This blog post is about using the AzureDiskEncryption VM Extension for Azure via Bicep. I struggled with this for a while, and I couldn't find much information about the topic, so I decided to write a blog post about it.
The VM Extension works the same way as, for example, the domain join VM Extension; what I struggled with was the parameters.
Why would you use Bicep instead of, for example, PowerShell? With Bicep, it's easier to deploy this in parallel when you deploy multiple VMs.
Prerequisites
These are the prerequisites for using the AzureDiskEncryption extension:
– The bicep tools are installed and configured on your machine. Link
– Existing VM in your Azure subscription (for testing purposes, you can add it to a complete VM template later.) You can review the deployment of a Windows VM via Bicep in another post of mine.
– Azure Keyvault deployed and available for Azure template deployment. You can find the details here.
The VM Extension
This is the code for the VM Extension in Bicep.
Save this code as a .bicep file:
// Parameters: all are passed in at deployment time (see the example deployment below).
param vmName string = ''
param keyVaultName string = ''
param keyVaultResourceGroup string = ''
param keyEncryptionKeyURL string = ''
param location string = ''

var extensionName = 'AzureDiskEncryption'
// The Key Vault may live in a different resource group than the VM, so build its id explicitly.
var keyVaultResourceID = resourceId(keyVaultResourceGroup, 'Microsoft.KeyVault/vaults', keyVaultName)

resource DiskEncryption 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = {
  name: '${vmName}/${extensionName}'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryption'
    typeHandlerVersion: '2.2'
    autoUpgradeMinorVersion: true
    forceUpdateTag: '1.0'
    settings: {
      EncryptionOperation: 'EnableEncryption'
      // Vault that stores the BitLocker secrets; vaultUri is read from the existing vault.
      KeyVaultURL: reference(keyVaultResourceID, '2019-09-01').vaultUri
      KeyVaultResourceId: keyVaultResourceID
      // Key encryption key (KEK) that wraps the secrets; here it lives in the same vault.
      KeyEncryptionKeyURL: keyEncryptionKeyURL
      KekVaultResourceId: keyVaultResourceID
      KeyEncryptionAlgorithm: 'RSA-OAEP'
      VolumeType: 'All'
      ResizeOSDisk: false
    }
  }
}
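The template above encrypts a single VM. Because the reason given for choosing Bicep was parallel deployment across several VMs, here is an added example (my own code, not the original post's) that extends it: it takes an array of VM names, resolves the Key Vault once through an `existing` resource scoped to the vault's resource group instead of the `resourceId()`/`reference()` pair, and deploys the extension to every VM in a resource loop, which Azure runs in parallel by default. The parameter `vmNames`, the symbol `kv`, the output and the `@description` texts are my own; the example assumes all VMs are Windows VMs in the deployment's resource group (the Linux extension has a different type and version), that the Key Vault already has the enabled-for-disk-encryption setting switched on, and that one key encryption key is shared by all VMs.

```bicep
// Added example: AzureDiskEncryption for several Windows VMs in one Bicep deployment.
// Assumptions (not from the original post): all VMs live in the target resource
// group, the Key Vault is enabled for disk encryption, and one KEK is shared.

@description('Names of the existing VMs to encrypt; each gets its own extension resource.')
param vmNames array

@description('Name of the existing Key Vault that will hold the BitLocker secrets.')
param keyVaultName string

@description('Resource group of the Key Vault (may differ from the VM resource group).')
param keyVaultResourceGroup string

@description('Full versioned URL of the key encryption key: https://<vault>.vault.azure.net/keys/<key>/<version>.')
param keyEncryptionKeyURL string

param location string = resourceGroup().location

var extensionName = 'AzureDiskEncryption'

// Reference the vault once; Bicep resolves its id and vaultUri at deploy time,
// which replaces the resourceId()/reference() pair of the single-VM template.
resource kv 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroup)
}

// One extension resource per VM. Items of a resource loop are deployed in
// parallel unless a @batchSize decorator limits them.
resource diskEncryption 'Microsoft.Compute/virtualMachines/extensions@2020-06-01' = [for vmName in vmNames: {
  name: '${vmName}/${extensionName}'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryption'
    typeHandlerVersion: '2.2'
    autoUpgradeMinorVersion: true
    forceUpdateTag: '1.0'
    settings: {
      EncryptionOperation: 'EnableEncryption'
      KeyVaultURL: kv.properties.vaultUri
      KeyVaultResourceId: kv.id
      KeyEncryptionKeyURL: keyEncryptionKeyURL
      KekVaultResourceId: kv.id
      KeyEncryptionAlgorithm: 'RSA-OAEP'
      VolumeType: 'All'
      ResizeOSDisk: false
    }
  }
}]

// Expose the extension ids so a pipeline can check each VM's provisioning state afterwards.
output extensionIds array = [for (vmName, i) in vmNames: diskEncryption[i].id]
```

With the Azure CLI the array is passed as an inline JSON value, for example `--parameters vmNames='["<vm1>","<vm2>"]' keyVaultName=<vault> keyVaultResourceGroup=<vault-rg> keyEncryptionKeyURL=<kek-url>`, with the other switches as in the deployment below. Keeping the vault in its own resource group, as this template allows, lets you grant the VM deployment pipeline rights on the VM group without giving it rights to manage the vault itself.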
Example Deployment
I will now show the example to deploy AzureDiskEncryption via Bicep.
Firstly, we need to log on to Azure via the command line. I use the Azure CLI to do so. You can download and configure it via this link.
After that, you can log on to Azure using:
az login
Next, if you have multiple subscriptions, please select the appropriate subscription by using this command:
az account set --subscription <subscriptionid>
Now we can deploy the VM Extension on an existing VM with an existing Key Vault.
Use the following code to do so (PowerShell variables followed by an Azure CLI call):
# Target VM and the resource group the extension is deployed into
$vmName = "NielskokTech-TestVM"
$VMResourcegroup = "RG_WE_TestVM"
# Existing Key Vault (may be in a different resource group) and the versioned KEK URL
$keyVaultName = "NielsKokTech-Keyvault"
$keyVaultResourceGroup = "RG_WE_KeyVaults"
$keyEncryptionKeyURL = "https://nielskoktech-keyvault.vault.azure.net/keys/BitlockerKey/a96b711ca6a94e9eaf852222a902e342"
$location = "WestEurope"
# The .bicep file saved in the previous section
$TemplateFile = "C:\Temp\DiskEncryptionExtension.bicep"

az deployment group create `
  --resource-group $VMResourcegroup `
  --template-file $TemplateFile `
  --parameters vmName=$vmName keyVaultName=$keyVaultName keyVaultResourceGroup=$keyVaultResourceGroup keyEncryptionKeyURL=$keyEncryptionKeyURL location=$location
During the deployment, you can check the progress at this location:
This works, so thanks for the help!
Hi Niels
Love your blog and your work
I have a question. I have a DevOps pipeline that builds AVD VMs using Terraform.
Any idea how I could update my pipeline so it would enable ADE for all VMs that I have and any future ones that I will build?
Hi David,
You should add an extension to your Terraform template that also enables disk encryption. That should be possible.
Thanks,
Niels
Yes, got it.
"KeyEncryptionKeyURL": "https://${local.vaultname}.vault.azure.net/keys/${local.keyname}/${local.keyversion}",
What to add in ${local.keyversion}?
Hi David,
Thanks for the message. I didn't get the error. Did that fix it for you, or is it still going on?
Thanks,
Niels
I did fix it, however I get this error.
Did you ever see it?
The fault reason was: '0xc142506f RUNTIME_E_KEYVAULT_SECRET_WRAP_WITH_KEK_FAILED
Got it, it was a permission issue.
One more question: do you have 1 key for all DESs?
1 DES = 1 VM?
Hi David,
It depends; you can use 1 key or more. But for every VM a separate key is created in Key Vault.
Do you have it running?
Thanks,
Niels