What is Azure Key Vault?
Azure Key Vault helps us safeguard the cryptographic keys and secrets used by cloud applications and services. We can use Key Vault to store keys and secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords. Key Vault streamlines the key management process and lets you keep control of the keys that access and encrypt your data.
Let's look at how we can use Key Vault to encrypt an Azure VM.
First we have to create an Azure Key Vault. For this demo I use PowerShell; the Portal works just as well.
#Define variables (AzureRm module; run Login-AzureRmAccount first)
$keyVaultName = 'KVcontoso'
$RGName = 'KeyVault'
$location = 'Southeast Asia'
$aadClientSecret = 'contosoClientSec'   # demo value only; use a strong, generated secret in practice
$appDisplayName = 'contosoEncryptApp'
#Create new resource group
New-AzureRmResourceGroup -Name $RGName -Location $location
#Create Key Vault
New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $RGName -Location $location
When the key vault is created, the account that created it is granted an access policy on it. We can change those permissions as required.
Next we have to set the vault's Enabled For Disk Encryption property. This is a vault-level setting, not a per-principal access policy: it allows the Azure platform to read the BitLocker secrets from this vault when a VM boots.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $RGName -EnabledForDiskEncryption
Let's check whether it is enabled:
Get-AzureRmKeyVault -VaultName $keyVaultName
In the Portal:
Next, register an AAD (Azure AD) application. The disk encryption extension authenticates with this application's credentials to write the BitLocker keys into the Key Vault.
For -HomePage and -IdentifierUris we can use any meaningful URI; they are not resolved.
#Register the AAD application; the app's client secret is $aadClientSecret
#Note: newer AzureRm versions expect -Password as a SecureString (ConvertTo-SecureString $aadClientSecret -AsPlainText -Force)
$aadApp = New-AzureRmADApplication -DisplayName $appDisplayName -HomePage 'http://homeEcryptApp' -IdentifierUris 'http://uriContosoEncryptApp' -Password $aadClientSecret
Let's check AAD for the app registration:
Next we need to grant the newly created app permissions on the Key Vault.
$appID = $aadApp.ApplicationId
#A service principal is needed before the app can be referenced in an access policy
$aadServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $appID
#Grant the app access to keys and secrets. 'all' is more than disk encryption needs:
#the extension only requires wrapKey on keys and set on secrets, so narrow this outside a demo
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $appID -PermissionsToKeys all -PermissionsToSecrets all
Let's deploy an Azure VM and enable disk encryption for the OS disk.
Before encryption:
Now we'll enable drive encryption. In the following code I declare the additional variables required for encryption and then call the extension.
#Encrypt OS disk
$keyvault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $RGName
$keyVaultURI = $keyvault.VaultUri      # where the extension writes the BitLocker secret
$keyvaultRID = $keyvault.ResourceId    # ARM id of the vault, stored in the VM model
#No key encryption key (KEK) is used in this demo, so the KEK parameters are omitted
$vmName = (Get-AzureRmVM -ResourceGroupName $RGName -Name keyvaultvm).Name
#-VolumeType OS restricts encryption to the OS disk; the default is All
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $vmName -AadClientID $aadApp.ApplicationId -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $keyVaultURI -DiskEncryptionKeyVaultId $keyvaultRID -VolumeType OS -Verbose
You will get the following prompt when enabling encryption on the disks. It takes 10-15 minutes and restarts the VM.
If the encryption succeeds you will get the following output:
Now let's look inside the VM and verify that the OS disk is encrypted.
As you can see above, the disk is encrypted with BitLocker. Let's check the portal and verify that the secret was created for this VM.
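Checking the guest and the portal by eye is fine for a demo, but the same verification can be scripted from the management plane. The following is an added example, not code from the original post: it assumes the variables from the steps above ($RGName, $keyVaultName, $vmName) are still in the session, that the AzureRm module is loaded, and that the status object returned by Get-AzureRmVMDiskEncryptionStatus exposes OsVolumeEncrypted, ProgressMessage and OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl as in the AzureRm documentation (adjust the property names if your module version differs). It confirms the OS volume reports Encrypted, follows the secret URL recorded in the VM model back to our vault, and flags any access policy that still grants 'all'.

```powershell
# Added verification example (not part of the original post).
# Assumes $RGName, $keyVaultName and $vmName from the earlier steps exist,
# and the AzureRm property layout described in the lead-in.

function Test-VmOsDiskEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $VaultName
    )

    # 1. Ask the platform (not the guest) whether the OS volume is encrypted.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    if ($status.OsVolumeEncrypted -ne 'Encrypted') {
        throw "OS volume of $VMName is '$($status.OsVolumeEncrypted)', expected 'Encrypted'. $($status.ProgressMessage)"
    }

    # 2. Follow the secret URL stored in the VM model and confirm the secret is in OUR vault.
    #    Secret URLs have the form https://<vault>.vault.azure.net/secrets/<name>/<version>
    $secretUrl = $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl
    if (-not $secretUrl) { throw "VM $VMName has no DiskEncryptionKey secret URL recorded" }
    $uri = [Uri] $secretUrl
    if ($uri.Host -notlike "$VaultName.*") {
        throw "BitLocker secret lives in $($uri.Host), not in vault $VaultName"
    }
    $secretName = $uri.Segments[2].TrimEnd('/')
    $secret = Get-AzureRmKeyVaultSecret -VaultName $VaultName -Name $secretName
    if (-not $secret) { throw "Secret $secretName not found in $VaultName" }

    # 3. Least-privilege check: disk encryption needs only wrapKey on keys and set on secrets,
    #    so any policy granting 'all' is broader than required.
    $vault = Get-AzureRmKeyVault -VaultName $VaultName
    foreach ($policy in $vault.AccessPolicies) {
        if (($policy.PermissionsToSecrets -contains 'all') -or ($policy.PermissionsToKeys -contains 'all')) {
            Write-Warning "Access policy for '$($policy.DisplayName)' grants 'all'; consider narrowing it"
        }
    }

    # Return a summary object so the result can be logged or asserted on.
    [pscustomobject]@{
        VMName     = $VMName
        OsVolume   = $status.OsVolumeEncrypted
        Vault      = $uri.Host
        SecretName = $secretName
        SecretTags = $secret.Tags
    }
}

Test-VmOsDiskEncryption -ResourceGroupName $RGName -VMName $vmName -VaultName $keyVaultName
```

The vault-host check matters: a VM's encryption settings can point at any vault the extension was given, so verifying that the secret URL resolves to the vault you control (and that the secret actually exists there) is what proves the recovery key did not land somewhere else.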