April 22, 2016

Massive Azure VM Storage + Encryption

Many of you have now learned of my fondness for Azure Disk Encryption, seeing as how I blog about it pretty frequently. Someday soon I'm going to do some ADE using Linux but ... well, soon. You may also be aware that the service is now GA. Updated 5/24/16: ADE is GA worldwide now!

The other day, a question came up on a DL that I follow about ADE and the limits it has with regard to storage in the data disks. You are likely aware that in Azure, at the moment (teehee), you can only create a max 1TB file in storage. So, how do you store a file in Azure VHDs that's, say, 6TB in size (like a DB) AND leverage ADE? Simple, and supported - Storage Spaces! Let's see how this process gets done.

First - you need a VM and some disks:
Bunch o Disks

In the real world, you'd want these to spread across multiple storage accounts within the same Resource Group, but for my purposes, I just stuck them into the same storage account:
Lots of Disks One Storage Account

This isn't an exhaustive article on how to configure Storage Spaces; for that, see elsewhere. For me, I had a VM with just a C: and the Azure D:

No Disks

And a peek into Disk Management:

No Disks Part 2

First, let's get me a virtual disk so I can have a really large drive. Again, see the above TechNet link on how to do that, but once you are finished:

Big Disk

and from Disk Management:

Great, now let's sling some PowerShell and get some Azure Disk Encryption going - you'll notice it's the same process as this guy's excellent guide. In fact, just follow those instructions; there are literally no differences or changes to the procedure, even with this many disks!

When the VM reboots after setting things up, you get some good indication things are happening:


And some goodness from PowerShell:

Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName 'Test' -VMName $vmName

OsVolumeEncrypted          : True
OsVolumeEncryptionSettings : {
    "diskEncryptionKey": {
        "secretUrl": "https://....vault.azure.net/secrets/....",
        "sourceVault": {
            "id": "/subscriptions/.../resourceGroups/Test/providers/Microsoft.KeyVault/vaults/..."
        }
    },
    "keyEncryptionKey": null,
    "enabled": true
}
DataVolumesEncrypted       : True

When I log in to my VM:

Encrypting Away
Note: if I really had 5TB of data on my newly encrypted volume, it could take a while for that process to complete. The above pic is of the C drive getting its BitLocker on. Because my disk was empty, it didn't take long:
Pad Locks

And BitLocker's Status:

So, in summary - Azure Disk Encryption works great even when you need really really big disks.
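
The in-guest side of the procedure above, as an added example that is not code from the original post: one function pools the attached data disks into a single Storage Spaces volume, the other confirms after the ADE reboot that BitLocker really covers that volume and not just C:. The pool, disk and label names and the drive letter are assumptions, and it assumes the VM has a single storage subsystem and an elevated PowerShell session.

```powershell
# Added example. Run inside the VM, elevated. All names are hypothetical.

function New-PooledDataVolume {
    param(
        [string]$PoolName = 'DataPool',   # assumed name
        [string]$DiskName = 'BigDisk',    # assumed name
        [string]$Label    = 'Data'        # assumed volume label
    )
    # Freshly attached, uninitialised data disks report CanPool = True.
    $disks = @(Get-PhysicalDisk -CanPool $true)
    if ($disks.Count -lt 2) {
        throw "Expected several poolable data disks, found $($disks.Count)."
    }

    # Assumption: the VM exposes exactly one storage subsystem.
    $subsystem = Get-StorageSubSystem | Select-Object -First 1
    New-StoragePool -FriendlyName $PoolName `
        -StorageSubSystemFriendlyName $subsystem.FriendlyName `
        -PhysicalDisks $disks | Out-Null

    # Simple (striped) layout across every disk, using all pool capacity.
    New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName `
        -ResiliencySettingName Simple -NumberOfColumns $disks.Count `
        -ProvisioningType Fixed -UseMaximumSize | Out-Null

    # Initialise, partition and format the new virtual disk as one NTFS volume.
    Get-VirtualDisk -FriendlyName $DiskName | Get-Disk |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -AssignDriveLetter -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
}

function Test-VolumeEncrypted {
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. 'F:'
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint = $v.MountPoint
        Status     = $v.VolumeStatus            # EncryptionInProgress while it runs
        Percent    = $v.EncryptionPercentage
        Protected  = ($v.VolumeStatus -eq 'FullyEncrypted' -and
                      $v.ProtectionStatus -eq 'On')
    }
}

# Before enabling ADE:        New-PooledDataVolume
# After the post-ADE reboot:  Test-VolumeEncrypted -MountPoint 'F:'   # letter is an assumption
```

Treat the data volume as encrypted only once `Protected` is True; `DataVolumesEncrypted : True` from the Azure side and a padlock on C: do not by themselves show that a large pooled volume has finished encrypting.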