
In this Azure tutorial, we walk through how to encrypt an Azure Linux VM with PowerShell (Azure Disk Encryption). Along the way we also cover what disk encryption in Azure is and how to enable disk encryption from the Azure Portal.
Table of Contents
- Step-by-Step Guide: How to Encrypt Azure Linux VM PowerShell
- What is disk encryption in Azure?
- Prerequisites
- Connect with Azure
- Creating the Resource Group using PowerShell
- Enabling Azure Key Vault using PowerShell
- Creating Azure Key Vault using PowerShell
- Creating Access Policy using PowerShell
- Creating a new encryption key using PowerShell
- Creating the Virtual Machine using PowerShell
- How to Encrypt Azure Linux VM
- How To Enable Disk Encryption in Azure Portal
- Wrapping Up
Step-by-Step Guide: How to Encrypt Azure Linux VM PowerShell
Here we go step by step through encrypting an Azure Linux VM with PowerShell. Before that, a short explanation of what disk encryption in Azure actually is.
What is disk encryption in Azure?
Azure Disk Encryption (ADE) encrypts the OS and data volumes of an Azure virtual machine so that the data at rest on the underlying disks is protected. On Linux VMs the encryption is performed inside the guest with dm-crypt, and the encryption secrets (plus, optionally, a key encryption key that wraps them) are stored in an Azure Key Vault that you control, not on the disk itself. Whenever the confidentiality of data inside an Azure VM matters, ADE backed by Azure Key Vault is the option to look at.
Prerequisites
Consider the below points as the prerequisites in this case:
- The VM should run Ubuntu 14.04.5, 16.04, 18.04 or a newer supported release.
- Or it should run CentOS 6.8, 7.2n or a later 7.x release (check the current Azure Disk Encryption support matrix for your distribution before you start).
- The VM should be configured with a minimum of 8 GB RAM (the Standard_D2s_v3 size used below qualifies).
- The guest kernel must have the dm-crypt and vfat modules available: ADE uses dm-crypt for the volume encryption and a small VFAT volume to hold the key material the VM needs at boot.
- The Azure PowerShell (Az) module must be installed, and the account you sign in with needs rights to create resources in the subscription.
Assuming these prerequisites are in place, let's start with the actual steps to encrypt an Azure Linux VM using PowerShell. The first step is to connect to Azure.
Connect with Azure
You can use the below PowerShell cmdlet to connect to Azure
PS C:\WINDOWS\system32> Connect-AzAccount
Once you run the above command, it prompts you for your Azure credentials, and then you will see output like the below.

Creating the Resource Group using PowerShell
As the next step, we create a new resource group using the below PowerShell cmdlet.
PS C:\WINDOWS\system32> New-AzResourceGroup -Name DEMORG1 -Location "East US"
Here, the name of my resource group is DEMORG1 and its location is "East US". Run the above PowerShell cmdlet to create the Azure resource group; you can see that the resource group was created without any issue. Keep the resource group, Key Vault and VM in the same region, because Azure Disk Encryption requires the Key Vault and the VM to be in the same region and subscription.

The complete output is as below
ResourceGroupName : DEMORG1
Location : eastus
ProvisioningState : Succeeded
Tags :
ResourceId : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1
Enabling Azure Key Vault using PowerShell
Let's register the Microsoft.KeyVault resource provider for the subscription using the below PowerShell cmdlet. This is a one-time step per subscription, and it is often already registered; the cmdlet is harmless to re-run.
PS C:\WINDOWS\system32> Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"
Once you execute the above PowerShell cmdlet, you can see that we got the expected output as below.

The complete output is as below
ProviderNamespace : Microsoft.KeyVault
RegistrationState : Registered
ResourceTypes : {vaults, vaults/secrets, vaults/accessPolicies, operations...}
Locations : {North Central US, East US, North Europe, West Europe...}
Creating Azure Key Vault using PowerShell
Now that the Key Vault resource provider is registered, let's create the Azure Key Vault with disk encryption enabled, using the below PowerShell cmdlet.
PS C:\WINDOWS\system32> New-AzKeyVault -Location "East US" -ResourceGroupName DEMORG1 -VaultName DEMOVAULfg -EnabledForDiskEncryption
In the above PowerShell cmdlet, DEMORG1 is the name of the resource group created above and DEMOVAULfg is the Azure Key Vault name (vault names are globally unique, so pick your own). The -EnabledForDiskEncryption switch is what allows the Azure compute platform to read the disk encryption secrets from this vault; without it the encryption step later fails. Note that the vault is created with the Standard SKU, which only supports software-protected keys. Let's run the above PowerShell cmdlet; you can see that we got the expected output.

The complete output is as below
Vault Name : DEMOVAULfg
Resource Group Name : DEMORG1
Location : East US
Resource ID : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.KeyVault/vaults/DEMOVAULfg
Vault URI : https://demovaulfg.vault.azure.net/
Tenant ID : 5d9d690a-0310-474d-ae8b-42df2d549228
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : True
Enabled For RBAC Authorization? : False
Soft Delete Enabled? : True
Enabled Purge Protection? :
Soft Delete Retention Period (days) : 90
Enabled Purge Protection? :
Access Policies :
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
IP Rules :
Virtual Network Rules :
Tags :
Creating Access Policy using PowerShell
We have created the Azure Key Vault. Now it is time to add an access policy so that the account doing the work can create and manage keys in it. You can use the below PowerShell cmdlet.
Set-AzKeyVaultAccessPolicy -VaultName DEMOVAULfg -ObjectId 54481342-e592-47c2-ba89-b07dcadf9346 -PermissionsToKeys create,import,delete,list,get -PermissionsToSecrets set,delete -PassThru
In the above PowerShell cmdlet, replace the ObjectId with the Azure AD object ID of the account you signed in with (the one that ran Connect-AzAccount). It does not need to be a global admin; the policy is a Key Vault data-plane permission and should be granted to the operator only, with the minimum key and secret permissions that operator really needs. The VM itself does not use this policy: the platform's access for disk encryption comes from the -EnabledForDiskEncryption flag set when the vault was created. Once we have executed the above script, you can see the output below.
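The same access-policy step, as an added example that is not part of the original article: it resolves the signed-in user's object ID instead of pasting a GUID by hand, grants only the key permissions this walkthrough needs, and then reads the vault back to confirm what was written. It assumes an Az.Resources version that supports Get-AzADUser -SignedIn, and uses the resource group and vault names from this page.

```powershell
# Added example (not from the original article): least-privilege Key Vault access
# policy for the operator who will create the key encryption key (KEK).
# Assumes Az.Resources 5.x or later (for Get-AzADUser -SignedIn) and that
# Connect-AzAccount has already been run.
$RGName    = "DEMORG1"
$VaultName = "DEMOVAULfg"

# Resolve the Azure AD object ID of the signed-in account. This also works for
# guest (#EXT#) accounts, whose UPN differs from the sign-in name.
$me = Get-AzADUser -SignedIn
if (-not $me) { throw "Could not resolve the signed-in user; run Connect-AzAccount first." }

# Only what the operator needs: create/read/list keys, and list secrets so the
# disk-encryption secret written later by the extension can be seen to exist.
# Disk encryption itself is authorised by -EnabledForDiskEncryption on the vault,
# so no 'all', 'delete' or 'purge' rights are granted here.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName `
    -ObjectId $me.Id `
    -PermissionsToKeys create,get,list `
    -PermissionsToSecrets list

# Check: read the vault back and show the policy that was actually written.
$vault  = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $me.Id }
$policy | Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets

# Flag any policy on the vault (ours or a pre-existing one) that is broader than it
# should be for a vault holding disk-encryption material.
$broad = $vault.AccessPolicies | Where-Object {
    ($_.PermissionsToKeys -contains 'all') -or ($_.PermissionsToKeys -contains 'purge')
}
if ($broad) {
    Write-Warning ("Access policies with 'all'/'purge' key permissions: " + ($broad.DisplayName -join ', '))
}
```

If the Get-AzADUser -SignedIn call is not available in your Az version, look the user up with Get-AzADUser -UserPrincipalName and the UPN shown by (Get-AzContext).Account instead.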

The complete output is as below
Vault Name : DEMOVAULfg
Resource Group Name : DEMORG1
Location : East US
Resource ID : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.KeyVault/vaults/DEMOVAULfg
Vault URI : https://demovaulfg.vault.azure.net/
Tenant ID : xxxxxxx-0xxx-xxxx-xxxx-42xxxx49228
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : True
Enabled For RBAC Authorization? : False
Soft Delete Enabled? : True
Enabled Purge Protection? :
Soft Delete Retention Period (days) : 90
Enabled Purge Protection? :
Access Policies :
Tenant ID : xxxxxxxxx-0xxx-xxxx-ae8b-4xxxxd549228
Object ID : xxxxxxxx-e592-xxxx-ba89-xxxxcadf9xxx
Application ID :
Display Name : Bijay Kumar Sahoo (fewlines4biju_hotmail.com#EXT#@fewlines4bijuhotmail.onmicrosoft.com)
Permissions to Keys : create, import, delete, list, get
Permissions to Secrets : set, delete
Permissions to Certificates :
Permissions to (Key Vault Managed) Storage :
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
IP Rules :
Virtual Network Rules :
Tags :
Creating a new encryption key using PowerShell
The next step is to create a key in the vault using the below PowerShell cmdlet. This key is the key encryption key (KEK): the disk encryption extension generates the actual volume encryption secret itself and stores it in the vault as a secret, and the KEK is used to wrap (encrypt) that secret so it never sits in the vault in plain form.
Add-AzKeyVaultKey -VaultName DEMOVAULfg -Name "DEMOVMKey" -Destination "Software"
Once you execute the above PowerShell cmdlet, you can see that we got the expected output. One thing to note is the Destination value, which can be "Software" or "HSM". An HSM-protected key requires a Premium SKU vault (the vault above is Standard) and costs extra, so choose based on your requirement. The cmdlet creates an RSA key by default, which is what the disk encryption extension expects for a KEK.

You can see the complete output as below
Vault/HSM Name : demovaulfg
Name : DEMOVMKey
Version : b35cc866d1334086aecbb189aa8c6dff
Id : https://demovaulfg.vault.azure.net:443/keys/DEMOVMKey/b35cc866d1334086aecbb189aa8c6dff
Enabled : True
Expires :
Not Before :
Created : 12/19/2020 3:42:55 PM
Updated : 12/19/2020 3:42:55 PM
Recovery Level : Recoverable+Purgeable
Tags :
Creating the Virtual Machine using PowerShell
Now let's create the Linux virtual machine that we will encrypt. You can use the below PowerShell cmdlets to create the Azure Linux virtual machine.
To create the Virtual network, PublicIP, Subnet, you can check out How To Move Azure VM To A Different Resource Group PowerShell? now.
$loginDetails = Get-Credential
New-AzVm -ResourceGroupName DEMORG1 -Name "TSINFOVM08" -Location "eastus" -VirtualNetworkName "TsinfoNewVN" -SubnetName "myvmsubnet" -PublicIpAddressName "TSINFOVMIP" -OpenPorts 22 -Image Canonical:UbuntuServer:16.04-LTS:latest -Size Standard_D2s_v3 -Credential $loginDetails
Once we have executed the above PowerShell script, you can see that we got the expected output and the Linux virtual machine was created successfully. Note that -OpenPorts 22 creates a network security group rule that allows SSH from any source address; for anything beyond a throwaway demo, restrict the rule's source to your own address range (or remove the public IP and use Azure Bastion) before the VM goes live.

The complete output is as below
ResourceGroupName : DEMORG1
Id : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.Compute/virtualMachines/TSINFOVM08
VmId : 371d11c5-190c-4afb-9c0a-49db16303b95
Name : TSINFOVM08
Type : Microsoft.Compute/virtualMachines
Location : eastus
Tags : {}
HardwareProfile : {VmSize}
NetworkProfile : {NetworkInterfaces}
OSProfile : {ComputerName, AdminUsername, LinuxConfiguration, Secrets, AllowExtensionOperations, RequireGuestProvisionSignal}
ProvisioningState : Succeeded
StorageProfile : {ImageReference, OsDisk, DataDisks}
FullyQualifiedDomainName : tsinfovm08-759e49.eastus.cloudapp.azure.com
Now that our virtual machine is ready, let's enable encryption for it.
How to Encrypt Azure Linux VM
To encrypt the Azure Linux virtual machine, we need the resource ID and URI of the Azure Key Vault and the ID of the key encryption key. You can use the below PowerShell cmdlet to get the resource ID and URI of the Azure Key Vault.
Get-AzKeyVault -VaultName DEMOVAULfg -ResourceGroupName DEMORG1 | fl
Once we have executed the above PowerShell script, you can see the Resource ID and Vault URI of the Azure Key Vault in the output.

The complete output is as below
Vault Name : DEMOVAULfg
Resource Group Name : DEMORG1
Location : East US
Resource ID : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.KeyVault/vaults/DEMOVAULfg
Vault URI : https://demovaulfg.vault.azure.net/
Tenant ID : 5xxxxxxx-0310-xxxx-axxx-42df2d549228
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : True
Enabled For RBAC Authorization? : False
Soft Delete Enabled? : True
Enabled Purge Protection? :
Soft Delete Retention Period (days) : 90
Enabled Purge Protection? :
Access Policies :
Tenant ID : 5xxxxxxx-0310-xxxx-axxx-42df2d549228
Object ID : xxxxxxxx-e592-xxxx-xxxx-b07dxxxx9346
Application ID :
Display Name : Bijay Kumar Sahoo (fewlines4biju_hotmail.com#EXT#@fewlines4bijuhotmail.onmicrosoft.com)
Permissions to Keys : create, import, delete, list, get
Permissions to Secrets : set, delete
Permissions to Certificates :
Permissions to (Key Vault Managed) Storage :
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
IP Rules :
Virtual Network Rules :
Tags :
As the next step, we need the ID of the key encryption key, which we get using the below PowerShell cmdlet.
Get-AzKeyVaultKey -VaultName DEMOVMKey -VaultName DEMOVAULfg -Name DEMOVMKey
Once we have executed the above PowerShell script, you can see the key's versioned Id in the output. Use that full Id (including the version segment at the end) in the next step; a truncated or unversioned key URL is a common cause of the encryption step failing.

Here is the complete output as below
Vault/HSM Name : demovaulfg
Name : DEMOVMKey
Version : b35cc866d1334086aecbb189aa8c6dff
Id : https://demovaulfg.vault.azure.net:443/keys/DEMOVMKey/xxxxxxx334086aecbb189aa8c6dff
Enabled : True
Expires :
Not Before :
Created : 12/19/2020 3:42:55 PM
Updated : 12/19/2020 3:42:55 PM
Recovery Level : Recoverable+Purgeable
Tags :
Now it is time to encrypt the Azure Linux virtual machine using the below PowerShell cmdlet. The KeyEncryptionKeyUrl is the full versioned key Id from the previous step, and the two vault IDs are the Resource ID of the vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName DEMORG1 -VMName "TSINFOVM08" -DiskEncryptionKeyVaultUrl https://demovaulfg.vault.azure.net/ -DiskEncryptionKeyVaultId /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.KeyVault/vaults/DEMOVAULfg -KeyEncryptionKeyUrl https://demovaulfg.vault.azure.net:443/keys/DEMOVMKey/b35cc866d1334086aecbb189aa8c6dff -KeyEncryptionKeyVaultId /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.KeyVault/vaults/DEMOVAULfg -VolumeType All -SkipVmBackup
Or, you can use the script below. Note the difference: this version passes no key encryption key, so the volume encryption secret is stored in the vault as a plain secret, protected only by the vault's access control, rather than wrapped with the KEK created earlier. Add the -KeyEncryptionKeyUrl and -KeyEncryptionKeyVaultId parameters if you want the KEK-wrapped configuration.
$RGName = "DEMORG1"
$VMName = "TSINFOVM08"
$VaultName= "DEMOVAULfg"
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = "All"
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType -SkipVmBackup
Once you have executed the above PowerShell script, click the Yes button on the popup below to confirm the encryption (add -Force to the cmdlet to skip this prompt in unattended scripts). With VolumeType All the OS volume is encrypted too, which reboots the Linux VM and can take a long time, so run this during a maintenance window. -SkipVmBackup is required for Linux VMs, which means you should take your own backup or snapshot before starting.

You can now see below that encryption for the Azure Linux VM has been set successfully without any issue.

The complete output is as below
RequestId   IsSuccessStatusCode   StatusCode   ReasonPhrase
---------   -------------------   ----------   ------------
            True                  OK           OK
To make sure that encryption of the Azure Linux VM has actually completed (the OK above only means the request was accepted), log in to the Azure Portal, navigate to the Azure Linux virtual machine and check whether encryption is enabled. You can see the VM disk status as Encryption Enabled.
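The complete encryption step, as an added example that is not the article's own script: it encrypts the OS and data volumes with the key encryption key, using the versioned key Id returned by Key Vault rather than a hand-copied URL, and then verifies the result from the control plane with Get-AzVMDiskEncryptionStatus instead of the portal. It assumes the vault, KEK and VM created earlier on this page already exist, and that the vault's DiskEncryptionSettings are reported back in the status (if your extension version does not report them, the KEK check is simply skipped).

```powershell
# Added example (not from the original article): encrypt a Linux VM's OS and data
# volumes with Azure Disk Encryption, wrapping the volume secret with a KEK, then
# verify the outcome. Assumes the resource group, vault, KEK and VM from this page.
$RGName    = "DEMORG1"
$VMName    = "TSINFOVM08"
$VaultName = "DEMOVAULfg"
$KekName   = "DEMOVMKey"

# Pre-flight: the vault must be enabled for disk encryption and in the VM's region.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
if (-not $vault.EnabledForDiskEncryption) {
    throw "Vault $VaultName is not enabled for disk encryption (create it with -EnabledForDiskEncryption)."
}
$vm = Get-AzVM -ResourceGroupName $RGName -Name $VMName
if ($vm.Location -ne $vault.Location.Replace(' ', '').ToLower()) {
    Write-Warning "VM ($($vm.Location)) and vault ($($vault.Location)) regions differ; ADE requires the same region."
}

# Take the versioned key Id from Key Vault instead of pasting it by hand.
$kek = Get-AzKeyVaultKey -VaultName $VaultName -Name $KekName
if (-not $kek -or -not $kek.Enabled) { throw "KEK $KekName not found or disabled." }

# VolumeType All = OS + data disks; the VM reboots during OS-volume encryption.
# -SkipVmBackup is required for Linux, so snapshot first. -Force skips the prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType "All" -SkipVmBackup -Force

# Verify from the control plane: the extension reports per-volume state and the
# settings it applied, which is what you want to record, not the HTTP 200 above.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $RGName -VMName $VMName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage

$kekUsed = $status.OsVolumeEncryptionSettings.KeyEncryptionKey.KeyUrl
if ($status.OsVolumeEncrypted -ne 'Encrypted') {
    Write-Warning "OS volume not (yet) encrypted: $($status.ProgressMessage)"
} elseif ($kekUsed -and ($kekUsed -notlike "*$($kek.Version)")) {
    Write-Warning "OS volume is encrypted, but with a different KEK version: $kekUsed"
} else {
    Write-Output "OS volume encrypted; volume secret wrapped with $($kek.Id)"
}
```

Re-run the Get-AzVMDiskEncryptionStatus part on its own if the first check shows EncryptionInProgress; on a Linux OS volume the state only moves to Encrypted after the reboot and the in-guest pass finish.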

How To Enable Disk Encryption in Azure Portal
We have covered the PowerShell route above. Now let's discuss how to enable disk encryption in the Azure Portal. Follow the below steps.
Step-1: Login to the Azure Portal (https://portal.azure.com/)
Step-2: Search for "Virtual machines" and click the Virtual machines search result. You can now see the list of virtual machines you have created on the Virtual machines page. Click the virtual machine you want to encrypt.

Step-3: On the virtual machine page, click "Disks" in the left navigation and then click the "Additional settings" link on the right, as highlighted below.

Step-4: On the Disk settings page, set "Disks to encrypt" to "OS and data disks", and then, to select the key vault and key, click the "Click to select a key" link as highlighted below.

Step-5: On the "Select key from Azure Key Vault" page, select an existing key vault, key and version and click the Select button at the bottom of the page. If you don't have an existing key vault yet, click the "Create new" link next to Key vault to create one, as described in the next step.

Step-6: On the Create key vault page, provide the below options
- Subscription: Select the correct subscription that you want to use here to create key vault.
- Resource group: You can select either your existing resource group or you can click on the Create new link to create a new resource group if you don’t have any existing resource group.
- Key Vault Name: Provide a unique name for the Azure Key Vault.
- Region: Select the region for your Azure Key Vault.
- Pricing tier: Select the Pricing tier as per your requirement.
- Days to retain deleted vaults: Select the Days to retain deleted vaults based on your requirement.
- Purge Protection: Select the Purge Protection option based on your requirement.
These are the changes you need to make on the Basics tab.

On the Create key vault page, click on the Access Policy tab, make sure to select the “Azure Disk Encryption for volume encryption” option as shown below, and then click on the Review + Create button.

It will now validate all the options you provided and show a "Validation passed" message, after which the Create button becomes available. Click Create to create the Azure Key Vault.
Step-7: Back on the "Select key from Azure Key Vault" page, the key vault you just created is populated automatically. Leave the other options empty and click the Select button at the bottom of the page.

Step-8: On the Disk settings page, click the Save button at the bottom of the page. You can see the message "Successfully updated disk encryption settings" as shown below.

So this is how to enable disk encryption in the Azure Portal. As with the PowerShell route, the VM restarts while the OS disk is encrypted, and you can confirm the final state afterwards on the VM's Disks page.
You may also like to follow the below articles
- How To Create Azure Windows Virtual Machine From A Snapshot PowerShell
- Everything You Need to Know About Azure Cognitive Services
- The Specified Module ‘AzureRM’ Was Not Loaded
- Azure Cognitive Services Text Analytics Python SDK
- How To Create PowerShell Azure Function
Wrapping Up
In this article, we have discussed a step-by-step guide to encrypting an Azure Linux VM with PowerShell, what disk encryption in Azure is, and how to enable disk encryption in the Azure Portal. Hope you have enjoyed this article!