AzureDiskEncryption via Bicep

This blog post is about using the AzureDiskEncryption VM Extension for Azure via Bicep. I struggled with this for a while and couldn't find much information about the topic, so I decided to write a blog post about it.

The VM Extension itself is deployed the same way as, for example, the domain join VM Extension; what I struggled with were the parameters in its settings block.

Why would you want to use Bicep instead of, for example, PowerShell? With Bicep it is easier to deploy this in parallel when you deploy multiple VMs.

Prerequisites

These are the prerequisites for using the AzureDiskEncryption extension:

– The Bicep tools are installed and configured on your machine.
– An existing VM in your Azure subscription (for testing purposes; you can add the extension to a complete VM template later). You can review the deployment of a Windows VM via Bicep in another post of mine.
– An Azure Key Vault deployed and enabled for Azure template deployment. You can find the details here.

The VM Extension

This is the code for the VM Extension in Bicep.

Save this code as a .bicep file:

param vmName string = ''
param keyVaultName string = ''
param keyVaultResourceGroup string = ''
param keyEncryptionKeyURL string = ''
param location string = ''

var extensionName = 'AzureDiskEncryption'
// The Key Vault may live in another resource group, so build its resource ID explicitly.
var keyVaultResourceID = resourceId(keyVaultResourceGroup, 'Microsoft.KeyVault/vaults', keyVaultName)

resource DiskEncryption 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
  // Child resource name: '<VM name>/<extension name>'
  name: '${vmName}/${extensionName}'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryption'
    typeHandlerVersion: '2.2'
    autoUpgradeMinorVersion: true
    // Change this tag to make the extension run again on a redeploy
    forceUpdateTag: '1.0'
    settings: {
      EncryptionOperation: 'EnableEncryption'
      // Vault that stores the BitLocker secrets; the URI is resolved at deploy time
      KeyVaultURL: reference(keyVaultResourceID, '2019-09-01').vaultUri
      KeyVaultResourceId: keyVaultResourceID
      // Key Encryption Key (KEK) that wraps the per-VM secret; same vault here
      KeyEncryptionKeyURL: keyEncryptionKeyURL
      KekVaultResourceId: keyVaultResourceID
      KeyEncryptionAlgorithm: 'RSA-OAEP'
      // 'All' encrypts both the OS disk and the data disks
      VolumeType: 'All'
      ResizeOSDisk: false
    }
  }
}
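As an added example (not code from the original post), the same extension applied to several existing VMs in one deployment: a Bicep for loop expands into one extension resource per VM, which Resource Manager deploys in parallel, and the vault is resolved with an existing resource instead of reference(). The VM names and the other parameters are placeholders.

```bicep
// Added example: enable AzureDiskEncryption on several existing VMs at once.
// Placeholder VM names; override them at deployment time.
param vmNames array = [
  'TestVM-01'
  'TestVM-02'
]
param keyVaultName string
param keyVaultResourceGroup string
// Versioned URL of the Key Encryption Key, e.g. https://<vault>.vault.azure.net/keys/<key>/<version>
param keyEncryptionKeyURL string
param location string = resourceGroup().location

// Look up the existing vault in its own resource group; this gives us
// both its resource ID and its vault URI without a reference() call.
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroup)
}

// One extension resource per VM; the loop is deployed in parallel.
resource diskEncryption 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = [for vmName in vmNames: {
  name: '${vmName}/AzureDiskEncryption'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryption'
    typeHandlerVersion: '2.2'
    autoUpgradeMinorVersion: true
    settings: {
      EncryptionOperation: 'EnableEncryption'
      KeyVaultURL: keyVault.properties.vaultUri
      KeyVaultResourceId: keyVault.id
      KeyEncryptionKeyURL: keyEncryptionKeyURL
      KekVaultResourceId: keyVault.id
      KeyEncryptionAlgorithm: 'RSA-OAEP'
      VolumeType: 'All'
      ResizeOSDisk: false
    }
  }
}]

// Names of the deployed extensions, so the caller can verify each VM afterwards.
output extensionNames array = [for (vmName, i) in vmNames: diskEncryption[i].name]
```

Deploy it into the resource group that holds the VMs; the Key Vault can be in a different resource group, as in the single-VM template above.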

Example Deployment

I will now show the example to deploy AzureDiskEncryption via Bicep.

Firstly, we need to log on to Azure via the command line. I use the Azure CLI to do so. You can download and configure it via this link.

After that, you can log on to Azure using:

az login

Next, if you have multiple subscriptions, please select the appropriate subscription by using this command:

az account set --subscription <subscriptionid>

Now we can deploy the VM Extension on an existing VM and with an existing Key vault.

Use the following code to do so:

# PowerShell variables that are passed as parameters to the Bicep template
$vmName = "NielskokTech-TestVM"
$VMResourcegroup = "RG_WE_TestVM"
$keyVaultName = "NielsKokTech-Keyvault"
$keyVaultResourceGroup = "RG_WE_KeyVaults"
# Versioned URL of the Key Encryption Key (KEK) in the Key Vault
$keyEncryptionKeyURL = "https://nielskoktech-keyvault.vault.azure.net/keys/BitlockerKey/a96b711ca6a94e9eaf852222a902e342"
$location = "WestEurope"
$TemplateFile = "C:\Temp\DiskEncryptionExtension.bicep"

# Deploy into the VM's resource group; the Key Vault may live in another resource group
az deployment group create --resource-group $VMResourcegroup --template-file $TemplateFile --parameters vmName=$vmName keyVaultName=$keyVaultName keyVaultResourceGroup=$keyVaultResourceGroup keyEncryptionKeyURL=$keyEncryptionKeyURL location=$location

During the deployment, you can check the progress here:

[Screenshot: AzureDiskEncryption via Bicep - Deployment]

After that, you can see that AzureDiskEncryption is enabled on the VM.

8 thoughts on “AzureDiskEncryption via Bicep”

  1. Hi Niels

    Love your blog and your work.
    I have a question: I have a DevOps pipeline that builds AVD VMs using Terraform.
    Any idea how I could update my pipeline so it would enable ADE for all VMs that I have and future ones that I will build?

    • Hi David,

      You should add an extension to your Terraform template that also enables disk encryption. That should be possible.

      Thanks,
      Niels

  2. Yes, got it.

    "KeyEncryptionKeyURL": "https://${local.vaultname}.vault.azure.net/keys/${local.keyname}/${local.keyversion}",

    What to add in ${local.keyversion}?

  3. I did fix it, however I get this error.
    Did you ever see it?
    The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED'

    • Hi David,

      It depends; you can use 1 key or more. But, for every VM a separate key is created in Key Vault.

      Do you have it running?

      Thanks,
      Niels
