Azure IaaS Lab – Security Center – Disk Encryption – Part 2

This post is part of a series, for the series contents see:
https://irankon.wordpress.com/post-lists/azure-iaas-lab-project/

For the code listed in this post please see:
https://github.com/irankon/azure-iaas-lab/blob/master/encryption_ms_script.ps1
https://github.com/irankon/azure-iaas-lab/blob/master/encryption_setup.ps1

In my last post I encrypted my Windows “mgmt-vm” successfully and thought I’d then done the same with my Linux “firewall-vm”. Well it turns out that was a bit of an alternative fact.

The PowerShell ran successfully to encrypt the firewall-vm, so I thought it had done the job, but when I checked back later I was presented with this:

Encryption Linux Outcome

Digging a bit deeper and looking at the VM extension logs I came up with this:

Encryption Linux Extension Logs

So why did that happen?

Well it turns out that the Set-AzureRmVMDiskEncryptionExtension cmdlet only supports encrypting Linux data disks; OS disks aren't supported. For Windows VMs there is no such restriction. For more details see this Microsoft document and search for the section on the -VolumeType switch.

Working Example – Finding a Target VM:

It would be good to have a working example of a Linux VM with disk encryption and whilst my firewall-vm doesn’t have a data disk, my web-vm does so it’s the obvious choice of test subject.

However, talking about the web-vm reminded me that it was conspicuously missing from the list of VMs in my Security Center alert about disk encryption:

Encryption VM List

There's a reason for its absence that has also been highlighted by Security Center:

web-vm doesn’t have the VM agent enabled that is needed by Security Center.

Encryption VM Agent

Note that the same alert for the firewall-vm is resolved, hence Security Center is able to give other recommendations, such as disk encryption, for that one.

Working Example – Enable the VM Agent on Linux

Enabling the agent was nothing more than a yum install and then a command to enable the agent:

sudo yum install python-pyasn1 WALinuxAgent
sudo systemctl enable waagent

I got the steps from this article, and confirmed the results in the portal by checking web-vm’s extensions:

Encryption VM Extensions

In Security Center itself, the VM agent issue also then showed as resolved:

Encryption VM Agent Resolved

Working Example – Encrypt a Linux Data Disk

With my VM agent installed, next up I needed to run the PowerShell command to encrypt the data volume on web-vm. To run the code I needed to dig out the output of the Microsoft encryption script from my last post.

#Setup my variables
#Most of the values came from
#the output of the Microsoft Encryption script
#(the AAD client id/secret and Key Vault resource id are placeholders here)

$vmName = "web-vm"
$resourceGroupName = "dmz-rg"
$aadClientID = "<your_client_id>"
$aadClientSecret = "<your_key>"
$diskEncryptionKeyVaultUrl = "https://lab-vault.vault.azure.net/"
$keyVaultResourceId = "<your_vault_resource_id>"

#Now use those variables to encrypt web-vm's data disk
#-VolumeType Data is the important switch: the cmdlet can't encrypt a Linux OS disk
Set-AzureRmVMDiskEncryptionExtension `
-ResourceGroupName $resourceGroupName `
-VMName $vmName `
-VolumeType Data `
-AadClientID $aadClientID `
-AadClientSecret $aadClientSecret `
-DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
-DiskEncryptionKeyVaultId $keyVaultResourceId

I’ve removed most of my details from the code above so just plug in whatever your own values were from the Microsoft encryption script.

The key switch is the one that instructs the cmdlet to focus purely on the data disk as that’s all we can do with Linux:

-VolumeType Data

This time I stopped and checked the status, before I got ahead of myself, and the result was success:

Encryption VM Outcome
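As an added example (my own code, not from the original post or the lab repo), here is the same encryption wrapped in a PowerShell function that checks the OS type and data-disk count first, so a Linux VM with no data disk fails early instead of the way firewall-vm did, and then reads the result back with Get-AzureRmVMDiskEncryptionStatus rather than trusting that the cmdlet returned without error. The function and parameter names are mine; it assumes the AzureRM module is loaded and you're already logged in, and the AAD/Key Vault values are the same placeholders as above.

```powershell
# Added example: choose -VolumeType from the VM's OS type and verify afterwards.
# Assumes AzureRM is loaded and Login-AzureRmAccount has been run.
function Invoke-LabDiskEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $AadClientID,
        [Parameter(Mandatory)] [string] $AadClientSecret,
        [Parameter(Mandatory)] [string] $KeyVaultUrl,
        [Parameter(Mandatory)] [string] $KeyVaultResourceId
    )

    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $osType = $vm.StorageProfile.OsDisk.OsType            # 'Linux' or 'Windows'
    $dataDiskCount = @($vm.StorageProfile.DataDisks).Count

    # Linux: this cmdlet only handles data disks (the firewall-vm lesson),
    # so refuse to run when there is nothing it can encrypt.
    if ($osType -eq 'Linux') {
        if ($dataDiskCount -eq 0) {
            throw "$VMName is Linux with no data disk; nothing to encrypt."
        }
        $volumeType = 'Data'
    } else {
        $volumeType = 'All'   # Windows: OS and data disks are both supported
    }

    Set-AzureRmVMDiskEncryptionExtension `
        -ResourceGroupName $ResourceGroupName `
        -VMName $VMName `
        -VolumeType $volumeType `
        -AadClientID $AadClientID `
        -AadClientSecret $AadClientSecret `
        -DiskEncryptionKeyVaultUrl $KeyVaultUrl `
        -DiskEncryptionKeyVaultId $KeyVaultResourceId

    # Read the status back instead of assuming success from the return code.
    $enc = Get-AzureRmVMDiskEncryptionStatus `
        -ResourceGroupName $ResourceGroupName -VMName $VMName
    [pscustomobject]@{
        VM          = $VMName
        VolumeType  = $volumeType
        OsVolume    = "$($enc.OsVolumeEncrypted)"
        DataVolumes = "$($enc.DataVolumesEncrypted)"
        Progress    = $enc.ProgressMessage
    }
}
```

Run it as Invoke-LabDiskEncryption -ResourceGroupName dmz-rg -VMName web-vm followed by the AAD and Key Vault values; DataVolumes should read Encrypted once the extension has finished, and anything else is the cue to look at the extension logs as above.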

So that’s that!
