Enable disk encryption for Azure Service Fabric cluster nodes in Windows
In this tutorial, you'll learn how to enable disk encryption on Service Fabric cluster nodes in Windows. Each node type in a cluster is backed by its own virtual machine scale set, so repeat these steps for every node type (that is, every scale set) in the cluster. To encrypt the nodes, we'll use the Azure Disk Encryption capability for virtual machine scale sets.
The guide covers the following topics:
Key concepts to be aware of when enabling disk encryption on Service Fabric cluster virtual machine scale sets in Windows.
Steps to be followed before enabling disk encryption on Service Fabric cluster nodes in Windows.
Steps to be followed to enable disk encryption on Service Fabric cluster nodes in Windows.
Create a key vault in the same subscription and region as the scale set, then turn on its EnabledForDiskEncryption access policy. You can do this with the Set-AzKeyVaultAccessPolicy cmdlet (its -EnabledForDiskEncryption switch) or from the Key Vault access configuration in the Azure portal.
Install the latest version of the Azure CLI, which includes the az vmss encryption commands used later in this article.
Install the latest Azure PowerShell (Az) release. The following Az.Compute cmdlets enable (set) encryption, retrieve (get) encryption status, and remove (disable) encryption on a virtual machine scale set:
Command                              Version          Source
Get-AzVmssDiskEncryptionStatus       1.0.0 or later   Az.Compute
Get-AzVmssVMDiskEncryptionStatus     1.0.0 or later   Az.Compute
Disable-AzVmssDiskEncryption         1.0.0 or later   Az.Compute
Get-AzVmssDiskEncryption             1.0.0 or later   Az.Compute
Get-AzVmssVMDiskEncryption           1.0.0 or later   Az.Compute
Set-AzVmssDiskEncryptionExtension    1.0.0 or later   Az.Compute
Supported scenarios for disk encryption
Encryption for virtual machine scale sets is supported only for scale sets created with managed disks. It's not supported for native (or unmanaged) disk scale sets.
Enabling and disabling encryption are both supported for OS and data volumes in virtual machine scale sets in Windows.
Virtual machine reimage and upgrade operations for virtual machine scale sets aren't supported in the current preview.
Create a new cluster and enable disk encryption
Use the following commands to create a cluster and enable disk encryption by using an Azure Resource Manager template and a self-signed certificate.
If you already have a custom template, double-check that all three certificate-related parameters in the template and the parameter file are named as follows and that values are null as follows:
To verify that encryption is enabled for the scale set, show its encryption status:
az vmss encryption show -g <resourceGroupName> -n <VMSS name>
Additionally, you can sign in to the virtual machine scale set and make sure the drives are encrypted.
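The following PowerShell script is an added example, not code from the original article or from Service Fabric itself. It walks the prerequisites and the enable step for one node type with the Az.KeyVault and Az.Compute cmdlets listed above, adds the two preflight checks the supported-scenarios list implies (managed disks, vault in the same region as the scale set), and finishes with the scale-set and per-instance status checks. The resource group, region, vault and scale set names are placeholders, and the property names shown in the final status output are those reported by Get-AzVmssVMDiskEncryption in Az.Compute.

```powershell
# Added example (not from the original article): prerequisites, enabling Azure Disk
# Encryption on one node type's scale set, and a status check, using Az.KeyVault and
# Az.Compute (1.0.0 or later). Every name below is a placeholder (assumption).
$ResourceGroup = 'sf-rg'       # assumption: resource group holding the cluster's scale sets
$Location      = 'westus2'     # assumption: region of the scale set; the vault must match it
$VaultName     = 'sf-ade-kv'   # assumption: globally unique Key Vault name
$VmssName      = 'nt1vm'       # assumption: scale set of the node type being encrypted
$VolumeType    = 'All'         # 'OS', 'Data' or 'All'; OS and data volumes are both supported on Windows

Connect-AzAccount | Out-Null

# 1. Key Vault in the same subscription and region as the scale set (created only if absent).
$kv = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location
}

# 2. EnabledForDiskEncryption lets the Azure platform read the volume-encryption secrets
#    that the disk encryption extension stores in this vault.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup -EnabledForDiskEncryption

# 3. Preflight: managed disks and a matching region, or the enable call fails later.
$vmss = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName
if ($vmss.Location -ne $kv.Location) {
    throw "Key Vault is in $($kv.Location) but scale set '$VmssName' is in $($vmss.Location)."
}
if (-not $vmss.VirtualMachineProfile.StorageProfile.OsDisk.ManagedDisk) {
    throw "Scale set '$VmssName' uses unmanaged disks; Azure Disk Encryption requires managed disks."
}

# 4. Apply the encryption extension to the whole scale set. Run once per node type, and
#    check cluster health before moving on to the next node type.
Set-AzVmssDiskEncryptionExtension -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType $VolumeType -Force

# 5. Scale-set model first, then each instance. An instance still reporting
#    EncryptionExtensionInstalled = False has not yet picked up the updated model.
Get-AzVmssDiskEncryption -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName

Get-AzVmssVM -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName | ForEach-Object {
    Get-AzVmssVMDiskEncryption -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName -InstanceId $_.InstanceId |
        Select-Object InstanceId, EncryptionEnabled, EncryptionExtensionInstalled
}
```

The per-instance loop is the check worth keeping: the scale-set model can report encryption as enabled while individual nodes that have not yet received the new model are still unencrypted, and signing in to a node (as the article suggests) only tells you about that one node.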
Disable disk encryption for a virtual machine scale set in a Service Fabric cluster
Disable disk encryption for a virtual machine scale set by running the following commands. Note that disabling disk encryption applies to the entire virtual machine scale set and not an individual instance.
az vmss encryption disable -g <resourceGroupName> -n <VMSS name>
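The same operation with the Disable-AzVmssDiskEncryption cmdlet, followed by a check that the change reached every instance, as an added example that is not part of the original article. Because disabling applies to the whole scale set and not to an individual instance, any instance that still reports encryption after the call is one the updated model has not reached yet, which the warning at the end surfaces. Names are placeholders, and the property names used are those reported by Get-AzVmssVMDiskEncryption in Az.Compute.

```powershell
# Added example (not from the original article): disable Azure Disk Encryption for one
# scale set and confirm that every instance reports it.
$ResourceGroup = 'sf-rg'   # assumption: resource group holding the scale set
$VmssName      = 'nt1vm'   # assumption: scale set of the node type
$VolumeType    = 'All'     # 'OS', 'Data' or 'All'; match what was enabled

# Scale-set-wide: there is no per-instance switch.
Disable-AzVmssDiskEncryption -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName `
    -VolumeType $VolumeType -Force

# Per-instance status (property names as reported by Get-AzVmssVMDiskEncryption in Az.Compute).
$status = Get-AzVmssVM -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName | ForEach-Object {
    Get-AzVmssVMDiskEncryption -ResourceGroupName $ResourceGroup -VMScaleSetName $VmssName -InstanceId $_.InstanceId
}
$status | Select-Object InstanceId, EncryptionEnabled, EncryptionExtensionInstalled | Format-Table

# Instances that still report encryption have not received the updated scale-set model yet.
$pending = @($status | Where-Object { $_.EncryptionEnabled })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) instance(s) still report encryption enabled; re-check once the scale set model has propagated."
}
```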
Next steps
At this point, you should have a secure cluster and know how to enable and disable disk encryption for Service Fabric cluster nodes and virtual machine scale sets. For similar guidance on Service Fabric cluster nodes in Linux, see Disk Encryption for Linux.