
There are three ways to monitor OS encryption progress.
1. Use the Get-AzureRmVmDiskEncryptionStatus cmdlet and inspect the ProgressMessage field:

   ```powershell
   OsVolumeEncrypted          : EncryptionInProgress
   DataVolumesEncrypted       : NotMounted
   OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
   ProgressMessage            : OS disk encryption started
   ```
   Once the VM reaches "OS disk encryption started", it will take roughly 40-50 minutes on a Premium-storage backed VM.
   Due to issue #388 in WALinuxAgent, OsVolumeEncrypted and DataVolumesEncrypted show up as Unknown in some distros. With WALinuxAgent version 2.1.5 and above this is fixed automatically. In case you see Unknown in the output, you can verify the disk encryption status by using Azure Resource Viewer.
   Go to Azure Resource Viewer, then expand this hierarchy in the selection panel on the left:

   ```
   |-- subscriptions
       |-- [Your subscription]
           |-- resourceGroups
               |-- [Your resource group]
                   |-- providers
                       |-- Microsoft.Compute
                           |-- virtualMachines
                               |-- [Your virtual machine]
                                   |-- InstanceView
   ```
   In the InstanceView, scroll down to see the encryption status of your drives.
2. Look at boot diagnostics. Messages from the ADE extension are prefixed with [AzureDiskEncryption].
3. Log on to the VM via SSH and get the extension log from /var/log/azure/Microsoft.Azure.Security.AzureDiskEncryptionForLinux. It is not recommended to log on to the VM while OS encryption is in progress. Therefore, the logs should be copied only when the other two methods have failed.
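The status section and the monitoring steps above describe the same set of Get-AzureRmVmDiskEncryptionStatus state values (Encrypted, NotEncrypted, EncryptionInProgress, VMRestartPending, NotMounted, Unknown). The Python below is an added example (not Microsoft's code) that parses the cmdlet's "Name : Value" text, turns it into a compliance verdict with those meanings, and checks that the secret URL reported on completion points at the expected Key Vault; the sample outputs are constructed after the page's own, and `expected_vault` is a hypothetical parameter.

```python
"""Compliance verdict from Get-AzureRmVmDiskEncryptionStatus text output."""
import re
from urllib.parse import urlparse

# Constructed samples modelled on the cmdlet output shown on this page.
SAMPLE_MIXED = """\
OsVolumeEncrypted          : NotEncrypted
DataVolumesEncrypted       : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : https://rheltest1keyvault.vault.azure.net/secrets/bdb6bfb1-5431-4c28-af46-b18d0025ef2a/abebacb83d864a5fa729508315020f8a
"""
SAMPLE_RESTART = """\
OsVolumeEncrypted          : VMRestartPending
DataVolumesEncrypted       : NotMounted
ProgressMessage            : OS disk successfully encrypted, please reboot the VM
"""
SAMPLE_UNKNOWN = """\
OsVolumeEncrypted          : Unknown
DataVolumesEncrypted       : Unknown
ProgressMessage            :
"""


def parse_status(text):
    """Turn the cmdlet's 'Name : Value' lines into a dict (empty value -> '')."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify(fields, expected_vault=None):
    """Return {'compliant', 'findings', 'secret_host'} for one VM's status fields.

    expected_vault (hypothetical parameter) is the Key Vault name in which the
    VM's disk encryption secret is required to live.
    """
    os_state = fields.get("OsVolumeEncrypted", "Unknown")
    data_state = fields.get("DataVolumesEncrypted", "Unknown")
    findings = []

    # Some distros report Unknown (WALinuxAgent issue #388, as noted on this page):
    # not a pass, but not proof of a problem either; verify via InstanceView.
    if "Unknown" in (os_state, data_state):
        findings.append(("UNKNOWN", "agent did not report state; check InstanceView in Azure Resource Viewer"))

    if os_state == "VMRestartPending":
        findings.append(("ACTION", "OS disk encrypted; reboot the VM to finish"))
    elif os_state == "EncryptionInProgress":
        findings.append(("PENDING", "OS disk encryption in progress"))
    elif os_state == "NotEncrypted":
        findings.append(("NONCOMPLIANT", "OS volume is not encrypted"))

    if data_state == "NotEncrypted":
        findings.append(("NONCOMPLIANT", "data volumes are not encrypted"))
    elif data_state == "EncryptionInProgress":
        findings.append(("PENDING", "data volume encryption in progress"))
    # NotMounted is treated here as "no data volumes present" (assumption).

    # Once complete, ProgressMessage carries the Key Vault secret URL (see the page's output).
    secret_host = None
    m = re.search(r"https://\S+", fields.get("ProgressMessage", ""))
    if m:
        secret_host = (urlparse(m.group(0)).hostname or "").lower()
        if not secret_host.endswith(".vault.azure.net"):
            findings.append(("NONCOMPLIANT", "secret URL host is not a Key Vault: " + secret_host))
        elif expected_vault and secret_host != expected_vault.lower() + ".vault.azure.net":
            findings.append(("NONCOMPLIANT", "secret stored in unexpected vault " + secret_host))

    compliant = (os_state == "Encrypted"
                 and data_state in ("Encrypted", "NotMounted")
                 and all(sev != "NONCOMPLIANT" for sev, _ in findings))
    return {"compliant": compliant, "findings": findings, "secret_host": secret_host}


if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED), ("restart", SAMPLE_RESTART), ("unknown", SAMPLE_UNKNOWN)):
        print(name, classify(parse_status(sample), expected_vault="rheltest1keyvault"))
```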
1. Select "Configure encrypted volumes" when partitioning disks.
2. Create a separate boot drive, which must not be encrypted. Encrypt your root drive.
3. Provide a passphrase. This is the passphrase that you will upload into KeyVault.
4. Finish partitioning.
5. When booting the VM, you will be asked for a passphrase. Use the passphrase you provided in step 3.
6. Prepare the VM for uploading into Azure using these instructions. Do not run the last step (deprovisioning the VM) yet.
1. Create a file under /usr/local/sbin/azure_crypt_key.sh with the content of the script below. Pay attention to KeyFileName, because it is the name of the passphrase file placed by Azure.

   ```sh
   #!/bin/sh
   # Key script invoked from /etc/crypttab at boot: looks for the passphrase file
   # that Azure places on an attached vfat/ntfs volume and prints it for cryptsetup.
   MountPoint=/tmp-keydisk-mount
   KeyFileName=LinuxPassPhraseFileName
   echo "Trying to get the key from disks ..." >&2
   mkdir -p $MountPoint
   modprobe vfat >/dev/null 2>&1
   modprobe ntfs >/dev/null 2>&1
   sleep 2
   OPENED=0
   cd /sys/block
   # Try the first partition of every SCSI disk, read-only, as vfat and then ntfs.
   for DEV in sd*; do
       echo "> Trying device: $DEV ..." >&2
       mount -t vfat -r /dev/${DEV}1 $MountPoint >/dev/null ||
           mount -t ntfs -r /dev/${DEV}1 $MountPoint >/dev/null
       if [ -f $MountPoint/$KeyFileName ]; then
           # The file's contents are the passphrase; emit them on stdout for cryptsetup.
           cat $MountPoint/$KeyFileName
           umount $MountPoint 2>/dev/null
           OPENED=1
           break
       fi
       umount $MountPoint 2>/dev/null
   done
   if [ $OPENED -eq 0 ]; then
       # No key file found: fall back to an interactive prompt on the console.
       echo "FAILED to find suitable passphrase file ..." >&2
       echo -n "Try to enter your password: " >&2
       read -s -r A </dev/console
       echo -n "$A"
   else
       echo "Success loading keyfile!" >&2
   fi
   ```
2. Change the crypt config in /etc/crypttab. It should look like this:

   ```
   xxx_crypt uuid=xxxxxxxxxxxxxxxxxxxxx none luks,discard,keyscript=/usr/local/sbin/azure_crypt_key.sh
   ```
3. If you edited azure_crypt_key.sh in Windows and copied it to Linux, do not forget to run dos2unix /usr/local/sbin/azure_crypt_key.sh.
4. Add executable permissions to the script:

   ```sh
   chmod +x /usr/local/sbin/azure_crypt_key.sh
   ```
5. Edit /etc/initramfs-tools/modules by appending these lines:

   ```
   vfat
   ntfs
   nls_cp437
   nls_utf8
   nls_iso8859-1
   ```
6. Run update-initramfs -u -k all to update the initramfs so that the keyscript takes effect.
7. Now you can deprovision the VM.
8. Continue to the next step and upload your VHD into Azure.
1. Select "Encrypt Volume Group" when partitioning disks. Provide a passphrase. This is the passphrase that you will upload into KeyVault.
2. Boot the VM using your passphrase.
3. Prepare the VM for uploading into Azure using these instructions. Do not run the last step (deprovisioning the VM) yet.
1. Edit /etc/dracut.conf and add the following line:

   ```
   add_drivers+=" vfat ntfs nls_cp437 nls_iso8859-1"
   ```
2. Comment out these lines near the end of the file “/usr/lib/dracut/modules.d/90crypt/module-setup.sh”:

   ```sh
   # inst_multiple -o \
   #   $systemdutildir/system-generators/systemd-cryptsetup-generator \
   #   $systemdutildir/systemd-cryptsetup \
   #   $systemdsystemunitdir/systemd-ask-password-console.path \
   #   $systemdsystemunitdir/systemd-ask-password-console.service \
   #   $systemdsystemunitdir/cryptsetup.target \
   #   $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
   #   systemd-ask-password systemd-tty-ask-password-agent
   # inst_script "$moddir"/crypt-run-generator.sh /sbin/crypt-run-generator
   ```
3. Append the following line at the beginning of the file “/usr/lib/dracut/modules.d/90crypt/parse-crypt.sh”:

   ```sh
   DRACUT_SYSTEMD=0
   ```
   and change all occurrences of

   ```sh
   if [ -z "$DRACUT_SYSTEMD" ]; then
   ```
   to

   ```sh
   if [ 1 ]; then
   ```
4. Edit /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh and append this after the “# Open LUKS device” line:

   ```sh
   # Look for the Azure-provided passphrase file on an attached vfat/ntfs volume
   # and hand it to cryptsetup as a key file instead of prompting on the console.
   MountPoint=/tmp-keydisk-mount
   KeyFileName=LinuxPassPhraseFileName
   echo "Trying to get the key from disks ..." >&2
   mkdir -p $MountPoint >&2
   modprobe vfat >/dev/null >&2
   modprobe ntfs >/dev/null >&2
   for SFS in /dev/sd*; do
       echo "> Trying device:$SFS..." >&2
       mount ${SFS}1 $MountPoint -t vfat -r >&2 ||
           mount ${SFS}1 $MountPoint -t ntfs -r >&2
       if [ -f $MountPoint/$KeyFileName ]; then
           echo "> keyfile got..." >&2
           cp $MountPoint/$KeyFileName /tmp-keyfile >&2
           luksfile=/tmp-keyfile
           umount $MountPoint >&2
           break
       fi
   done
   ```
5. Run “/usr/sbin/dracut -f -v” to update the initrd.
6. Now you can deprovision the VM and upload your VHD into Azure.
1. Select "Encrypt my data" when partitioning disks.
2. Make sure "Encrypt" is selected for the root partition.
3. Provide a passphrase. This is the passphrase that you will upload into KeyVault.
4. When booting the VM, you will be asked for a passphrase. Use the passphrase you provided in step 3.
5. Prepare the VM for uploading into Azure using these instructions. Do not run the last step (deprovisioning the VM) yet.
6. Now you can deprovision the VM and upload your VHD into Azure.
1. Edit /etc/dracut.conf and add the following line:

   ```
   add_drivers+=" vfat ntfs nls_cp437 nls_iso8859-1"
   ```
2. Comment out these lines near the end of the file “/usr/lib/dracut/modules.d/90crypt/module-setup.sh”:

   ```sh
   # inst_multiple -o \
   #   $systemdutildir/system-generators/systemd-cryptsetup-generator \
   #   $systemdutildir/systemd-cryptsetup \
   #   $systemdsystemunitdir/systemd-ask-password-console.path \
   #   $systemdsystemunitdir/systemd-ask-password-console.service \
   #   $systemdsystemunitdir/cryptsetup.target \
   #   $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
   #   systemd-ask-password systemd-tty-ask-password-agent
   # inst_script "$moddir"/crypt-run-generator.sh /sbin/crypt-run-generator
   ```
3. Append the following line at the beginning of the file “/usr/lib/dracut/modules.d/90crypt/parse-crypt.sh”:

   ```sh
   DRACUT_SYSTEMD=0
   ```
   and change all occurrences of

   ```sh
   if [ -z "$DRACUT_SYSTEMD" ]; then
   ```
   to

   ```sh
   if [ 1 ]; then
   ```
4. Edit /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh and append this after the “# Open LUKS device” line:

   ```sh
   # Look for the Azure-provided passphrase file on an attached vfat/ntfs volume
   # and hand it to cryptsetup as a key file instead of prompting on the console.
   MountPoint=/tmp-keydisk-mount
   KeyFileName=LinuxPassPhraseFileName
   echo "Trying to get the key from disks ..." >&2
   mkdir -p $MountPoint >&2
   modprobe vfat >/dev/null >&2
   modprobe ntfs >/dev/null >&2
   for SFS in /dev/sd*; do
       echo "> Trying device:$SFS..." >&2
       mount ${SFS}1 $MountPoint -t vfat -r >&2 ||
           mount ${SFS}1 $MountPoint -t ntfs -r >&2
       if [ -f $MountPoint/$KeyFileName ]; then
           echo "> keyfile got..." >&2
           cp $MountPoint/$KeyFileName /tmp-keyfile >&2
           luksfile=/tmp-keyfile
           umount $MountPoint >&2
           break
       fi
   done
   ```
5. Run “/usr/sbin/dracut -f -v” to update the initrd.
Once BitLocker encryption or DM-Crypt encryption is enabled, the local encrypted VHD needs to be uploaded to your storage account.

```powershell
Add-AzureRmVhd [-Destination] <Uri> [-LocalFilePath] <FileInfo> [[-NumberOfUploaderThreads] <Int32> ] [[-BaseImageUriToPatch] <Uri> ] [[-OverWrite]] [ <CommonParameters>]
```
The disk encryption secret obtained previously needs to be uploaded as a secret in Key Vault. The Key Vault needs to have permissions enabled for your AAD client as well as disk encryption.
```powershell
$AadClientId = "YourAADClientId"
$AadClientSecret = "YourAADClientSecret"
$KeyVault = New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $Location
# Note: the CLI steps earlier in this document grant only wrapKey on keys and set on secrets;
# "all" is broader than disk encryption itself requires.
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -ServicePrincipalName $AadClientId -PermissionsToKeys all -PermissionsToSecrets all
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -EnabledForDiskEncryption
```
Use Set-AzureKeyVaultSecret to provision the secret in Key Vault. In the case of a Windows virtual machine, the .bek file is encoded as a base64 string and then uploaded to Key Vault using the Set-AzureKeyVaultSecret cmdlet. For Linux, the passphrase is encoded as a base64 string and then uploaded to Key Vault. In addition, make sure that the following tags are set while creating the secret in Key Vault.

```powershell
# This is the passphrase that was provided for encryption during distro install
$passphrase = "contoso-password"
$tags = @{"DiskEncryptionKeyEncryptionAlgorithm" = "RSA-OAEP"; "DiskEncryptionKeyFileName" = "LinuxPassPhraseFileName"}
$secretName = [guid]::NewGuid().ToString()
$secretValue = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($passphrase))
$secureSecretValue = ConvertTo-SecureString $secretValue -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $secretName -SecretValue $secureSecretValue -tags $tags
$secretUrl = $secret.Id
```

The $secretUrl is used in the next step for attaching the OS disk without using a KEK.
The secret can optionally be encrypted with a Key Encryption Key before uploading to Key vault. Use the wrap API to first encrypt the secret using the Key Encryption Key. The output of this wrap operation is a base64 URL encoded string which is then uploaded as a secret using the Set-AzureKeyVaultSecret cmdlet.
```powershell
# This is the passphrase that was provided for encryption during distro install
$passphrase = "contoso-password"
Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name "keyencryptionkey" -Destination Software
$KeyEncryptionKey = Get-AzureKeyVaultKey -VaultName $KeyVault.OriginalVault.Name -Name "keyencryptionkey"
$apiversion = "2015-06-01"

##############################
# Get Auth URI
##############################
$uri = $KeyVault.VaultUri + "/keys"
$headers = @{}
$response = try { Invoke-RestMethod -Method GET -Uri $uri -Headers $headers } catch { $_.Exception.Response }
$authHeader = $response.Headers["www-authenticate"]
$authUri = [regex]::match($authHeader, 'authorization="(.*?)"').Groups[1].Value
Write-Host "Got Auth URI successfully"

##############################
# Get Auth Token
##############################
$uri = $authUri + "/oauth2/token"
$body = "grant_type=client_credentials"
$body += "&client_id=" + $AadClientId
$body += "&client_secret=" + [Uri]::EscapeDataString($AadClientSecret)
$body += "&resource=" + [Uri]::EscapeDataString("https://vault.azure.net")
$headers = @{}
$response = Invoke-RestMethod -Method POST -Uri $uri -Headers $headers -Body $body
$access_token = $response.access_token
Write-Host "Got Auth Token successfully"

##############################
# Get KEK info
##############################
$uri = $KeyEncryptionKey.Id + "?api-version=" + $apiversion
$headers = @{"Authorization" = "Bearer " + $access_token}
$response = Invoke-RestMethod -Method GET -Uri $uri -Headers $headers
$keyid = $response.key.kid
Write-Host "Got KEK info successfully"

##############################
# Encrypt passphrase using KEK
##############################
$passphraseB64 = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($Passphrase))
$uri = $keyid + "/encrypt?api-version=" + $apiversion
$headers = @{"Authorization" = "Bearer " + $access_token; "Content-Type" = "application/json"}
$bodyObj = @{"alg" = "RSA-OAEP"; "value" = $passphraseB64}
$body = $bodyObj | ConvertTo-Json
$response = Invoke-RestMethod -Method POST -Uri $uri -Headers $headers -Body $body
$wrappedSecret = $response.value
Write-Host "Encrypted passphrase successfully"

##############################
# Store secret
##############################
$secretName = [guid]::NewGuid().ToString()
$uri = $KeyVault.VaultUri + "/secrets/" + $secretName + "?api-version=" + $apiversion
$secretAttributes = @{"enabled" = $true}
$secretTags = @{"DiskEncryptionKeyEncryptionAlgorithm" = "RSA-OAEP"; "DiskEncryptionKeyFileName" = "LinuxPassPhraseFileName"}
$headers = @{"Authorization" = "Bearer " + $access_token; "Content-Type" = "application/json"}
$bodyObj = @{"value" = $wrappedSecret; "attributes" = $secretAttributes; "tags" = $secretTags}
$body = $bodyObj | ConvertTo-Json
$response = Invoke-RestMethod -Method PUT -Uri $uri -Headers $headers -Body $body
Write-Host "Stored secret successfully"
$secretUrl = $response.id
```

The $KeyEncryptionKey and $secretUrl are used in the next step for attaching the OS disk using a KEK.
While attaching the OS disk, $secretUrl needs to be passed. The URL was generated in the section "disk encryption secret not encrypted with a KEK".

```powershell
Set-AzureRmVMOSDisk `
    -VM $VirtualMachine `
    -Name $OSDiskName `
    -SourceImageUri $VhdUri `
    -VhdUri $OSDiskUri `
    -Linux `
    -CreateOption FromImage `
    -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -DiskEncryptionKeyUrl $SecretUrl
```

While attaching the OS disk, $KeyEncryptionKey and $secretUrl need to be passed. The URL was generated in the section "disk encryption secret encrypted with a KEK".

```powershell
Set-AzureRmVMOSDisk `
    -VM $VirtualMachine `
    -Name $OSDiskName `
    -SourceImageUri $CopiedTemplateBlobUri `
    -VhdUri $OSDiskUri `
    -Linux `
    -CreateOption FromImage `
    -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -DiskEncryptionKeyUrl $SecretUrl `
    -KeyEncryptionKeyVaultId $KeyVault.ResourceId `
    -KeyEncryptionKeyURL $KeyEncryptionKey.Id
```
You can download this guide from the TechNet Gallery.
Explore Azure Disk Encryption with Azure PowerShell
Explore Azure Disk Encryption with Azure PowerShell - Part 2