This template creates a fully-encrypted RHEL 7.2 VM in Azure. The VM consists of:
- 30 GB encrypted OS drive.
- A 200 GB RAID-0 array mounted at
/mnt/raidencrypted
.
Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault. You will need client ID and client secret of an AAD application to enable key vault authentication.
The AzureDiskEncryptionPreRequisiteSetup.ps1 script can be used to create the Key Vault and assign appropriate access policies.
It will take roughly one hour to encrypt the OS drive. You can monitor the encryption progress by calling Get-AzureRmVmDiskEncryptionStatus
PowerShell cmdlet as shown below.
C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
-ExtensionName $ExtensionName
OsVolumeEncrypted : EncryptionInProgress
DataVolumesEncrypted : EncryptionInProgress
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage : OS disk encryption started
Once the cmdlet shows the message VMRestartPending
, like the one show below, reboot the VM.
C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
-ExtensionName $ExtensionName
OsVolumeEncrypted : VMRestartPending
DataVolumesEncrypted : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage : OS disk successfully encrypted, please reboot the VM
After you reboot the VM, this will be the final layout:
# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
fd0 2:0 1 4K 0 disk
sda 8:0 0 30G 0 disk
├─sda1 8:1 0 500M 0 part
└─sda2 8:2 0 29.5G 0 part
└─osencrypt 253:0 0 29.5G 0 crypt /
sdb 8:16 0 14G 0 disk
└─sdb1 8:17 0 14G 0 part /mnt/resource
sdc 8:32 0 48M 0 disk
└─sdc1 8:33 0 47M 0 part
sdd 8:48 0 100G 0 disk
└─md0 9:0 0 199.9G 0 raid0
└─a717a295-61e2-4de9-9b27-689f3f6d5831 253:1 0 199.9G 0 crypt /mnt/encryptedraid
sde 8:64 0 100G 0 disk
└─md0 9:0 0 199.9G 0 raid0
└─a717a295-61e2-4de9-9b27-689f3f6d5831 253:1 0 199.9G 0 crypt /mnt/encryptedraid
/
will be mounted mounted from a AES-256 bit encrypted drive:
# cryptsetup status osencrypt
/dev/mapper/osencrypt is active and is in use.
type: n/a
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/sda2
offset: 0 sectors
size: 61888512 sectors
mode: read/write
While /mnt/encryptedraid
will point to the 200 GB RAID array:
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/osencrypt 30G 1.8G 28G 6% /
devtmpfs 3.4G 0 3.4G 0% /dev
tmpfs 3.5G 0 3.5G 0% /dev/shm
tmpfs 3.5G 8.3M 3.4G 1% /run
tmpfs 3.5G 0 3.5G 0% /sys/fs/cgroup
/dev/sdb1 14G 2.1G 11G 16% /mnt/resource
tmpfs 697M 0 697M 0% /run/user/1000
/dev/dm-1 197G 61M 187G 1% /mnt/encryptedraid
If you run the Get-AzureRmVmDiskEncryptionStatus
cmdlet again, you will see updated encryption status:
C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
-ExtensionName $ExtensionName
OsVolumeEncrypted : Encrypted
DataVolumesEncrypted : Encrypted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage : [KeyVault URL of LUKS passphrase secret]