June 1, 2016

Azure Disk Encryption - Use Keys Instead of Certs?

I've been blogging a lot about ADE and KeyVault. What can I say, they are shiny and I love them. Lots of neat things the team is working on that I'm excited to talk about soon. Had a question the other day from a client about how to do Azure Disk Encryption and NOT using Certs. Of course, my initial reaction was, why would you do that? Apparently, there are lots of reasons, many of them deal with ease of use, but there are also orgs that don't have their own cert management tooling. Fair enough, you can in fact, use keys, and the script to encrypt your VMs is actually easier.

If you are new to this topic, I suggest reviewing the previous blogs, particularly this one where I go through encrypting an Azure VM with a certificate.

With permission from a colleague, Adam Hems, who wrote an excellent set of automation scripts (way better than the chicken scratch I come up with), I'm sharing his methodology here. You can find him on the nets @AspiringTexan and his GitHub repo. Here's the salient details.

  1. Assume you have a Resource Group and a VM (see the other blog entry for how to get started).
  2. Once you have the pre-reqs going, start in with some code:

$resourceGroupName= "Some Random Name" $VnetResourceGroupName = "CloudyDemo" $location = "East US" $vm1Name = "Name of My VM"

Do all the pre-requisite things like create the VM, removed here for brevity.

Create Azure AD Application & Principal to have access to the cert

$ADApplicationDisplayName = $randomName + "-Application" $ADApplicationHomePage = "http://" + $randomName $now = [System.DateTime]::Now; $oneYearFromNow = $now.AddYears(1); $aadClientSecret = [Guid]::NewGuid(); $ADApplication = New-AzureRMADApplication -DisplayName $ADApplicationDisplayName -homepage $ADApplicationHomePage -IdentifierUris $ADApplicationHomePage -StartDate $now -EndDate $oneYearFromNow -Password $aadClientSecret $aadClientID = $ADApplication.applicationid $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $aadClientID; $SvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $ADApplicationDisplayName);

Create a KeyVault and grant permissions to the AAD service principal to access the KeyVault and enable the KeyVault to be used for Encryption.

$KeyVaultName = $randomName + "-Vault" $KeyVault =new-azurermkeyvault -vaultname $KeyVaultName -location $location -Sku standard -EnabledForDiskEncryption -ResourceGroupName $resourceGroupName -Tag $myTags set-azurermkeyvaultaccesspolicy -vaultname $KeyVaultName -resourcegroup $resourceGroupName -serviceprincipalname $aadClientID -PermissionsToSecrets all -PermissionsToKeys all set-azurermkeyvaultaccesspolicy -vaultname $KeyVaultName -resourcegroup $resourceGroupName -enabledfordiskencryption $DiskEncryptionVaultUrl = $KeyVault.vaulturi $KeyVaultResourceId = $KeyVault.resourceid

Set up Key Encryption of Keys

$KeyEncryptionKeyName = 'KeyEncryptionKey' $kek = add-azurekeyvaultkey -vaultname $KeyVaultName -name $KeyEncryptionKeyName -destination 'software' $KeyEncryptionKeyUrl = $kek.key.kid

Kick of Encryption of the VM's. Requires a reboot - takes 15 mins or so per VM.

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vm1Name -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -Force -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId