Azure IaaS Lab – Security Center – Disk Encryption – Part 1

This post is part of a series, for the series contents see:

For the code listed in this post please see:

Continuing to play with Security Center I thought I’d follow up on its recommendation and setup some disk encryption:

Security Center Recommendations

To make things nice and easy, good old MS have set it up so that if you click on a recommendation it’ll point you to the necessary steps to implement it:

Encryption Recommended Steps.PNG

If you go to the recommended link then setting up encryption is essentially a 3 step process:

  1. Setup an Azure AD App for key management using the key vault I setup in an earlier post.
  2. Download Microsoft’s script from GitHub, run it, and enter the relevant details when prompted.
  3. Finally, run a PowerShell one-liner to enable disk encryption on a VM.

For my first run at it I decided to give it a go on the “mgmt-vm” that sits in my hub resource group.

Step 1 – Setup an Azure AD App

I wasn’t really sure why this step was needed but this Microsoft article does a pretty good job of explaining it.

If my understanding is correct, it boils down to this:

  • Applications that use key vault must authenticate using a token from AAD.
  • In my case the encryption service is the application and it needs the AAD app so that it can get a token which it will then use to store keys in my Azure Key Vault (“lab-vault” that I created in an earlier post).

I created the app in the GUI (using the old portal!) following Microsoft’s steps as below:

  1. Login to  to the classic portal:
  2. Go to Azure AD:
    Encryption AAD App
  3. Go to your directory and then click “Applications” from the top menu:
    Encryption AAD App Screen
  4. To create a new Application click “Add” at the bottom of the screen to kick off the wizard:
    Encryption AAD App Add
  5. The wizard will prompt you to choose the type of app to create, go for the top option “Add an application my organisation is developing”:
    Encryption AAD App Organisation App
  6. On the next screen select “web application” and give the app a name.  I went for “encryption-aad-app”:
    Encryption AAD App Type
  7. On the final screen you’ll be prompted to add a couple of URLs for sign-in and an app ID.  The Microsoft doc seems to suggest that these don’t really matter and you can go with anything, which begs the question”why bother asking then?”.  Anyway, I stuck in any old thing to keep me on track (you need to include the protocol too, so it won’t let you proceed unless you enter in “http://”):
    Encryption AAD App URLs
  8. The final step is to create the key that our encryption service will use.  Click on the app name choose “Configure” from the top menu:
    Encryption AAD App Properties
  9. Scroll down to the “Keys” section and create a new key by simply choosing a duration from the drop down (I chose 2 years) and then clicking “Save” at the bottom of the screen:
    Encryption AAD App Key
  10. When you click “Save” the value of the key will be displayed so make a note of it.  It is needed later in the process and once you navigate away from the screen there is no way to get it again.  If you do forget then you’ll simply have to delete the forgotten one and create a new one.

And that’s it, that’s our app created in preparation for setting up encryption.  Nice and simple really.

The PowerShell Way

Whilst the GUI method is nice I thought it would be nicer if the whole thing could be done in PowerShell so I did a little search and came across a nice blog post that gives the steps, it’s a simple one-liner:

New-AzureRmADApplication `
 -DisplayName "test-aad-app" `
 -HomePage "" `
 -IdentifierUris "" `
 -ReplyUrls "" `
 -Password "Password123"

The key to deciphering it is that:

  • -HomePage
    Is what the GUI refers to as “Sign-on URL”
  • -IdentifierUris
    Is what the GUI refers to as “App ID URI”
  • -ReplyURLs
    This is auto-populated by the GUI wizard and appears to be the same as the “Sign-on URL”
  • -Password:
    This is the “Key” from the GUI.  Whereas the GUI auto-populates this, in PowerShell you can specify your own key value.  The default duration for the key is 1 year but you can change this using the “-EndDate” parameter.

You’ll note the “rm” in the cmdlet “New-AzureRmADApplication” which means that the PowerShell method is creating the app in Resource Manager mode.  In practicality this means that if you login to the app won’t be visible there, but if you login to the new portal ( it’ll be sitting there waiting for you:

Encryption AAD App Resource Manager

Step 2 – The Microsoft Script

Now we’re onto the easy bit because Microsoft has done the work for us.

  1. Head over to the Microsoft Git Hub repository, click raw and take a copy of the script.  I’ve saved a local copy in my repository as “encryption_ms_script.ps1
  2. Next up, simply open it in PowerShell ISE and run it my clicking the play button or pressing F5.  The script will prompt you for everything that it needs so just follow along as detailed below:
  3. A:
    You’ll be prompted to login.  A thing to note here is that in my case, as I’m using an MSDN subscription, I didn’t bother amending the $subscriptionId variable in the Microsoft script.  Default is fine for me but might not be for you if you have multiple subscriptions.
  4. B:
    Next, you’ll be prompted for the name of the resource group that the keyvault is in.  In my case that is:hub-rg
  5. C:
    You then need to give the name of your key vault:lab-vault
  6. D:
    Then, location.  All my stuff for this lab is in:North Europe
  7. E:
    Next up is the name of the AAD App that I created above:encryption-aad-appAt this point you’ll be asked to login again.
  8. F:
    Once you’ve logged in you’ll be asked to enter the key value from when the Azure AD app was created during step one.  If you didn’t note it down, just login to the Azure portal and create a new one.
  9. Add that’s it, the script will complete and display values for aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, and keyVaultResourceId.The Microsoft instructions tell you to copy these and keep them safe but I forgot. I’ve yet to see if that’s going to bite me in the arse so watch this space 🙂

Step 3 – Encrypt a VM’s Disks

Finally, with PowerShell ISE still open from step 2 run the following to encrypt the mgmt-vm:

$vmName = "mgmt-vm"
Set-AzureRmVMDiskEncryptionExtension `
 -ResourceGroupName $resourceGroupName `
 -VMName $vmName `
 -AadClientID $aadClientID `
 -AadClientSecret $aadClientSecret `
 -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
 -DiskEncryptionKeyVaultId $keyVaultResourceId

The code above will only work if you’re still in the same PowerShell ISE session used for step 2.  Otherwise the variables being passed in the parameters won’t be populated and it will fail.

Another thing to note is that because this makes use of VM extensions the VM needs to be powered on to encrypt it.  You can’t encrypt it offline.

Thank you Sir, may I have another…

Security Center is keen to remind me that other VMs are also in dire need of some encryption:

Security Center Encryption Recommendation

So this is a perfect opportunity to test:

  1. What happens if, like me, you forgot to note down the output from the Microsoft script?  Can I just run it again?
    • The simple answer is “Yes”.  Well it worked for me anyway, the only thing I had to do was create a new key/secret in my encryption-aad-app as I didn’t make a note of the old one.
  2. What happens when you try to encrypt a Linux VM?
    • I ran it against my firewall-vm and it seems to have worked a treat.  One thing I noticed was that when running the final “Set-AzureRmVMDiskEncryptionExtension” cmdlet, the resource group parameter must be the resource group that the VM resides in.  Up above the key vault and mgmt-vm were both in the hub-rg so that value worked for both but that’s not the case with the firewall-vm.
    • Edit (16/04.2017):  Actually the answer was “It didn’t work”.  See the next post for details.

The final bit of code (after running the MS script) to encrypt my firewall VM was:

$vmName = "firewall-vm"
$resourceGroupName = "security-rg"
Set-AzureRmVMDiskEncryptionExtension `
-ResourceGroupName $resourceGroupName `
 -VMName $vmName `
 -AadClientID $aadClientID `
 -AadClientSecret $aadClientSecret `
 -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
 -DiskEncryptionKeyVaultId $keyVaultResourceId

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: