Azure Disk Encryption prerequisites

This article explains what needs to be in place before you can use Azure Disk Encryption. Azure Disk Encryption is integrated with Azure Key Vault to help manage encryption keys. You can use Azure PowerShell, Azure CLI, or the Azure portal to configure Azure Disk Encryption.

Before you enable Azure Disk Encryption on Azure IaaS VMs for the supported scenarios that were discussed in the Azure Disk Encryption Overview article, be sure to have the prerequisites in place.

Warning

  • If you have previously used Azure Disk Encryption with an Azure AD app to encrypt this VM, you will have to continue to use this option to encrypt your VM. You can’t use Azure Disk Encryption without the Azure AD app on this encrypted VM, because switching away from the AAD application for an already encrypted VM isn’t supported yet.
  • Certain recommendations might increase data, network, or compute resource usage, resulting in additional license or subscription costs. You must have a valid active Azure subscription to create resources in Azure in the supported regions.

Supported operating systems

Azure Disk Encryption is supported on the following operating systems:

  • Windows Server versions: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    • For Windows Server 2008 R2, you must have .NET Framework 4.5 installed before you enable encryption in Azure. Install it from Windows Update with the optional update Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based systems (KB2901983).
  • Windows client versions: Windows 8 client and Windows 10 client.
  • Azure Disk Encryption is only supported on specific Azure Gallery based Linux server distributions and versions. For the list of currently supported versions, refer to the Azure Disk Encryption FAQ.
  • Azure Disk Encryption requires that your key vault and VMs reside in the same Azure region and subscription. Configuring the resources in separate regions causes a failure in enabling the Azure Disk Encryption feature.

Additional prerequisites for Linux IaaS VMs

  • Azure Disk Encryption for Linux requires 7 GB of RAM on the VM to enable OS disk encryption on supported images. Once the OS disk encryption process is complete, the VM can be configured to run with less memory.
  • Before enabling encryption, the data disks to be encrypted need to be properly listed in /etc/fstab. Use a persistent block device name for this entry, as device names in the "/dev/sdX" format can't be relied upon to be associated with the same disk across reboots, particularly after encryption is applied. For more detail on this behavior, see Troubleshoot Linux VM device name changes.
  • Make sure the /etc/fstab settings are configured properly for mounting. To configure these settings, run the mount -a command or reboot the VM and trigger the remount that way. Once that is complete, check the output of the lsblk command to verify that the drive is still mounted.
    • If the /etc/fstab file doesn't mount the drive properly before enabling encryption, Azure Disk Encryption won't be able to mount it properly.
    • The Azure Disk Encryption process will move the mount information out of /etc/fstab and into its own configuration file as part of the encryption process. Don't be alarmed to see the entry missing from /etc/fstab after data drive encryption completes.
    • After reboot, it will take time for the Azure Disk Encryption process to mount the newly encrypted disks. They won't be immediately available after a reboot. The process needs time to start, unlock, and then mount the encrypted drives before being available for other processes to access. This process may take more than a minute after reboot depending on the system characteristics.

An example of commands that can be used to mount the data disks and create the necessary /etc/fstab entries can be found in lines 244-248 of this script file.
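The two fstab requirements above (persistent device names, and every entry actually mounted) can be checked with a script before encryption is enabled. This is an added example, not part of the original article or of the script it links to; the function names and the sample fstab and mount table are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): audit an fstab before enabling
# Azure Disk Encryption. Function names and sample data are constructed.

# audit_fstab FSTAB MOUNTS   (normally /etc/fstab and /proc/self/mounts)
# Prints one finding per line; returns 1 if any entry needs fixing.
audit_fstab() (
    rc=0
    while read -r spec mnt fstype rest || [ -n "$spec" ]; do
        case $spec in ''|'#'*) continue ;; esac        # blank line or comment
        case $fstype in swap|tmpfs|proc|sysfs) continue ;; esac
        case $spec in
            UUID=*|LABEL=*|PARTUUID=*|/dev/disk/by-*|/dev/mapper/*) ;;  # persistent
            /dev/sd*|/dev/hd*|/dev/xvd*)
                echo "UNSTABLE $mnt $spec"; rc=1 ;;    # name can change across reboots
            *)  echo "REVIEW $mnt $spec" ;;            # not classified by this check
        esac
        # Each entry has to mount cleanly before encryption is enabled.
        MNT=$mnt awk '$2 == ENVIRON["MNT"] { f = 1 } END { exit !f }' "$2" ||
            { echo "NOT_MOUNTED $mnt"; rc=1; }
    done < "$1"
    exit "$rc"
)

# Run the audit over constructed files: one unstable name, one unmounted disk.
audit_sample() (
    dir=$(mktemp -d) || exit 2
    cat > "$dir/fstab" <<'EOF'
# constructed sample, not from a real VM
UUID=0a1b2c3d-1111-2222-3333-444455556666 / ext4 defaults 0 1
/dev/disk/by-uuid/7e8f9a0b-aaaa-bbbb-cccc-ddddeeeeffff /data1 ext4 defaults,nofail 0 2
/dev/sdc1 /data2 ext4 defaults,nofail 0 2
LABEL=logs /data3 xfs defaults,nofail 0 2
EOF
    cat > "$dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdd1 /data1 ext4 rw,relatime 0 0
/dev/sdc1 /data2 ext4 rw,relatime 0 0
EOF
    rc=0; audit_fstab "$dir/fstab" "$dir/mounts" || rc=$?
    rm -rf "$dir"
    exit "$rc"
)

audit_sample || echo "fix the findings above before enabling encryption"
```

On a VM, run `audit_fstab /etc/fstab /proc/self/mounts` after `mount -a`; any `UNSTABLE` or `NOT_MOUNTED` finding should be resolved before encryption is enabled.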

Networking and Group Policy

To enable the Azure Disk Encryption feature, the IaaS VMs must meet the following network endpoint configuration requirements:

  • To get a token to connect to your key vault, the IaaS VM must be able to connect to an Azure Active Directory endpoint, [login.microsoftonline.com].
  • To write the encryption keys to your key vault, the IaaS VM must be able to connect to the key vault endpoint.
  • The IaaS VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files.
  • If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs. For more information, see Azure Key Vault behind a firewall.

Group Policy:

  • The Azure Disk Encryption solution uses the BitLocker external key protector for Windows IaaS VMs. For domain joined VMs, don't push any group policies that enforce TPM protectors. For information about the group policy for “Allow BitLocker without a compatible TPM,” see BitLocker Group Policy Reference.
  • BitLocker policy on domain joined virtual machines with custom group policy must include the following setting: Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key. Azure Disk Encryption will fail when custom group policy settings for BitLocker are incompatible. On machines that didn't have the correct policy setting, apply the new policy and force the new policy to update (gpupdate.exe /force); a restart may then be required.

Azure PowerShell

Azure PowerShell provides a set of cmdlets that uses the Azure Resource Manager model for managing your Azure resources. You can use it in your browser with Azure Cloud Shell, or you can install it on your local machine using the instructions below to use it in any PowerShell session. If you already have it installed locally, make sure you use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest Azure PowerShell release.

Install Azure PowerShell for use on your local machine (optional):

  1. Follow the instructions in the links for your operating system, then continue through the rest of the steps below.

  2. Verify the installed versions of the AzureRM module. If needed, update the Azure PowerShell module.

    • The AzureRM module version needs to be 6.0.0 or higher.
    • Using the latest AzureRM module version is recommended.

      Get-Module AzureRM -ListAvailable | Select-Object -Property Name,Version,Path
      
  3. Sign in to Azure using the Connect-AzureRmAccount cmdlet.

    Connect-AzureRmAccount
    # For specific instances of Azure, use the -Environment parameter.
    Connect-AzureRmAccount -Environment (Get-AzureRmEnvironment -Name AzureUSGovernment)
    
    <# If you have multiple subscriptions and want to specify a specific one, 
    get your subscription list with Get-AzureRmSubscription and 
    specify it with Set-AzureRmContext.  #>
    Get-AzureRmSubscription
    Set-AzureRmContext -SubscriptionId "xxxx-xxxx-xxxx-xxxx"
    
  4. If needed, review Getting started with Azure PowerShell.

Install the Azure CLI for use on your local machine (optional)

The Azure CLI 2.0 is a command-line tool for managing Azure resources. The CLI is designed to flexibly query data, support long-running operations as non-blocking processes, and make scripting easy. You can use it in your browser with Azure Cloud Shell, or you can install it on your local machine and use it in any PowerShell session.

  1. Install Azure CLI for use on your local machine (optional):

  2. Verify the installed version.

    az --version
    
  3. Sign in to Azure using az login.

    az login
    
    # If you would like to select a tenant, use: 
    az login --tenant "<tenant>"
    
    # If you have multiple subscriptions, get your subscription list with az account list and specify with az account set.
    az account list
    az account set --subscription "<subscription name or ID>"
    
  4. Review Get started with Azure CLI 2.0 if needed.

Prerequisite workflow for Key Vault

If you're already familiar with the Key Vault and Azure AD prerequisites for Azure Disk Encryption, you can use the Azure Disk Encryption prerequisites PowerShell script. For more information on using the prerequisites script, see the Encrypt a VM Quickstart and the Azure Disk Encryption Appendix.

  1. If needed, create a resource group.
  2. Create a key vault.
  3. Set key vault advanced access policies.

Warning

Before deleting a key vault, ensure that you did not encrypt any existing VMs with it. To protect a vault from accidental deletion, enable soft delete and a resource lock on the vault.

Create a key vault

Azure Disk Encryption is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. You can create a key vault or use an existing one for Azure Disk Encryption. For more information about key vaults, see Get started with Azure Key Vault and Secure your key vault. You can use a Resource Manager template, Azure PowerShell, or the Azure CLI to create a key vault.

Warning

In order to make sure the encryption secrets don’t cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.

Create a key vault with PowerShell

You can create a key vault with Azure PowerShell using the New-AzureRmKeyVault cmdlet. For additional cmdlets for Key Vault, see AzureRM.KeyVault.

  1. If needed, connect to your Azure subscription.
  2. Create a new resource group, if needed, with New-AzureRmResourceGroup. To list data center locations, use Get-AzureRmLocation.

    # Get-AzureRmLocation 
    New-AzureRmResourceGroup -Name 'MySecureRG' -Location 'East US'
    
  3. Create a new key vault using New-AzureRmKeyVault.

    New-AzureRmKeyVault -VaultName 'MySecureVault' -ResourceGroupName 'MySecureRG' -Location 'East US'
    
  4. Note the Vault Name, Resource Group Name, Resource ID, Vault URI, and the Object ID that are returned for later use when you encrypt the disks.

Create a key vault with Azure CLI

You can manage your key vault with Azure CLI using the az keyvault commands. To create a key vault, use az keyvault create.

  1. If needed, connect to your Azure subscription.
  2. Create a new resource group, if needed, with az group create. To list locations, use az account list-locations.

    # To list locations: az account list-locations --output table
    az group create -n "MySecureRG" -l "East US"
    
  3. Create a new key vault using az keyvault create.

    az keyvault create --name "MySecureVault" --resource-group "MySecureRG" --location "East US"
    
  4. Note the Vault Name (name), Resource Group Name, Resource ID (ID), Vault URI, and the Object ID that are returned for use later.

Create a key vault with a Resource Manager template

You can create a key vault by using the Resource Manager template.

  1. On the Azure quickstart template, click Deploy to Azure.
  2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then click Purchase.

Set key vault advanced access policies

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. Enable disk encryption on the key vault or deployments will fail.

Set key vault advanced access policies with Azure PowerShell

Use the key vault PowerShell cmdlet Set-AzureRmKeyVaultAccessPolicy to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: EnabledForDiskEncryption is required for Azure Disk encryption.

    Set-AzureRmKeyVaultAccessPolicy -VaultName 'MySecureVault' -ResourceGroupName 'MySecureRG' -EnabledForDiskEncryption
    
  • Enable Key Vault for deployment, if needed: Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

    Set-AzureRmKeyVaultAccessPolicy -VaultName 'MySecureVault' -ResourceGroupName 'MySecureRG' -EnabledForDeployment
    
  • Enable Key Vault for template deployment, if needed: Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.

    Set-AzureRmKeyVaultAccessPolicy -VaultName 'MySecureVault' -ResourceGroupName 'MySecureRG' -EnabledForTemplateDeployment
    

Set key vault advanced access policies using the Azure CLI

Use az keyvault update to enable disk encryption for the key vault.

  • Enable Key Vault for disk encryption: Enabled-for-disk-encryption is required.

    az keyvault update --name "MySecureVault" --resource-group "MySecureRG" --enabled-for-disk-encryption "true"
    
  • Enable Key Vault for deployment, if needed: Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.

    az keyvault update --name "MySecureVault" --resource-group "MySecureRG" --enabled-for-deployment "true"
    
  • Enable Key Vault for template deployment, if needed: Allow Resource Manager to retrieve secrets from the vault.

    az keyvault update --name "MySecureVault" --resource-group "MySecureRG" --enabled-for-template-deployment "true"
    

Set key vault advanced access policies through the Azure portal

  1. Select your key vault, go to Access Policies, and select Click to show advanced access policies.
  2. Select the box labeled Enable access to Azure Disk Encryption for volume encryption.
  3. Select Enable access to Azure Virtual Machines for deployment and/or Enable Access to Azure Resource Manager for template deployment, if needed.
  4. Click Save.
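
Whichever method set the policy, the vault's region, subscription, and disk-encryption flag can be verified against the target VM before encrypting. This is an added example, not part of the original article; the function names are illustrative, the resource IDs are constructed placeholders, and `ade_preflight_live` assumes a signed-in Azure CLI.

```sh
#!/bin/sh
# Added example (not from the article): verdict on the Key Vault prerequisites
# for one VM. Function names are illustrative; sample IDs are constructed.

VAULT_ID=/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/MySecureRG/providers/Microsoft.KeyVault/vaults/MySecureVault
VM_ID=/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/MySecureRG/providers/Microsoft.Compute/virtualMachines/MySecureVM

lower() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

# Subscription GUID from an ARM resource ID.
sub_of() { lower "$1" | sed -n 's|^/subscriptions/\([^/]*\)/.*|\1|p'; }

# "East US" and "eastus" name the same region.
norm_loc() { lower "$1" | tr -d ' '; }

# ade_preflight VAULT_ID VAULT_LOC VAULT_FLAG VM_ID VM_LOC
# Prints one FAIL line per unmet prerequisite; returns 1 if any is unmet.
ade_preflight() (
    rc=0
    [ "$(norm_loc "$2")" = "$(norm_loc "$5")" ] ||
        { echo "FAIL region: vault=$2 vm=$5"; rc=1; }
    [ -n "$(sub_of "$1")" ] && [ "$(sub_of "$1")" = "$(sub_of "$4")" ] ||
        { echo "FAIL subscription: vault and VM differ"; rc=1; }
    # The flag is compared case-insensitively (true or True).
    [ "$(lower "$3")" = "true" ] ||
        { echo "FAIL enabledForDiskEncryption=$3"; rc=1; }
    exit "$rc"
)

# Gather the five values with a signed-in Azure CLI, then check them.
# Usage: ade_preflight_live VAULT_NAME RESOURCE_GROUP VM_NAME
ade_preflight_live() (
    v_id=$(az keyvault show --name "$1" --query id -o tsv) &&
    v_loc=$(az keyvault show --name "$1" --query location -o tsv) &&
    v_flag=$(az keyvault show --name "$1" --query properties.enabledForDiskEncryption -o tsv) &&
    vm_id=$(az vm show -g "$2" -n "$3" --query id -o tsv) &&
    vm_loc=$(az vm show -g "$2" -n "$3" --query location -o tsv) &&
    ade_preflight "$v_id" "$v_loc" "$v_flag" "$vm_id" "$vm_loc"
)

# Offline demonstration with the constructed values above.
ade_preflight "$VAULT_ID" "East US" "true" "$VM_ID" "eastus" && echo "prerequisites met"
```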

Set up a key encryption key (optional)

If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. Use the Add-AzureKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM. For more information, see Key Vault Documentation. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

Set up a key encryption key with Azure PowerShell

Before using the PowerShell script, you should be familiar with the Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment. This script creates all Azure Disk Encryption prerequisites and encrypts an existing IaaS VM, wrapping the disk encryption key by using a key encryption key.

    # Step 1: Create a new resource group and key vault in the same location.
    # Fill in 'MyLocation', 'MySecureRG', and 'MySecureVault' with your values.
    # Use Get-AzureRmLocation to get available locations and use the DisplayName.
    # To use an existing resource group, comment out the line for New-AzureRmResourceGroup.

    $Loc = 'MyLocation';
    $rgname = 'MySecureRG';
    $KeyVaultName = 'MySecureVault';
    New-AzureRmResourceGroup -Name $rgname -Location $Loc;
    New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname -Location $Loc;
    # Read the vault back once and reuse the object for its resource ID and URI.
    $KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname;
    $KeyVaultResourceId = $KeyVault.ResourceId;
    $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;

    # Step 2: Enable the vault for disk encryption.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $rgname -EnabledForDiskEncryption;

    # Step 3: Create a new key in the key vault with the Add-AzureKeyVaultKey cmdlet.
    # Fill in 'MyKeyEncryptionKey' with your value.

    $keyEncryptionKeyName = 'MyKeyEncryptionKey';
    Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName -Destination 'Software';
    $keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $keyEncryptionKeyName).Key.kid;

    # Step 4: Encrypt the disks of an existing IaaS VM.
    # Fill in 'MySecureVM' with your value.

    $VMName = 'MySecureVM';
    Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $VMName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;

Next steps