Step-by-Step Guide: How to Encrypt Azure Linux VM PowerShell


In this Azure tutorial, we will walk through how to encrypt an Azure Linux VM using PowerShell, step by step. Along the way, we will also cover what disk encryption in Azure is and how to enable disk encryption from the Azure Portal.

Step-by-Step Guide: How to Encrypt Azure Linux VM PowerShell

Here we will cover an interesting topic: a step-by-step guide to encrypting an Azure Linux VM using PowerShell. But before that, what is disk encryption in Azure?

What is disk encryption in Azure?

Azure Disk Encryption is the feature that protects the data stored on an Azure virtual machine's disks. When the security of the data inside an Azure virtual machine comes into the picture, Azure Disk Encryption is the option to consider: the VM's disks are encrypted, and the encryption keys are kept and controlled in Azure Key Vault, with Azure AD handling the identity side.

Prerequisites

Consider the following points as the prerequisites:

  • The VM should run Ubuntu 14.04.5, 16.04, 18.04 or a higher version.
  • Or it should run CentOS 6.8, 7.2n or another 7.x version.
  • It should be configured with a minimum of 8 GB of RAM.
  • The dm-crypt and VFAT kernel modules must be available on it.
  • The Azure PowerShell module must be installed on the machine from which you run the cmdlets.

Now, assuming you are ready with all the prerequisites, let's start the actual work of encrypting an Azure Linux VM using PowerShell. The first step is to connect to Azure.

Connect with Azure

You can use the below PowerShell cmdlet to connect to Azure

PS C:\WINDOWS\system32> Connect-AzAccount

Once you run the above command, it will prompt you to enter your Azure credentials, and then you will see output like the below.


Creating the Resource Group using PowerShell

As the next step, we need to create a new resource group using the below PowerShell cmdlet.

PS C:\WINDOWS\system32> New-AzResourceGroup -Name DEMORG1 -Location "East US"

Here, the name of my resource group is DEMORG1 and its location is "East US". Run the above PowerShell cmdlet to create the Azure resource group, and you will see that the resource group has been created without any issue.


The complete output is as below

ResourceGroupName : DEMORG1
Location          : eastus
ProvisioningState : Succeeded
Tags              : 
ResourceId        : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups
                    /DEMORG1

Enabling Azure Key Vault using PowerShell

Let's register the Key Vault resource provider for the subscription using the below PowerShell cmdlet.

PS C:\WINDOWS\system32> Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"

Once you execute the above PowerShell cmdlet, you will see the expected output as below.


The complete output is as below

ProviderNamespace : Microsoft.KeyVault
RegistrationState : Registered
ResourceTypes     : {vaults, vaults/secrets, vaults/accessPolicies, operations...}
Locations         : {North Central US, East US, North Europe, West Europe...}

Creating Azure Key Vault using PowerShell

Now that the Key Vault provider is registered for the subscription, let's go ahead and create the Azure Key Vault with disk encryption enabled, using the below PowerShell cmdlet.

PS C:\WINDOWS\system32> New-AzKeyVault -Location "East US" -ResourceGroupName DEMORG1 -VaultName DEMOVAULfg -EnabledForDiskEncryption

In the above PowerShell cmdlet, DEMORG1 is the name of the resource group created above and DEMOVAULfg is the Azure Key Vault name. The -EnabledForDiskEncryption switch is what permits the Azure Disk Encryption service to retrieve secrets from this vault. Run the above cmdlet and you will see the expected output.


The complete output is as below

Vault Name                          : DEMOVAULfg
Resource Group Name                 : DEMORG1
Location                            : East US
Resource ID                         : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5c
                                      bd1/resourceGroups/DEMORG1/providers/Microsoft.K
                                      eyVault/vaults/DEMOVAULfg
Vault URI                           : https://demovaulfg.vault.azure.net/
Tenant ID                           : 5d9d690a-0310-474d-ae8b-42df2d549228
SKU                                 : Standard
Enabled For Deployment?             : False
Enabled For Template Deployment?    : False
Enabled For Disk Encryption?        : True
Enabled For RBAC Authorization?     : False
Soft Delete Enabled?                : True
Enabled Purge Protection?           : 
Soft Delete Retention Period (days) : 90
Enabled Purge Protection?           : 
Access Policies                     : 
Network Rule Set                    : 
                                      Default Action                             : 
                                      Allow
                                      Bypass                                     : 
                                      AzureServices
                                      IP Rules                                   : 
                                      Virtual Network Rules                      : 
                                      
Tags                                : 

Creating Access Policy using PowerShell

We have already created the Azure Key Vault. Now it is time to create the access policy, using the below PowerShell cmdlet.

Set-AzKeyVaultAccessPolicy -VaultName DEMOVAULfg -ObjectId 54481342-e592-47c2-ba89-b07dcadf9346 -PermissionsToKeys create,import,delete,list,get -PermissionsToSecrets set,delete -PassThru

In the above PowerShell cmdlet, replace the ObjectId with the object ID of the account you are currently logged in with (a global admin account in this example). Once the script has executed, you will see the output below.


The complete output is as below

Vault Name                          : DEMOVAULfg
Resource Group Name                 : DEMORG1
Location                            : East US
Resource ID                         : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5c
                                      bd1/resourceGroups/DEMORG1/providers/Microsoft.K
                                      eyVault/vaults/DEMOVAULfg
Vault URI                           : https://demovaulfg.vault.azure.net/
Tenant ID                           : xxxxxxx-0xxx-xxxx-xxxx-42xxxx49228
SKU                                 : Standard
Enabled For Deployment?             : False
Enabled For Template Deployment?    : False
Enabled For Disk Encryption?        : True
Enabled For RBAC Authorization?     : False
Soft Delete Enabled?                : True
Enabled Purge Protection?           : 
Soft Delete Retention Period (days) : 90
Enabled Purge Protection?           : 
Access Policies                     : 
                                      Tenant ID                                  : 
                                      xxxxxxxxx-0xxx-xxxx-ae8b-4xxxxd549228
                                      Object ID                                  : 
                                      xxxxxxxx-e592-xxxx-ba89-xxxxcadf9xxx
                                      Application ID                             : 
                                      Display Name                               : 
                                      Bijay Kumar Sahoo (fewlines4biju_hotmail.com#EXT
                                      #@fewlines4bijuhotmail.onmicrosoft.com)
                                      Permissions to Keys                        : 
                                      create, import, delete, list, get
                                      Permissions to Secrets                     : 
                                      set, delete
                                      Permissions to Certificates                : 
                                      Permissions to (Key Vault Managed) Storage : 
                                      
                                      
Network Rule Set                    : 
                                      Default Action                             : 
                                      Allow
                                      Bypass                                     : 
                                      AzureServices
                                      IP Rules                                   : 
                                      Virtual Network Rules                      : 
                                      
Tags                                : 

Creating a new encryption key using PowerShell

Now, the next step is to create a new encryption key using the below PowerShell cmdlet.

Add-AzKeyVaultKey -VaultName DEMOVAULfg -Name "DEMOVMKey" -Destination "Software"

Once you execute the above PowerShell cmdlet, you will see the expected output. One more thing to note here: the Destination can be "Software" or "HSM". HSM-protected keys incur an extra cost, so choose based on your requirement.


You can see the complete output as below

Vault/HSM Name : demovaulfg
Name           : DEMOVMKey
Version        : b35cc866d1334086aecbb189aa8c6dff
Id             : https://demovaulfg.vault.azure.net:443/keys/DEMOVMKey/b35cc866d133408
                 6aecbb189aa8c6dff
Enabled        : True
Expires        : 
Not Before     : 
Created        : 12/19/2020 3:42:55 PM
Updated        : 12/19/2020 3:42:55 PM
Recovery Level : Recoverable+Purgeable
Tags           : 

Creating the Virtual Machine using PowerShell

Now let's create the Linux virtual machine on which we will use the encryption feature. You can use the below PowerShell cmdlets to create the Azure Linux virtual machine.

To create the virtual network, public IP and subnet, you can check out the article How To Move Azure VM To A Different Resource Group PowerShell?

$loginDetails = Get-Credential

New-AzVm -ResourceGroupName DEMORG1 -Name "TSINFOVM08" -Location "eastus" -VirtualNetworkName "TsinfoNewVN" -SubnetName "myvmsubnet" -PublicIpAddressName "TSINFOVMIP" -OpenPorts 22 -Image Canonical:UbuntuServer:16.04-LTS:latest -Size Standard_D2s_v3 -Credential $loginDetails

Once the above PowerShell script has executed, you will see the expected output, and the Linux virtual machine has been created successfully.


The complete output is as below

ResourceGroupName        : DEMORG1
Id                       : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourc
eGroups/DEMORG1/providers/Microsoft.Compute/virtualMachines/TSINFOVM08
VmId                     : 371d11c5-190c-4afb-9c0a-49db16303b95
Name                     : TSINFOVM08
Type                     : Microsoft.Compute/virtualMachines
Location                 : eastus
Tags                     : {}
HardwareProfile          : {VmSize}
NetworkProfile           : {NetworkInterfaces}
OSProfile                : {ComputerName, AdminUsername, LinuxConfiguration, Secrets, 
AllowExtensionOperations, RequireGuestProvisionSignal}
ProvisioningState        : Succeeded
StorageProfile           : {ImageReference, OsDisk, DataDisks}
FullyQualifiedDomainName : tsinfovm08-759e49.eastus.cloudapp.azure.com

Now, our Virtual machine is ready, let’s implement the Encryption feature for that virtual machine.

How to Encrypt Azure Linux VM

To encrypt the Azure Linux virtual machine, we need the resource ID and URI of the Azure Key Vault, plus the key ID of the key we created in it. You can use the below PowerShell cmdlet to get the resource ID and URI of the Azure Key Vault.

Get-AzKeyVault -VaultName DEMOVAULfg -ResourceGroupName DEMORG1 | fl

Once the above PowerShell cmdlet has executed, you will see the resource ID and URI of the Azure Key Vault in the output.


The complete output is as below

Vault Name                          : DEMOVAULfg
Resource Group Name                 : DEMORG1
Location                            : East US
Resource ID                         : /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5c
                                      bd1/resourceGroups/DEMORG1/providers/Microsoft.K
                                      eyVault/vaults/DEMOVAULfg
Vault URI                           : https://demovaulfg.vault.azure.net/
Tenant ID                           : 5xxxxxxx-0310-xxxx-axxx-42df2d549228
SKU                                 : Standard
Enabled For Deployment?             : False
Enabled For Template Deployment?    : False
Enabled For Disk Encryption?        : True
Enabled For RBAC Authorization?     : False
Soft Delete Enabled?                : True
Enabled Purge Protection?           : 
Soft Delete Retention Period (days) : 90
Enabled Purge Protection?           : 
Access Policies                     : 
                                      Tenant ID                                  : 
                                      5xxxxxxx-0310-xxxx-axxx-42df2d549228
                                      Object ID                                  : 
                                      xxxxxxxx-e592-xxxx-xxxx-b07dxxxx9346
                                      Application ID                             : 
                                      Display Name                               : 
                                      Bijay Kumar Sahoo (fewlines4biju_hotmail.com#EXT
                                      #@fewlines4bijuhotmail.onmicrosoft.com)
                                      Permissions to Keys                        : 
                                      create, import, delete, list, get
                                      Permissions to Secrets                     : 
                                      set, delete
                                      Permissions to Certificates                : 
                                      Permissions to (Key Vault Managed) Storage : 
                                      
                                      
Network Rule Set                    : 
                                      Default Action                             : 
                                      Allow
                                      Bypass                                     : 
                                      AzureServices
                                      IP Rules                                   : 
                                      Virtual Network Rules                      : 
                                      
Tags                                : 

Now, as the next step, we need to get the Key Vault key ID using the below PowerShell cmdlet.

Get-AzKeyVaultKey -VaultName DEMOVAULfg -Name DEMOVMKey

Once the above PowerShell cmdlet has executed, you will see the expected output without any issue.


Here is the complete output as below

Vault/HSM Name : demovaulfg
Name           : DEMOVMKey
Version        : b35cc866d1334086aecbb189aa8c6dff
Id             : https://demovaulfg.vault.azure.net:443/keys/DEMOVMKey/xxxxxxx33408
                 6aecbb189aa8c6dff
Enabled        : True
Expires        : 
Not Before     : 
Created        : 12/19/2020 3:42:55 PM
Updated        : 12/19/2020 3:42:55 PM
Recovery Level : Recoverable+Purgeable
Tags           : 

Now it is time to encrypt the Azure Linux virtual machine using the below PowerShell cmdlet. The vault resource ID, vault URI and the versioned key URL are taken from the outputs above (make sure the IDs are pasted on a single line, without the line breaks the console output wraps them with).

Set-AzVMDiskEncryptionExtension -ResourceGroupName DEMORG1 -VMName "TSINFOVM08" -DiskEncryptionKeyVaultUrl https://demovaulfg.vault.azure.net/ -DiskEncryptionKeyVaultId /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.KeyVault/vaults/DEMOVAULfg -KeyEncryptionKeyUrl https://demovaulfg.vault.azure.net:443/keys/DEMOVMKey/b35cc866d1334086aecbb189aa8c6dff -KeyEncryptionKeyVaultId /subscriptions/1cdf4300-dee5-4518-9c9c-feaa72a5cbd1/resourceGroups/DEMORG1/providers/Microsoft.KeyVault/vaults/DEMOVAULfg -VolumeType All -SkipVmBackup

Or, you can use the script below, which looks up the vault URI, the vault resource ID and the key URL from the objects instead of pasting them in by hand:

$RGName = "DEMORG1"
$VMName = "TSINFOVM08"
$VaultName = "DEMOVAULfg"
$KeyName = "DEMOVMKey"
# Look up the vault and the key encryption key rather than copying their IDs
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$KeyEncryptionKey = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
$KeyEncryptionKeyUrl = $KeyEncryptionKey.Id   # versioned key URL, e.g. https://demovaulfg.vault.azure.net:443/keys/DEMOVMKey/<version>
$VolumeType = "All"   # encrypt both the OS and the data disks
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType -SkipVmBackup

Once you have executed the above PowerShell script, click the Yes button to confirm the encryption on the popup shown below.


Now you can see below that encryption for the Azure Linux VM has been set successfully without any issue.


The complete output is as below

RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
                         True         OK OK          

To make sure that the encryption for the Azure Linux VM has been applied properly, log in to the Azure portal, navigate to the Azure Linux virtual machine and check whether encryption is enabled. You will see the VM disk status as Encryption Enabled.
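The following script is an added example and is not part of the original article. It ties the PowerShell steps above together and adds the checks a practitioner would want: it resolves the ObjectId of the signed-in user instead of pasting a GUID (the access policy step above), confirms the vault is enabled for disk encryption, reuses the key if it already exists, checks the dm-crypt and vfat prerequisites inside the guest, and then verifies the encryption state from PowerShell rather than from the portal. It assumes the Az.Accounts, Az.Resources, Az.KeyVault and Az.Compute modules are installed, that you signed in with a user account via Connect-AzAccount, and that the resource names are the ones used in this article.

```powershell
# Added example (not from the original article): end-to-end Azure Disk Encryption
# with checks. Assumes Az.Accounts, Az.Resources, Az.KeyVault and Az.Compute are
# installed and that Connect-AzAccount was run with a user account.
$RGName    = "DEMORG1"
$VMName    = "TSINFOVM08"
$VaultName = "DEMOVAULfg"
$KeyName   = "DEMOVMKey"

# 1. Resolve the object ID of the signed-in user instead of pasting a GUID.
#    (Get-AzContext).Account.Id is the UPN for user sign-ins (assumption: not a
#    service principal login, which would need a different lookup).
$me = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
if (-not $me) { throw "Could not resolve the signed-in user; set the ObjectId manually." }

# 2. Make sure the vault lets the disk encryption service read its secrets and
#    that the signed-in user can manage keys and secrets in it.
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
if (-not $KeyVault) { throw "Key Vault $VaultName not found in $RGName." }
if (-not $KeyVault.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDiskEncryption
}
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $me.Id `
    -PermissionsToKeys create,import,delete,list,get -PermissionsToSecrets set,delete

# 3. Reuse the key encryption key (KEK) if it already exists; otherwise create it.
$Kek = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
if (-not $Kek) {
    $Kek = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination "Software"
}

# 4. Check the dm-crypt and vfat prerequisites inside the guest via Run Command.
#    modprobe -n is a dry run: it succeeds when the module is loadable or built in.
#    The script is written with LF line endings so bash on the VM does not choke on CRLF.
$guestCheck = @'
#!/bin/bash
for m in dm_crypt vfat; do
  if modprobe -n "$m" 2>/dev/null; then echo "OK $m"; else echo "MISSING $m"; fi
done
'@
$guestCheck = $guestCheck -replace "`r`n", "`n"
$scriptFile = Join-Path ([IO.Path]::GetTempPath()) "ade-prereq-check.sh"
[IO.File]::WriteAllText($scriptFile, $guestCheck)
$run = Invoke-AzVMRunCommand -ResourceGroupName $RGName -VMName $VMName `
    -CommandId "RunShellScript" -ScriptPath $scriptFile
$run.Value[0].Message
if ($run.Value[0].Message -match "MISSING") { throw "Guest is missing a required kernel module." }

# 5. Enable encryption. -Force suppresses the interactive Yes/No prompt. The KEK
#    wraps the VM's disk encryption secret before it is stored in the vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -KeyEncryptionKeyUrl $Kek.Id -KeyEncryptionKeyVaultId $KeyVault.ResourceId `
    -VolumeType "All" -SkipVmBackup -Force

# 6. Verify from PowerShell. On Linux the OS volume is encrypted in the background
#    and can report EncryptionInProgress or VMRestartPending for a while; re-run
#    this part until OsVolumeEncrypted reads Encrypted.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $RGName -VMName $VMName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
$kekInUse = $status.OsVolumeEncryptionSettings.KeyEncryptionKey.KeyUrl
if ($kekInUse -and $kekInUse -ne $Kek.Id) {
    Write-Warning "OS volume is wrapped with a different KEK: $kekInUse"
}
```

Step 6 is the part worth keeping around on its own: Get-AzVMDiskEncryptionStatus is the scriptable equivalent of the portal check described above, and comparing the KEK URL it reports against the key you expect confirms that the disks are wrapped with the key you manage, not merely that "encryption" is switched on.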


How To Enable Disk Encryption in Azure Portal

We have covered above how to encrypt an Azure Linux VM with PowerShell. Now it is time to discuss how to enable disk encryption in the Azure Portal. Follow the below steps.

Step-1: Login to the Azure Portal (https://portal.azure.com/)

Step-2: Search for "Virtual machines" and click on the Virtual machines search result. You will see the list of virtual machines you have created on the Virtual machines page. Click on the virtual machine that you want to encrypt.


Step-3: On the virtual machine page, click on "Disks" in the left navigation and then click on the "Additional settings" link on the right side, as highlighted below.


Step-4: On the Disk settings page, set "Disks to encrypt" to "OS and data disks", and then, to select the key vault and key, click on the "Click to select a key" link as highlighted below.


Step-5: On the "Select key from Azure Key Vault" page, select the existing key vault, key and version, and then click on the Select button at the bottom of the page. If you don't have an existing key vault, key and version, click on the "Create new" link next to Key vault to create them; that is what we do here.


Step-6: On the Create key vault page, provide the below options:

  • Subscription: Select the subscription that you want to use to create the key vault.
  • Resource group: Select your existing resource group, or click on the "Create new" link to create a new one if you don't have any.
  • Key Vault Name: Provide a unique name for the Azure Key Vault.
  • Region: Select the region for your Azure Key Vault.
  • Pricing tier: Select the pricing tier as per your requirement.
  • Days to retain deleted vaults: Select the number of days to retain deleted vaults based on your requirement.
  • Purge Protection: Select the purge protection option based on your requirement.

These are the changes you need to make on the Basics tab.


On the Create key vault page, click on the Access Policy tab, make sure to select the "Azure Disk Encryption for volume encryption" option as shown below (this is the portal equivalent of the -EnabledForDiskEncryption switch used earlier), and then click on the Review + Create button.


It will now validate all the options you provided and then show the "Validation passed" message, after which the Create button becomes available. Click on the Create button to create the Azure Key Vault.

Step-7: Back on the "Select key from Azure Key Vault" page, the key vault you have just created is populated. Leave the other options empty and then click on the Select button at the bottom of the page.


Step-8: Now, on the Disk settings page, click on the Save button at the bottom of the page. You will see the message "Successfully updated disk encryption settings" as shown below.


So, this is how to enable disk encryption in the Azure Portal.


Wrapping Up

In this article, we have discussed how to encrypt an Azure Linux VM with PowerShell step by step, what disk encryption in Azure is, and how to enable disk encryption in the Azure Portal. Hope you have enjoyed this article!