Introduction

Here is a small tutorial on encrypting a Microsoft Azure virtual machine disk.

Preparing the Azure Virtual Machine

Register the Microsoft.KeyVault resource provider in your Azure subscription; Key Vault holds the keys used by disk encryption.

$ az provider register -n Microsoft.KeyVault

Create a resource group in your favorite location (keep in mind that different locations enable different features, and some VM sizes are not available in every location).

$ az group create \
    --name testResourceGroup \
    --location centralus

Create an Azure Key Vault and enable the Key Vault for use with disk encryption.

$ az keyvault create \
    --name testKeyVault \
    --resource-group testResourceGroup \
    --location centralus \
    --enabled-for-disk-encryption True

Create a cryptographic key in your Key Vault. This is the key encryption key (KEK): Azure Disk Encryption wraps the per-VM disk encryption secret with it before storing that secret in the vault.

$ az keyvault key create \
    --vault-name testKeyVault \
    --name testKey \
    --protection software

Create a service principal in Azure Active Directory. The disk encryption extension running in the VM authenticates to Key Vault as this principal to write the wrapped disk encryption secret. Capture its application id and password in shell variables, because the later commands reference them as $sp_id and $sp_password. Older CLI versions also assign the Contributor role at subscription scope by default; the principal only needs the Key Vault policy granted in the next step, so skip that assignment where your CLI version supports it.

$ read -r sp_id sp_password < <(az ad sp create-for-rbac \
    --skip-assignment \
    --query '[appId, password]' -o tsv)

Grant the service principal only the permissions the encryption extension needs on the Key Vault: wrapKey on keys (to wrap the disk encryption secret with testKey) and set on secrets (to store the wrapped secret).

$ az keyvault set-policy \
    --name testKeyVault \
    --spn "$sp_id" \
    --key-permissions wrapKey \
    --secret-permissions set

Create a VM and attach a 10 GB data disk. Keep in mind that only certain marketplace images support disk encryption.

$ az vm create \
    --resource-group testResourceGroup \
    --name testVM \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys \
    --data-disk-sizes-gb 10

SSH to your VM using the publicIpAddress shown in the output of the preceding command, create a partition and filesystem on the data disk, and mount it (the encryption extension expects mounted data disks to have an /etc/fstab entry). Then start encrypting your VM:

$ az vm encryption enable \
    --resource-group testResourceGroup \
    --name testVM \
    --aad-client-id "$sp_id" \
    --aad-client-secret "$sp_password" \
    --disk-encryption-keyvault testKeyVault \
    --key-encryption-key testKey \
    --volume-type all
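For the partition, filesystem and mount step described above, here is an added script (not part of the original tutorial) that prepares the data disk inside the VM. It assumes the data disk shows up as /dev/sdc (the usual name for the first data disk on an Azure Linux VM; confirm with lsblk before running it) and a mount point of /datadrive. The fstab entry is written by UUID rather than device name, because device names can change across the reboot that the encryption process itself requires, and with nofail so a missing disk does not block boot.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: prepare the attached
# data disk before enabling Azure Disk Encryption.
# Assumed defaults: device /dev/sdc, mount point /datadrive.
set -eu

# Build the /etc/fstab line. Mount by UUID, not /dev/sdX, and use nofail
# so the VM still boots if the disk is ever detached.
fstab_line() {
    # $1 = filesystem UUID, $2 = mount point
    printf 'UUID=%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# Refuse to touch a device that is missing or already carries a filesystem
# or partition-table signature (blkid prints nothing for a blank device).
is_blank_disk() {
    # $1 = block device
    [ -b "$1" ] && [ -z "$(blkid "$1" 2>/dev/null)" ]
}

prepare_data_disk() {
    dev="$1"; mnt="$2"
    is_blank_disk "$dev" || { echo "$dev is missing or not blank; aborting" >&2; return 1; }
    # One GPT partition spanning the whole disk, then ext4 on it
    parted --script "$dev" mklabel gpt mkpart primary ext4 0% 100%
    partprobe "$dev"
    part="${dev}1"          # /dev/sdc -> /dev/sdc1 (NVMe-style names differ)
    mkfs.ext4 -F "$part"
    uuid=$(blkid -s UUID -o value "$part")
    mkdir -p "$mnt"
    fstab_line "$uuid" "$mnt" >> /etc/fstab
    mount "$mnt"            # mounts via the new fstab entry, proving it is valid
    echo "$part mounted at $mnt (UUID=$uuid)"
}

# Only act when explicitly asked: sudo sh prepare-disk.sh run [device] [mountpoint]
if [ "${1:-}" = run ]; then
    prepare_data_disk "${2:-/dev/sdc}" "${3:-/datadrive}"
fi
```

Run it as root on the VM with `sudo sh prepare-disk.sh run`; without the `run` argument it only defines the functions, and it refuses to repartition a disk that already carries a signature.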

The encryption process takes some time to complete. You can monitor its status with the command below; at first it will report EncryptionInProgress:

$ az vm encryption show \
    --resource-group testResourceGroup \
    --name testVM

When the status for the OS disk reports VMRestartPending, restart your virtual machine.

$ az vm restart \
    --resource-group testResourceGroup \
    --name testVM

The disk encryption process is finalised during boot, so wait a few minutes before checking the status again. It should now report that both the OS disk and the data disk are Encrypted.

$ az vm encryption show \
    --resource-group testResourceGroup \
    --name testVM
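The monitor, restart and verify steps above can be automated. The following script is an added example, not part of the original tutorial: it polls `az vm encryption show`, restarts the VM exactly once when the OS disk reports VMRestartPending (a second restart is not triggered if the status lingers after the reboot), and stops when both disks report Encrypted. It assumes a logged-in az CLI, the resource names used in this tutorial, and that the command's output carries the per-disk status in fields named osDisk and dataDisk, as it did in the CLI versions that still took --aad-client-id.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: drive the restart step
# of Azure Disk Encryption from the status reported by the CLI.
# Assumptions: az is logged in; names below match the tutorial; the status
# output exposes osDisk and dataDisk fields.
set -eu

RG=testResourceGroup
VM=testVM
INTERVAL=60      # seconds between polls
MAX_POLLS=120    # give up after about two hours

# Decide what to do from the OS-disk and data-disk status strings.
# $3 is 1 once a restart has been issued, so a VMRestartPending that
# persists for a while after the reboot does not trigger another one.
# Prints one of: done, restart, wait.
next_action() {
    os="$1"; data="$2"; restarted="$3"
    if [ "$os" = Encrypted ] && [ "$data" = Encrypted ]; then
        echo done
    elif [ "$os" = VMRestartPending ] && [ "$restarted" = 0 ]; then
        echo restart
    else
        echo wait
    fi
}

wait_for_encryption() {
    restarted=0
    n=0
    while [ "$n" -lt "$MAX_POLLS" ]; do
        # A JMESPath list query with tsv output yields "osStatus<TAB>dataStatus"
        set -- $(az vm encryption show --resource-group "$RG" --name "$VM" \
                    --query '[osDisk, dataDisk]' -o tsv)
        os=${1:-Unknown}; data=${2:-Unknown}
        case "$(next_action "$os" "$data" "$restarted")" in
            done)    echo "OS disk: $os, data disk: $data"; return 0 ;;
            restart) echo "OS disk reports $os; restarting $VM"
                     az vm restart --resource-group "$RG" --name "$VM"
                     restarted=1 ;;
            wait)    echo "OS disk: $os, data disk: $data; waiting" ;;
        esac
        n=$((n + 1))
        sleep "$INTERVAL"
    done
    echo "gave up after $MAX_POLLS polls; check the VM's extension status" >&2
    return 1
}

# Only poll when explicitly asked: sh ade-wait.sh run
if [ "${1:-}" = run ]; then
    wait_for_encryption
fi
```

Invoke it as `sh ade-wait.sh run` after `az vm encryption enable` returns; it exits 0 once both disks are Encrypted and 1 if the poll limit is reached, so it can gate a later step in a pipeline.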

Additional info