Encrypt a Windows virtual machine with Azure PowerShell
This script creates a secure Azure Key Vault, encryption keys, Azure Active Directory service principal, and a Windows virtual machine (VM). The VM is then encrypted using the encryption key from Key Vault and service principal credentials.
If you don't have an Azure subscription, create a free account before you begin.
Sample script
# Edit these global variables with you unique Key Vault name, resource group name and location
#Name of the Key Vault
$keyVaultName = "myKeyVault00"
#Resource Group Name
$rgName = "myResourceGroup"
#Region
$location = "East US"
#Password to place w/in the KeyVault
$password = $([guid]::NewGuid()).Guid
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
#Name for the Azure AD Application
$appName = "My App"
#Name for the VM to be encrypt
$vmName = "myEncryptedVM"
#user name for the admin account in the vm being created and then encrypted
$vmAdminName = "encryptedUser"
# Register the Key Vault provider and create a resource group
New-AzResourceGroup -Location $location -Name $rgName
# Create a Key Vault and enable it for disk encryption
New-AzKeyVault `
-Location $location `
-ResourceGroupName $rgName `
-VaultName $keyVaultName `
-EnabledForDiskEncryption
# Create a key in your Key Vault
Add-AzKeyVaultKey `
-VaultName $keyVaultName `
-Name "myKey" `
-Destination "Software"
# Put the password in the Key Vault as a Key Vault Secret so we can use it later
# We should never put passwords in scripts.
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name adminCreds -SecretValue $securePassword
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name protectValue -SecretValue $securePassword
# Create Azure Active Directory app and service principal
$app = New-AzADApplication -DisplayName $appName `
-HomePage "https://myapp0.contoso.com" `
-IdentifierUris "https://contoso.com/myapp0" `
-Password (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name adminCreds).SecretValue
New-AzADServicePrincipal -ApplicationId $app.ApplicationId
# Set permissions to allow your AAD service principal to read keys from Key Vault
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultName `
-ServicePrincipalName $app.ApplicationId `
-PermissionsToKeys decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update `
-PermissionsToSecrets get,list,set,delete,backup,restore,recover,purge
# Create PSCredential object for VM
$cred = New-Object System.Management.Automation.PSCredential($vmAdminName, (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name adminCreds).SecretValue)
# Create a virtual machine
New-AzVM `
-ResourceGroupName $rgName `
-Name $vmName `
-Location $location `
-ImageName "Win2016Datacenter" `
-VirtualNetworkName "myVnet" `
-SubnetName "mySubnet" `
-SecurityGroupName "myNetworkSecurityGroup" `
-PublicIpAddressName "myPublicIp" `
-Credential $cred `
-OpenPorts 3389
# Define required information for our Key Vault and keys
$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
$keyVaultResourceId = $keyVault.ResourceId;
$keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name "myKey").Key.kid;
# Encrypt our virtual machine
Set-AzVMDiskEncryptionExtension `
-ResourceGroupName $rgName `
-VMName $vmName `
-AadClientID $app.ApplicationId `
-AadClientSecret (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name adminCreds).SecretValueText `
-DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
-DiskEncryptionKeyVaultId $keyVaultResourceId `
-KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
-KeyEncryptionKeyVaultId $keyVaultResourceId
# View encryption status
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
<#
#clean up
Remove-AzResourceGroup -Name $rgName
#removes all of the Azure AD Applications you created w/ the same name
Remove-AzADApplication -ObjectId $app.ObjectId -Force
#>
Clean up deployment
Run the following command to remove the resource group, VM, and all related resources.
Remove-AzResourceGroup -Name myResourceGroup
Script explanation
This script uses the following commands to create the deployment. Each item in the table links to command specific documentation.
| Command | Notes |
|---|---|
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzKeyVault | Creates an Azure Key Vault to store secure data such as encryption keys. |
| Add-AzKeyVaultKey | Creates an encryption key in Key Vault. |
| New-AzADServicePrincipal | Creates an Azure Active Directory service principal to securely authenticate and control access to encryption keys. |
| Set-AzKeyVaultAccessPolicy | Sets permissions on the Key Vault to grant the service principal access to encryption keys. |
| New-AzVM | Creates the virtual machine and connects it to the network card, virtual network, subnet, and network security group. This command also opens port 80 and sets the administrative credentials. |
| Get-AzKeyVault | Gets required information on the Key Vault |
| Set-AzVMDiskEncryptionExtension | Enables encryption on a VM using the service principal credentials and encryption key. |
| Get-AzVmDiskEncryptionStatus | Shows the status of the VM encryption process. |
| Remove-AzResourceGroup | Removes a resource group and all resources contained within. |
Next steps
For more information on the Azure PowerShell module, see Azure PowerShell documentation.
Additional virtual machine PowerShell script samples can be found in the Azure Windows VM documentation.