Set up full disk encryption for a Linux VM with PowerShell in Azure!


 

Hi Azure friends,

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE

Set-Location C:\Temp
Clear-Host

 

#To carry out the configuration you need the necessary cmdlets. They are contained in the Az module (the higher-level module that bundles a number of submodules)

Install-Module -Name Az -Force -AllowClobber -Verbose

 

#Log into Azure
Connect-AzAccount

 

#Select the correct subscription

Get-AzContext

Get-AzSubscription

Get-AzSubscription -SubscriptionName "your subscription name" | Select-AzSubscription

 

#Prefix for resources
$prefix = "tw"

#Some variables
$Location = "westeurope"
$id = Get-Random -Minimum 1000 -Maximum 9999
 
#Create a resource group
New-AzResourceGroup -Name "myResourceGroup" -Location $Location

#Create a virtual machine
$cred = Get-Credential
 
New-AzVM -Name MyVm -Credential $cred -ResourceGroupName MyResourceGroup -Image Canonical:UbuntuServer:18.04-LTS:latest -Size Standard_D2S_V3

#Create a Key Vault configured for encryption keys
$keyVaultParameters = @{
    Name = "$prefix-key-vault-$id"
    ResourceGroupName = "MyResourceGroup"
    Location = $location
    EnabledForDiskEncryption = $true
    EnabledForDeployment = $true
    Sku = "Standard"
}

$keyVault = New-AzKeyVault @keyVaultParameters

#Encrypt the virtual machine
$KeyVault = Get-AzKeyVault -VaultName "$prefix-key-vault-$id" -ResourceGroupName "MyResourceGroup"

Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -SkipVmBackup -VolumeType All

#You can verify the encryption process
Get-AzVmDiskEncryptionStatus -VMName MyVM -ResourceGroupName MyResourceGroup
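
A single status call only shows the state at that moment. The following PowerShell is an added example, not part of the original post: it polls the same cmdlet until the OS and data volumes report as encrypted, or fails on timeout. The function name `Wait-VmDiskEncryption`, its parameters, and the handling of the `NotMounted` and `VMRestartPending` states are assumptions of this example.

```powershell
# Added example. Wait-VmDiskEncryption and its parameters are hypothetical names.
function Wait-VmDiskEncryption {
    [CmdletBinding()]
    param(
        [string]$ResourceGroupName = 'MyResourceGroup',
        [string]$VMName = 'MyVM',
        [int]$TimeoutMinutes = 120,
        [int]$PollSeconds = 60,
        # Injectable status source so the logic can be exercised offline.
        [scriptblock]$GetStatus = {
            param($rg, $vm)
            Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
        }
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = & $GetStatus $ResourceGroupName $VMName
        $os   = [string]$status.OsVolumeEncrypted
        $data = [string]$status.DataVolumesEncrypted
        Write-Verbose "OS=$os Data=$data Message=$($status.ProgressMessage)"

        # -VolumeType All was requested, so the OS volume must be encrypted.
        # Assumption: a VM without a mounted data disk reports NotMounted.
        if ($os -eq 'Encrypted' -and $data -in 'Encrypted', 'NotMounted') {
            return $status
        }
        if ($os -eq 'VMRestartPending') {
            Write-Warning "$VMName needs a restart before encryption is reported as complete."
            return $status
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Encryption of $VMName not finished after $TimeoutMinutes min (OS=$os, Data=$data)."
}

# Offline dry run with constructed status objects (not real Azure output).
$constructed = [System.Collections.Queue]@(
    [pscustomobject]@{ OsVolumeEncrypted = 'NotEncrypted'; DataVolumesEncrypted = 'NotMounted'; ProgressMessage = 'constructed' },
    [pscustomobject]@{ OsVolumeEncrypted = 'EncryptionInProgress'; DataVolumesEncrypted = 'NotMounted'; ProgressMessage = 'constructed' },
    [pscustomobject]@{ OsVolumeEncrypted = 'Encrypted'; DataVolumesEncrypted = 'NotMounted'; ProgressMessage = 'constructed' }
)
Wait-VmDiskEncryption -PollSeconds 0 -GetStatus { $constructed.Dequeue() } -Verbose

# Against the VM created above:
# Wait-VmDiskEncryption -ResourceGroupName MyResourceGroup -VMName MyVM -Verbose
```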
 
Now you have used PowerShell to create a Linux VM with full disk encryption! Congratulations!
 
#Clean up (when you no longer need the resources)
Remove-AzResourceGroup -Name "myResourceGroup" -Force
 

I hope this article was useful. Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
