Encrypt Virtual Machine Using Azure Key Vault.

What is Azure Key Vault?

Azure Key Vault help us to safeguard cryptographic keys and secrets used by cloud applications & services. We can use Key Vault for storing keys & secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords. Key Vault streamline the key management process and enables you to maintain control of keys that access and encrypt your data.

Lets look how we can leverage the Key Vault to encrypt Azure VM.

First we have to create an Azure Key Vault for this demo I use PowerShell, as an alternative we can use Portal.

#Define Veriables

$keyVaultName = 'KVcontoso'
$RGName = 'KeyVault'
$location = 'Southeast Asia'
$aadClientSecret = 'contosoClientSec'
$appDisplayName = 'contosoEncryptApp'

#Create New RG
New-AzureRmResourceGroup -Name $RGName -Location $location

#Create Key Vault
New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $RGName -Location $location 

1

As of the creation of the key vault you will grant the relevant access policies. We can change those permission as our requirements.

2

Next we have to enable the Enabled For Disk Encryption access policy.

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $RGName -EnabledForDiskEncryption

Lets see is it enabled

Get-AzureRmKeyVault -VaultName $keyVaultName

3

In Portal

4

Register AAD (Azure AD) application we use this application to encrypt the services and applications.

For -HomePage  -IdentifierUris  we can use a meaningful  URI

$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName -HomePage 'http://homeEcryptApp' -IdentifierUris 'http://uriContosoEncryptApp' -Password $aadClientSecret

5

Lets check the AAD for the app registration

6

Next step we need to assign Key Vault permission to newly created app.

$appID = $aadApp.ApplicationId
$aadServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $appID
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $appID -PermissionsToKeys all -PermissionsToSecrets all

7

Lets deploy Azure VM and enable the disk encryption for OS disk

Before Encryption

8

Now we’ll enable the drive encryption. Following code I declare additional variable that required for encryption

#encript OS Disk

$keyvault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $RGName
$keyVaultURI = $keyvault.VaultUri
$keyvaultRID = $keyvault.ResourceId
$kekURI = $keyvault
$vmName = (Get-AzureRmVM -ResourceGroupName $RGName -Name keyvaultvm).Name

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName -AadClientID $adapp.ApplicationId -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $keyVaultURI -DiskEncryptionKeyVaultId $keyvaultRID -Verbose

You will get the following prompt when enable the encryption on disks. It will take 10-15 Min and restart the VM.
9

If the encryption succeed you will get following output
10

Now Lets see inside the VM and verify the OS disk is encripted.
11
As you see above the disk are encrypted using Bitlocker. Lets see it in the portal and verify the secret is created for this VM.
12

 

, , , , ,

Post navigation