First, let's talk about why this article is focusing on Managed Disks in particular. Microsoft made Managed Disks generally available on February 8th, 2017. This awesome new feature removed a lot of the complexity and management overhead of dealing with Storage Accounts for VM disk storage. The drawback, as is often a complaint with Azure, is the official documentation has yet to really catch up. This can lead to hours of head scratching and frustration for Azure administrators trying to successfully encrypt and backup their virtual machines.

Microsoft provides PowerShell scripts to complete both the prerequisite setup and the installation of the encryption VM extension. Rather than reinventing the wheel, I will simply walk you through the adjustments I made to the Microsoft-provided scripts to get this working. To start, the original copy of Microsoft's scripts can be found here. Microsoft's scripts have several issues, and my adjustments fix the following:

Enable KEK+BEK (required for proper Azure Backup functionality)

Add proper permissions to the Key Vault for Azure Backup service principal

Add switches to VM encryption extension to enable the use of KEK and properly encrypt Managed Disks

Prepare the Environment

First, we need an environment to perform the changes. I strongly recommend performing this in a test environment to ensure you are comfortable with all of the involved steps before moving on to production. I provide no warranty and accept no responsibility for the result of any actions taken against any environment using the information contained in this article. Proceed at your own risk. I have created a simple environment which contains a Windows VM with OS and data Managed Disks and a Recovery Services vault (I have not yet configured the VM for backups, however).

Now that we have an environment deployed and ready to encrypt, we can proceed with deploying the prerequisites for Azure Disk Encryption. My version of the scripts can be downloaded here. I will outline the changes I made to each script for the sake of edification. The changes I made to the AzureDiskEncryptionPrerequisiteSetup.ps1 script are:

Set the $keyencryptionkeyname parameter to Mandatory = $true

Added a line to assign the proper permissions to the key vault for the Azure Backup service principal

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3

Now, let's run the script:

Download my updated scripts here. Run AzureDiskEncryptionPrerequisiteSetup.ps1 and answer the prompts within the script. When the script displays the output of the Azure AD Application details, be sure to save this data somewhere safe. I recommend putting it in your password or secret vault software of choice.

Encrypt the VM(s)

Now we can encrypt the VM by installing the Azure Disk Encryption VM Extension.

Open the AzureDiskEncryptionInstall.ps1 script. Change the values of each variable as they pertain to your environment, using the information output by the prerequisite script run previously (the $keyvaultresourceid and $keyencryptionkeyvaultID values will be the same). Run the script. This operation may take 10-15 minutes to complete, and the VM will restart during the process.

The important parts of this script, which allow proper encryption and backup of Managed Disks specifically, are:

-KeyEncryptionKeyURL and -KeyEncryptionKeyVaultID switches (required to encrypt the VMs using KEK+BEK, the required mode to utilize Azure Backup)

-skipVMbackup switch (required to encrypt Managed Disks)
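The core AzureRM cmdlet sequence that the two adjusted scripts boil down to (the Key Vault policy for the Backup service principal from the prerequisite script, then the extension install with the KEK and -SkipVmBackup switches), as an added example that is not the author's or Microsoft's script. Resource group, VM, vault and key names are placeholders, as are the AAD application values, which come from the prerequisite script's output.

```powershell
# Added example: the core AzureRM cmdlets behind the two adjusted scripts.
# Requires the AzureRM.KeyVault and AzureRM.Compute modules and an existing
# Login-AzureRmAccount session. All names below are placeholders.
$resourceGroupName    = 'rg-ade-test'                # placeholder
$vmName               = 'vm-ade-test'                # placeholder
$keyVaultName         = 'kv-ade-test'                # placeholder
$keyEncryptionKeyName = 'ade-kek'                    # placeholder
$aadClientID          = '<app-id-from-prereq-script>'     # printed by prerequisite script
$aadClientSecret      = '<secret-from-prereq-script>'     # printed by prerequisite script
# Azure Backup service principal, the ID the article grants access to
$backupServicePrincipal = '262044b1-e2ce-469f-a196-69ab7ada62d3'

# 1. The vault must allow disk encryption, and Azure Backup must be able to
#    read and back up the keys and secrets it will need at restore time.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName `
    -ServicePrincipalName $backupServicePrincipal `
    -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list

# 2. Create the KEK (it wraps the per-disk BEK) unless it already exists, and
#    resolve the vault IDs the extension needs. With KEK+BEK in a single vault,
#    both vault ID values are the same, as the article notes.
$kek = Get-AzureRmKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzureRmKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName -Destination 'Software'
}
$vault              = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
$keyVaultResourceId = $vault.ResourceId
$keyVaultUri        = $vault.VaultUri

# 3. Install the extension. -KeyEncryptionKeyUrl/-KeyEncryptionKeyVaultId switch
#    the VM to KEK+BEK; -SkipVmBackup lets the extension run against Managed
#    Disks. The VM reboots during this step.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName `
    -AadClientID $aadClientID -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $keyVaultUri -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $keyVaultResourceId `
    -VolumeType All -SkipVmBackup -Force

# 4. Verify before enabling Azure Backup: OS and data volumes should both report Encrypted.
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings
if ($status.OsVolumeEncrypted -ne 'Encrypted' -or $status.DataVolumesEncrypted -ne 'Encrypted') {
    throw "Encryption did not complete: OS=$($status.OsVolumeEncrypted) Data=$($status.DataVolumesEncrypted)"
}
```

The status check in step 4 is the PowerShell-side equivalent of the portal's Disks view check described below, and it fails fast if a data disk was left unencrypted.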

If the operation is successful we should see some positive feedback in PowerShell:

We can also verify that encryption has been enabled in the Azure Portal. Browse to the VM and then Disks submenu to view all disks at once:

Configure VM Backups

Now that we have verified our disks are encrypted, we can configure the VM for backup protection using Azure Backup and kick off an immediate backup job to verify everything is in order.

Success!

We are now able to modernize our VM deployments by utilizing Managed Disks, while preserving our data protection strategies using Azure Disk Encryption and Azure Backup.
