
Setting up Azure Disk Encryption for a Virtual Machine with PowerShell

[Category: System (Windows) | Posted by 店小二05 | 2017 | Author: 红领巾]

As I discussed in my previous blog post, I opted to use Azure Disk Encryption for my virtual machines in Azure, rather than Storage Service Encryption. Azure Disk Encryption uses BitLocker inside the VM. Enabling Azure Disk Encryption involves these Azure services:

- Azure Active Directory, for a service principal (the identity the VM's encryption extension uses to write its key material to Key Vault)
- Azure Key Vault, for a KEK (key encryption key) which wraps, i.e. encrypts, the BEK (BitLocker encryption key) before it is stored in the vault
- Azure Virtual Machine (IaaS), the VM being encrypted

The following four scripts configure encryption for an existing VM. I initially had it all as one single script, but I purposely separated them. Now that they are modular, if you already have a Service Principal and/or a Key Vault, you can skip those steps. I have my 'real' version of these scripts stored in an ARM Visual Studio project (same logic, just with actual names for the Azure services). These PowerShell templates go along with other ARM templates to serve as source control for our Azure infrastructure.

As any expert will immediately know by looking at my scripts below, I'm pretty much a PowerShell novice. So, be kind dear reader. My purpose is to document the steps, the flow, add some commentary, and to pull together a couple pieces I found on different documentation pages.

Step 1: Set up Service Principal in AAD

<#
.SYNOPSIS
Creates Service Principal in Azure Active Directory
.DESCRIPTION
This script creates a service principal in Azure Active Directory.
A service principal is required to enable disk encryption for a VM.
.NOTES
File Name: CreateAADSvcPrinForDiskEncryption.ps1
Author : Melissa Coates
Notes: Be sure the variables in the input area are completed, following all standard naming conventions.
The $aadSvcPrinAppPassword needs to be removed before saving this script in source control.
.LINK
Supporting information:
https://blogs.msdn.microsoft.com/azuresecurity/2015/11/16/explore-azure-disk-encryption-with-azure-powershell/
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption
#>

#-----------------------------------------
#Input Area
$subscriptionName = 'MyAzureSubscriptionDev'
$aadSvcPrinAppDisplayName = 'VMEncryptionSvcPrinDev'
$aadSvcPrinAppHomePage = 'http://FakeURLBecauseItsNotReallyNeededForThisPurpose'
$aadSvcPrinAppIdentifierUri = 'https://DomainName.com/VMEncryptionSvcPrinDev'
#This password becomes the client secret that the disk encryption extension presents to Key Vault.
#It is passed in again when encryption is enabled on the VM, so treat it like any other credential:
#never commit it, and rotate it if it is ever exposed.
$aadSvcPrinAppPassword = 'SuperStrongPassword'

#-----------------------------------------
#Manual login into Azure
Login-AzureRmAccount -SubscriptionName $subscriptionName

#-----------------------------------------
#Create Service Principal App to Use For Encryption of VMs
#Note: later AzureRM.Resources releases (5.0 and up) expect a SecureString for -Password;
#convert the value before calling if you are on one of those.
$aadSvcPrinApplication = New-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName -HomePage $aadSvcPrinAppHomePage -IdentifierUris $aadSvcPrinAppIdentifierUri -Password $aadSvcPrinAppPassword
New-AzureRmADServicePrincipal -ApplicationId $aadSvcPrinApplication.ApplicationId

Step 2: Create Azure Key Vault

<#
.SYNOPSIS
Creates Azure Key Vault.
.DESCRIPTION
This script does the following:
1 - Creates a key vault in Azure.
2 - Grants the Azure Backup service permission to the key vault. This is required if a Recovery Services vault will be used for backups of the encrypted VM.
A key vault is required to enable disk encryption for a VM.
.NOTES
File Name: ProvisionAzureKeyVault.ps1
Author : Melissa Coates
Notes: Be sure the variables in the input area are completed, following all standard naming conventions.
The key vault must reside in the same region as the VM which will be encrypted.
A Premium key vault is being provisioned so that an HSM key can be created for the KEK.
The 262044b1-e2ce-469f-a196-69ab7ada62d3 ID is the application ID of the Azure Backup service (it is the same in every tenant, which is why it is not a variable).
.LINK
Supporting information:
https://blogs.msdn.microsoft.com/azuresecurity/2015/11/16/explore-azure-disk-encryption-with-azure-powershell/
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption
#>

#-----------------------------------------
#Input Area
$subscriptionName = 'MyAzureSubscriptionDev'
$resourceGroupName = 'MyDevRG'
$keyVaultName = 'KeyVault-Dev'
$keyVaultLocation = 'East US 2'

#-----------------------------------------
#Manual login into Azure
#Login-AzureRmAccount -SubscriptionName $subscriptionName

#-----------------------------------------
#Create Azure Key Vault
New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Location $keyVaultLocation -Sku 'Premium'

#-----------------------------------------
#Permit the Azure Backup service to access the key vault
#Backup needs to read (get/list) and back up the keys and secrets so that an encrypted VM can be restored;
#it does not need write access to either.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -PermissionsToKeys backup,get,list -PermissionsToSecrets get,list -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3

Step 3: Connect Service Principal with Key Vault

<#
.SYNOPSIS
Enables the service principal for VM disk encryption to communicate with Key Vault.
.DESCRIPTION
This script does the following:
A - Grants the service principal the selective permissions to the key vault so that disk encryption functionality works.
B - Creates a KEK (Key Encryption Key). For Disk Encryption, a KEK is required in addition to the BEK (BitLocker Encryption Key).
Prerequisite 1: Service Principal name (see CreateAADSvcPrinForDiskEncryption.ps1)
Prerequisite 2: Azure Key Vault (see ProvisionAzureKeyVault.ps1)
.NOTES
File Name: EnableSvcPrinWithKeyVaultForDiskEncryption.ps1
Author : Melissa Coates
Notes: Be sure the variables in the input area are completed, following all standard naming conventions.
The key vault must reside in the same region as the VM being encrypted.
The key type can be either HSM or Software (HSM offers additional security but does require a Premium key vault).
.LINK
Supporting information:
https://blogs.msdn.microsoft.com/azuresecurity/2015/11/16/explore-azure-disk-encryption-with-azure-powershell/
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption
#>

#-----------------------------------------
#Input Area
$subscriptionName = 'MyAzureSubscriptionDev'
$resourceGroupName = 'MyDevRG'
$aadSvcPrinAppDisplayName = 'VMEncryptionSvcPrinDev'
$keyVaultName = 'KeyVault-Dev'
$keyName = 'VMEncryption-KEK'
$keyType = 'HSM'

#-----------------------------------------
#Manual login into Azure
#Login-AzureRmAccount -SubscriptionName $subscriptionName

#-----------------------------------------
#Allow the Service Principal Permissions to the Key Vault
#WrapKey on keys (to wrap the BEK with the KEK) and Set on secrets (to store the wrapped BEK) are the only
#permissions the encryption extension needs; do not grant it get/list/delete on either.
$aadSvcPrinApplication = Get-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadSvcPrinApplication.ApplicationId -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $resourceGroupName

#-----------------------------------------
#Create KEK in the Key Vault (-Destination is 'HSM' or 'Software')
Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyName -Destination $keyType

#-----------------------------------------
#Allow Azure platform access to the KEK
#This vault-level flag lets the Azure platform (not the service principal) retrieve the key material
#when the VM boots.
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption
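Before the VM itself is touched, it is worth confirming that the three scripts above actually left the vault in the state Azure Disk Encryption requires. The pre-flight script below is an added example and is not part of Melissa Coates's post; it reuses the post's placeholder names, adds a hypothetical VM name ($vmName = 'MyDevVM01'), and uses AzureRM cmdlets of the same generation as the scripts above. The 262044b1-e2ce-469f-a196-69ab7ada62d3 GUID is the application ID of the Azure Backup service. Each check mirrors a requirement stated in the scripts' notes: same region as the VM, EnabledForDiskEncryption set, an enabled HSM-backed KEK on a Premium vault, a least-privilege policy for the service principal (WrapKey and Set only), and a policy for the Backup service.

```powershell
<#
Added example (not from the original post): pre-flight checks for the Key Vault
and service principal configured by the three scripts above.
Assumptions: the Input Area names match those scripts; $vmName is hypothetical.
#>

#-----------------------------------------
#Input Area (assumed to match the earlier scripts)
$subscriptionName         = 'MyAzureSubscriptionDev'
$resourceGroupName        = 'MyDevRG'
$keyVaultName             = 'KeyVault-Dev'
$keyName                  = 'VMEncryption-KEK'
$aadSvcPrinAppDisplayName = 'VMEncryptionSvcPrinDev'
$vmName                   = 'MyDevVM01'                               # hypothetical VM name
$backupServiceAppId       = '262044b1-e2ce-469f-a196-69ab7ada62d3'    # Azure Backup service application ID

#Login-AzureRmAccount -SubscriptionName $subscriptionName

#-----------------------------------------
#Collect failures instead of stopping at the first one, so a single run reports everything
$findings = New-Object System.Collections.Generic.List[string]
function Assert-Check {
    param([bool]$Condition, [string]$Message)
    if ($Condition) { Write-Host "[PASS] $Message" }
    else            { Write-Warning "[FAIL] $Message"; $findings.Add($Message) }
}

#Access policies are stored by the service principal's object ID, not its application ID
function Get-SpObjectId([string]$ServicePrincipalName) {
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ServicePrincipalName
    if (-not $sp) { return $null }
    return [string]$sp.Id
}

$vault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
$vm    = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName
$kek   = Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyName

#1. Vault and VM must be in the same region
Assert-Check ($vault.Location -eq $vm.Location) "Key vault '$keyVaultName' and VM '$vmName' share a region ($($vault.Location))"

#2. The platform must be allowed to retrieve the key material at boot
Assert-Check ([bool]$vault.EnabledForDiskEncryption) "Vault has EnabledForDiskEncryption set"

#3. KEK exists, is enabled, and is HSM-backed when the vault is Premium
Assert-Check ($null -ne $kek -and [bool]$kek.Attributes.Enabled) "KEK '$keyName' exists and is enabled"
if ($kek) {
    Assert-Check ($vault.Sku -ne 'Premium' -or $kek.Key.Kty -eq 'RSA-HSM') "KEK is HSM-backed on a Premium vault (kty=$($kek.Key.Kty))"
}

#4. Service principal policy: exactly WrapKey on keys and Set on secrets
$app      = Get-AzureRmADApplication -DisplayName $aadSvcPrinAppDisplayName
$spOid    = Get-SpObjectId ([string]$app.ApplicationId)
$spPolicy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $spOid }
Assert-Check ($null -ne $spPolicy) "Access policy exists for service principal '$aadSvcPrinAppDisplayName'"
if ($spPolicy) {
    $keyPerms    = @($spPolicy.PermissionsToKeys    | ForEach-Object { $_.ToLower() })
    $secretPerms = @($spPolicy.PermissionsToSecrets | ForEach-Object { $_.ToLower() })
    Assert-Check (($keyPerms -contains 'wrapkey') -and ($secretPerms -contains 'set')) "Service principal has WrapKey on keys and Set on secrets"
    $extraKey    = @($keyPerms    | Where-Object { $_ -ne 'wrapkey' }).Count
    $extraSecret = @($secretPerms | Where-Object { $_ -ne 'set' }).Count
    Assert-Check (($extraKey -eq 0) -and ($extraSecret -eq 0)) "Service principal has no permissions beyond WrapKey/Set (least privilege)"
}

#5. Azure Backup policy present, so an encrypted VM can later be backed up and restored
$backupOid    = Get-SpObjectId $backupServiceAppId
$backupPolicy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $backupOid }
Assert-Check ($null -ne $backupPolicy) "Access policy exists for the Azure Backup service"

#6. Record the VM's current encryption state (expected: NotEncrypted before Step 4 runs)
$status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName
Write-Host "Current state - OS volume: $($status.OsVolumeEncrypted); data volumes: $($status.DataVolumesEncrypted)"

if ($findings.Count -gt 0) { throw "Pre-flight failed: $($findings.Count) check(s) did not pass" }
Write-Host "Pre-flight passed; the VM can be encrypted against '$keyVaultName' with KEK '$keyName'."
```

Run it after Step 3 and again after any change to the vault's access policies: because Key Vault policies are vault-wide, a later script that grants a broader permission set to the same service principal (for example get or list on secrets) will fail check 4, which is exactly the regression a least-privilege review wants to catch.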

S

Page 1 of 2
Source page: http://www.codesec.net/view/533647.html