Regarding how to encrypt Azure VM disk, please refer to the following steps
az login
az keyvault create --name 'testdisk' --resource-group 'testvm1' --location 'centralus' --enabled-for-disk-encryption true --enabled-for-deployment true --enabled-for-template-deployment true
az keyvault key create --name diskery --vault-name testdisk --kty RSA
- Code
import uuid
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.compute.models import VirtualMachineExtension
from msrestazure.tools import parse_resource_id
AZURE_TENANT_ID= ''
AZURE_CLIENT_ID=''
AZURE_CLIENT_SECRET=''
AZURE_SUBSCRIPTION_ID=''
credentials = ServicePrincipalCredentials(client_id=AZURE_CLIENT_ID,secret=AZURE_CLIENT_SECRET,tenant=AZURE_TENANT_ID)
compute_client = ComputeManagementClient(credentials, AZURE_SUBSCRIPTION_ID)
resource_group_name='testvm1'
vm_name='test03'
vm =compute_client.virtual_machines.get(resource_group_name,vm_name)
parts = parse_resource_id(vm.id)
KeyVaultResourceId='/subscriptions/<your subscription id>/resourceGroups/<group name>/providers/Microsoft.KeyVault/vaults/<your key vault name>'
KeyEncryptionKeyURL='https://<your key vault name>.vault.azure.net/keys/<name>/<version>'
KeyVaultURL='https://<your key vault name>.vault.azure.net/'
# we are ready to provision/update the disk encryption extensions
os_type = vm.storage_profile.os_disk.os_type.value
sequence_version = uuid.uuid4()
public_settings={"EncryptionOperation": 'EnableEncryption',
"KeyVaultURL": KeyVaultURL,
"KeyVaultResourceId": KeyVaultResourceId,
"KeyEncryptionKeyURL": KeyEncryptionKeyURL,
"KekVaultResourceId": KeyVaultResourceId,
"KeyEncryptionAlgorithm": 'RSA-OAEP',
"VolumeType": 'ALL',
'SequenceVersion': sequence_version,
}
if(os_type.lower() =='windows') :
ext= VirtualMachineExtension(
location=vm.location,
publisher='Microsoft.Azure.Security',
virtual_machine_extension_type='AzureDiskEncryption',
type_handler_version='2.2',
auto_upgrade_minor_version=True,
settings=public_settings,
protected_settings=None
)
poller =compute_client.virtual_machine_extensions.create_or_update(parts['resource_group'],parts['name'],'test',ext)
else :
ext= VirtualMachineExtension(
location=vm.location,
publisher='Microsoft.Azure.Security',
virtual_machine_extension_type='AzureDiskEncryptionForLinux',
type_handler_version='1.1',
auto_upgrade_minor_version=True,
settings=public_settings,
protected_settings=None
)
poller =compute_client.virtual_machine_extensions.create_or_update(parts['resource_group'],parts['name'],'test',ext)
# verify the extension was ok
extension_result = compute_client.virtual_machine_extensions.get(
parts['resource_group'],parts['name'],'test', 'instanceView')
if extension_result.provisioning_state != 'Succeeded':
print('Extension needed for disk encryption was not provisioned correctly')
print("success")
For more details, please refer to
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/azure-disk-enc-windows
https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
