This repository contains sample templates for enabling the preview of the following encryption features:

- Encryption at rest for temp disks
- Encryption at rest for the cache of OS and data Managed Disks
- Encryption of data in transit for OS and data Managed Disks

The above encryption features are enabled by setting a new property, `encryptionAtHost`, under `securityProfile` of VMs/VMSSs using API version 2020-06-01 or above:

```json
"securityProfile": {
  "encryptionAtHost": "true"
}
```
You must get the feature enabled for your subscriptions before you use the `encryptionAtHost` property for your VM/VMSS. Send an email to AzureDisks@microsoft.com with your subscription IDs to get the feature enabled for your subscriptions.

- The feature is available only in the USCentralEUAP region.
- You cannot enable the feature if you have enabled Azure Disk Encryption (guest-VM encryption using BitLocker/dm-crypt) for your VMs/VMSSs, and vice versa.
- You have to deallocate your existing VMs to enable the encryption.
- You can enable the encryption for an existing VMSS. However, only new VMs created after enabling the encryption are encrypted.
- Legacy VM sizes are not supported. You can find the list of supported VM sizes by:

  a. Calling the Resource Skus API and checking that the `EncryptionAtHostSupported` capability is set to `True`:

     ```json
     {
       "resourceType": "virtualMachines",
       "name": "Standard_DS1_v2",
       "tier": "Standard",
       "size": "DS1_v2",
       "family": "standardDSv2Family",
       "locations": [ "CentralUSEUAP" ],
       "capabilities": [
         { "name": "EncryptionAtHostSupported", "value": "True" }
       ]
     }
     ```

  b. Calling the `Get-AzComputeResourceSku` PowerShell cmdlet:

     ```powershell
     # Keep only VM sizes offered in the region, then print those whose
     # EncryptionAtHostSupported capability is true (-eq is case-insensitive).
     $vmSizes = Get-AzComputeResourceSku |
         Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Locations.Contains('CentralUSEUAP') }

     foreach ($vmSize in $vmSizes) {
         foreach ($capability in $vmSize.Capabilities) {
             if ($capability.Name -eq 'EncryptionAtHostSupported' -and $capability.Value -eq 'true') {
                 $vmSize
             }
         }
     }
     ```
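The capability check from (a), carried out on a constructed sample response in Python. This is an added example, not one of this repository's templates and not Azure SDK code: it keeps only `virtualMachines` SKUs offered in the requested region that carry `EncryptionAtHostSupported` with a true value, compares region names and the capability value case-insensitively (the casing differs between the REST response and the PowerShell output above), and treats a size with no such capability, as legacy sizes have, as unsupported. The SKU records, all size names other than Standard_DS1_v2 and Standard_DS3_v2, and the `check_vm_size` helper are constructed for the example.

```python
import json

# Constructed sample in the shape of the Resource Skus API response (a "value"
# array of SKU records). Not real API output. It covers the cases that matter:
#   Standard_DS1_v2  - VM size in the region, capability set to "True"
#   Standard_DS3_v2  - same, but the region name is spelled in lower case
#   Standard_A1      - legacy size in the region, capability absent
#   Standard_DS2_v2  - supported size, but offered in a different region
#   Premium_LRS      - a disk SKU, not a VM size
SAMPLE_SKUS_JSON = """
{
  "value": [
    {"resourceType": "virtualMachines", "name": "Standard_DS1_v2", "tier": "Standard",
     "size": "DS1_v2", "family": "standardDSv2Family", "locations": ["CentralUSEUAP"],
     "capabilities": [{"name": "EncryptionAtHostSupported", "value": "True"}]},
    {"resourceType": "virtualMachines", "name": "Standard_DS3_v2", "tier": "Standard",
     "size": "DS3_v2", "family": "standardDSv2Family", "locations": ["centraluseuap"],
     "capabilities": [{"name": "vCPUs", "value": "4"},
                      {"name": "EncryptionAtHostSupported", "value": "True"}]},
    {"resourceType": "virtualMachines", "name": "Standard_A1", "tier": "Standard",
     "size": "A1", "family": "standardA0_A7Family", "locations": ["CentralUSEUAP"],
     "capabilities": [{"name": "vCPUs", "value": "1"}]},
    {"resourceType": "virtualMachines", "name": "Standard_DS2_v2", "tier": "Standard",
     "size": "DS2_v2", "family": "standardDSv2Family", "locations": ["WestUS"],
     "capabilities": [{"name": "EncryptionAtHostSupported", "value": "True"}]},
    {"resourceType": "disks", "name": "Premium_LRS", "tier": "Premium",
     "locations": ["CentralUSEUAP"],
     "capabilities": [{"name": "EncryptionAtHostSupported", "value": "True"}]}
  ]
}
"""
SAMPLE_SKUS = json.loads(SAMPLE_SKUS_JSON)["value"]


def _norm_region(name):
    """Normalise a region name so 'Central US EUAP', 'CentralUSEUAP' and 'centraluseuap' compare equal."""
    return name.replace(" ", "").lower()


def supports_encryption_at_host(sku):
    """True only if the record carries EncryptionAtHostSupported with a true value.
    A missing capability (legacy sizes) is treated as unsupported."""
    for cap in sku.get("capabilities", []):
        if cap.get("name") == "EncryptionAtHostSupported":
            return str(cap.get("value", "")).strip().lower() == "true"
    return False


def encryption_at_host_sizes(skus, region):
    """Sorted names of VM sizes offered in `region` that support Encryption at Host."""
    wanted = _norm_region(region)
    return sorted(
        sku["name"]
        for sku in skus
        if sku.get("resourceType") == "virtualMachines"
        and any(_norm_region(loc) == wanted for loc in sku.get("locations", []))
        and supports_encryption_at_host(sku)
    )


def check_vm_size(skus, region, vm_size):
    """Pre-flight check before setting encryptionAtHost: is this size usable in this region?
    Hypothetical helper; size names are compared case-insensitively."""
    return vm_size.lower() in (s.lower() for s in encryption_at_host_sizes(skus, region))


if __name__ == "__main__":
    print(encryption_at_host_sizes(SAMPLE_SKUS, "CentralUSEUAP"))
    print(check_vm_size(SAMPLE_SKUS, "CentralUSEUAP", "Standard_DS3_V2"))
```

Against a live subscription you would replace `SAMPLE_SKUS` with the `value` array returned by the Resource Skus API for your subscription; the filtering logic is unchanged.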
- Resizing a VM triggers validation that the new VM size supports the EncryptionAtHost feature.
- Follow the instructions here for creating a Key Vault for storing your keys and a DiskEncryptionSet pointing to a key in the Key Vault.
- Create a VM with managed disks by passing the resource URI of the DiskEncryptionSet created in step #1 to the sample template CreateVMWithDisksEncryptedInTransitAtRestWithCMK.json:

  ```powershell
  $password = ConvertTo-SecureString -String "yourPassword" -AsPlainText -Force
  New-AzResourceGroupDeployment -ResourceGroupName yourResourceGroupName `
      -TemplateUri "https://raw.githubusercontent.com/ramankumarlive/manageddisksendtoendencryptionpreview/master/CreateVMWithDisksEncryptedInTransitAtRestWithCMK.json" `
      -virtualMachineName "yourVMName" `
      -adminPassword $password `
      -vmSize "Standard_DS3_V2" `
      -diskEncryptionSetId "/subscriptions/dd80b94e-0463-4a65-8d04-c94f403879dc/resourceGroups/yourResourceGroupName/providers/Microsoft.Compute/diskEncryptionSets/yourDESName" `
      -region "CentralUSEUAP"
  ```
- Create a VM with managed disks using the sample template CreateVMWithDisksEncryptedInTransitAtRestWithPMK.json:

  ```powershell
  $password = ConvertTo-SecureString -String "Password@123" -AsPlainText -Force
  New-AzResourceGroupDeployment -ResourceGroupName CMKTesting `
      -TemplateUri "https://raw.githubusercontent.com/ramankumarlive/manageddisksendtoendencryptionpreview/master/CreateVMWithDisksEncryptedInTransitAtRestWithPMK.json" `
      -virtualMachineName "ramane2evm12" `
      -adminPassword $password `
      -vmSize "Standard_DS3_V2" `
      -region "CentralUSEUAP"
  ```