Use the Azure PowerShell module to enable double encryption at rest for managed disks
Applies to: ✔️ Windows VMs
Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, and other managed disk encryption types, see the Double encryption at rest section of our disk encryption article.
Restrictions
Double encryption at rest isn't currently supported with either Ultra Disks or Premium SSD v2 disks.
Prerequisites
Install the latest Azure PowerShell version, and sign in to an Azure account using Connect-AzAccount.
Getting started
Create an instance of Azure Key Vault and encryption key.
When creating the Key Vault instance, you must enable soft delete and purge protection. Soft delete ensures that the Key Vault holds a deleted key for a given retention period (90 day default). Purge protection ensures that a deleted key can't be permanently deleted until the retention period lapses. These settings protect you from losing data due to accidental deletion. These settings are mandatory when using a Key Vault for encrypting managed disks.
$ResourceGroupName="yourResourceGroupName" $LocationName="westus2" $keyVaultName="yourKeyVaultName" $keyName="yourKeyName" $keyDestination="Software" $diskEncryptionSetName="yourDiskEncryptionSetName" $keyVault = New-AzKeyVault -Name $keyVaultName -ResourceGroupName $ResourceGroupName -Location $LocationName -EnableSoftDelete -EnablePurgeProtection $key = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName -Destination $keyDestinationRetrieve the URL for the key you created, you'll need it for subsequent commands. The ID output from
Get-AzKeyVaultKeyis the key URL.Get-AzKeyVaultKey -VaultName $keyVaultName -KeyName $keyNameGet the resource ID for the Key Vault instance you created, you'll need it for subsequent commands.
Get-AzKeyVault -VaultName $keyVaultNameCreate a DiskEncryptionSet with encryptionType set as EncryptionAtRestWithPlatformAndCustomerKeys. Replace
yourKeyURLandyourKeyVaultURLwith the URLs you retrieved earlier.$config = New-AzDiskEncryptionSetConfig -Location $locationName -KeyUrl "yourKeyURL" -SourceVaultId 'yourKeyVaultURL' -IdentityType 'SystemAssigned' $config | New-AzDiskEncryptionSet -ResourceGroupName $ResourceGroupName -Name $diskEncryptionSetName -EncryptionType EncryptionAtRestWithPlatformAndCustomerKeysGrant the DiskEncryptionSet resource access to the key vault.
Note
It may take few minutes for Azure to create the identity of your DiskEncryptionSet in your Microsoft Entra ID. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again.
$des=Get-AzDiskEncryptionSet -name $diskEncryptionSetName -ResourceGroupName $ResourceGroupName Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $des.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
Next steps
Now that you've created and configured these resources, you can use them to secure your managed disks. The following links contain example scripts, each with a respective scenario, that you can use to secure your managed disks.
Tilbakemeldinger
Kommer snart: Gjennom 2024 faser vi ut GitHub Issues som tilbakemeldingsmekanisme for innhold, og erstatter det med et nytt system for tilbakemeldinger. Hvis du vil ha mer informasjon, kan du se: https://aka.ms/ContentUserFeedback.
Send inn og vis tilbakemelding for