Azure Disk Encryption-Part 1 (ARM Template)
Niraj Kumar
Greetings, Readers!
Security is one of the most important aspects of moving your workloads into the public cloud. Microsoft Azure provides many tools to secure your infrastructure, including encryption at rest. Today I'm going to talk about Azure Disk Encryption (ADE), the technology which provides volume-level encryption at rest. Azure Disk Encryption (ADE) uses BitLocker for Windows VMs and DM-Crypt for Linux VMs. ADE works in conjunction with Azure Key Vault and Azure AD. ADE can be enabled in various ways: a. From the Azure portal, using an ARM template b. From PowerShell c. From Azure CLI.
This is part 1 of the article and will cover:
- How to enable ADE with ARM template.
- How to disable ADE.
In Part 2, I'll cover enabling ADE with the help of PowerShell.
I posted a video blog which covers both scenarios. Please watch it to see things in action.
Before you can enable ADE on VMs, let's understand some of the basic requirements.
- Basic tier VMs are not supported for ADE; you will need to choose Standard tier VMs.
- Azure Key Vault: ADE requires that your key vault and VMs reside in the same Azure region and subscription.
- ADE on Boot Volume must be turned on before ADE on Data Volume can be turned on.
- The storage account used to store the encrypted OS VHD and the VM (compute) must be created in the same resource group and the same location.
After you have ensured that you meet the basic requirements of ADE, proceed with the following steps to enable ADE on an existing running Windows VM with the help of an ARM template.
1. Have a Standard tier VM provisioned with a data disk attached to it.
2. Register an Azure AD application through the classic portal and populate: user-friendly app name, sign-on URL, App ID URI.
3. Make a note of the Client ID and the Application Key (a new key must be generated). You'll need these when deploying the ADE ARM template from GitHub.
4. Create an Azure Key Vault (AKV) to store the BitLocker keys.
5. Assign the following permissions on the AKV to the application registered in step 2:
a. Enable the AKV to be used for disk encryption.
b. Key Permissions -> under Cryptographic Operations, Wrap Key.
c. Secret Permissions -> under Secret Management Operations, Set.
6. Finally, deploy the ADE ARM template from GitHub.
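As an added example (not part of the original article or of the GitHub template), here is a small Python check, run offline against a constructed Key Vault ARM resource, that verifies the settings from steps 4 and 5: disk encryption enabled on the vault, and the registered app's access policy granting exactly Wrap Key and Set. The vault name, tenantId and objectId are placeholders; any permission broader than those two is reported as a finding.

```python
"""Verify a Key Vault ARM resource is ready for Azure Disk Encryption (ADE)
with least-privilege permissions for the registered AAD application.
Added example; names, tenantId and objectId below are constructed placeholders."""
import json

# Constructed ARM resource for the vault created in step 4, carrying the
# permissions from step 5 (a-c). The objectId stands for the AAD app's
# service principal; replace it with the real one in your deployment.
VAULT_RESOURCE = json.loads("""
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2016-10-01",
  "name": "ade-demo-kv",
  "location": "eastus",
  "properties": {
    "sku": {"family": "A", "name": "standard"},
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "enabledForDiskEncryption": true,
    "accessPolicies": [{
      "tenantId": "00000000-0000-0000-0000-000000000000",
      "objectId": "11111111-1111-1111-1111-111111111111",
      "permissions": {"keys": ["wrapKey"], "secrets": ["set"]}
    }]
  }
}
""")

# Exactly what the ADE steps ask for: Wrap Key on keys, Set on secrets.
REQUIRED = {"keys": {"wrapkey"}, "secrets": {"set"}}


def check_ade_vault(resource, app_object_id):
    """Return a list of findings; an empty list means the vault has disk
    encryption enabled and the app holds exactly wrapKey + set."""
    findings = []
    props = resource.get("properties", {})
    if props.get("enabledForDiskEncryption") is not True:
        findings.append("enabledForDiskEncryption is not true (step 5a)")
    policy = next((p for p in props.get("accessPolicies", [])
                   if p.get("objectId") == app_object_id), None)
    if policy is None:
        return findings + [f"no access policy for app objectId {app_object_id}"]
    perms = policy.get("permissions", {})
    for kind, needed in REQUIRED.items():
        granted = {p.lower() for p in perms.get(kind, [])}  # ARM is case-insensitive
        if needed - granted:
            findings.append(f"{kind}: missing {sorted(needed - granted)}")
        if granted - needed:
            findings.append(f"{kind}: broader than ADE needs: {sorted(granted - needed)}")
    return findings


if __name__ == "__main__":
    print(check_ade_vault(VAULT_RESOURCE, "11111111-1111-1111-1111-111111111111"))
```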