Set-AzureRmVMDiskEncryptionExtension
NAME Set-AzureRmVMDiskEncryptionExtension
SYNOPSIS
Enables encryption on a running IaaS virtual machine in Azure.
SYNTAX
Set-AzureRmVMDiskEncryptionExtension [-ResourceGroupName] <String> [-VMName] <String> [[-SequenceVersion] <String>] [[-TypeHandlerVersion]
<String>] [[-Name] <String>] [[-Passphrase] <String>] [[-DisableAutoUpgradeMinorVersion]] [[-SkipVmBackup]] [-AadClientID] <String>
[-AadClientCertThumbprint] <String> [-DiskEncryptionKeyVaultUrl] <String> [-DiskEncryptionKeyVaultId] <String> [[-KeyEncryptionKeyUrl] <String>]
[[-KeyEncryptionKeyVaultId] <String>] [[-KeyEncryptionAlgorithm] {RSA-OAEP | RSA1_5}] [[-VolumeType] {OS | Data | All}] [-DefaultProfile
<IAzureContextContainer>] [-EncryptFormatAll] [-ExtensionPublisherName <String>] [-ExtensionType <String>] [-Force] [-Confirm] [-WhatIf]
[<CommonParameters>]
Set-AzureRmVMDiskEncryptionExtension [-ResourceGroupName] <String> [-VMName] <String> [[-SequenceVersion] <String>] [[-TypeHandlerVersion]
<String>] [[-Name] <String>] [[-Passphrase] <String>] [[-DisableAutoUpgradeMinorVersion]] [[-SkipVmBackup]] [-AadClientID] <String>
[-AadClientSecret] <String> [-DiskEncryptionKeyVaultUrl] <String> [-DiskEncryptionKeyVaultId] <String> [[-KeyEncryptionKeyUrl] <String>]
[[-KeyEncryptionKeyVaultId] <String>] [[-KeyEncryptionAlgorithm] {RSA-OAEP | RSA1_5}] [[-VolumeType] {OS | Data | All}] [-DefaultProfile
<IAzureContextContainer>] [-EncryptFormatAll] [-ExtensionPublisherName <String>] [-ExtensionType <String>] [-Force] [-Confirm] [-WhatIf]
[<CommonParameters>]
DESCRIPTION
The Set-AzureRmVMDiskEncryptionExtension cmdlet enables encryption on a running infrastructure as a service (IaaS) virtual machine in Azure. The
cmdlet enables encryption by installing the disk encryption extension on the virtual machine. If no Name parameter is specified, an extension with
the default name AzureDiskEncryption (for virtual machines that run the Windows operating system) or AzureDiskEncryptionForLinux (for Linux virtual
machines) is installed. This cmdlet requires confirmation from the user because one of the steps to enable encryption requires a restart of the
virtual machine. It is advised that you save your work on the virtual machine before you run this cmdlet.
PARAMETERS
-AadClientCertThumbprint <String>
Specifies the thumbprint of the Azure Active Directory (Azure AD) application client certificate that has permissions to write secrets to
KeyVault. As a prerequisite, the Azure AD client certificate must be previously deployed to the virtual machine's local computer `my`
certificate store. The Add-AzureRmVMSecret cmdlet can be used to deploy a certificate to a virtual machine in Azure. For more details, see the
Add-AzureRmVMSecret cmdlet help.
Required? true
Position? 3
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AadClientID <String>
Specifies the client ID of the Azure AD application that has permissions to write secrets to KeyVault.
Required? true
Position? 2
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-AadClientSecret <String>
Specifies the client secret of the Azure AD application that has permissions to write secrets to KeyVault.
Required? true
Position? 3
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-DefaultProfile <IAzureContextContainer>
The credentials, account, tenant, and subscription used for communication with Azure.
Required? false
Position? named
Default value None
Accept pipeline input? False
Accept wildcard characters? false
-DisableAutoUpgradeMinorVersion [<SwitchParameter>]
Indicates that this cmdlet disables auto-upgrade of the minor version of the extension.
Required? false
Position? 14
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-DiskEncryptionKeyVaultId <String>
Specifies the resource ID of the KeyVault to which the virtual machine encryption keys should be uploaded.
Required? true
Position? 5
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-DiskEncryptionKeyVaultUrl <String>
Specifies the KeyVault URL to which the virtual machine encryption keys should be uploaded.
Required? true
Position? 4
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-EncryptFormatAll [<SwitchParameter>]
Encrypt-Format all data drives that are not already encrypted. Formatting erases any existing data on those drives.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-ExtensionPublisherName <String>
The extension publisher name. Specify this parameter only to override the default value of "Microsoft.Azure.Security".
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ExtensionType <String>
The extension type. Specify this parameter to override its default value of "AzureDiskEncryption" for Windows VMs and
"AzureDiskEncryptionForLinux" for Linux VMs.
Required? false
Position? named
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Force [<SwitchParameter>]
Forces the command to run without asking for user confirmation.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-KeyEncryptionAlgorithm <String>
Specifies the algorithm that is used to wrap and unwrap the key encryption key of the virtual machine. The default value is RSA-OAEP.
Required? false
Position? 8
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-KeyEncryptionKeyUrl <String>
Specifies the URL of the key encryption key that is used to wrap and unwrap the virtual machine encryption key. This must be the full
versioned URL.
Required? false
Position? 6
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-KeyEncryptionKeyVaultId <String>
Specifies the resource ID of the KeyVault that contains the key encryption key that is used to wrap and unwrap the virtual machine encryption
key. This must be a full versioned URL.
Required? false
Position? 7
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Name <String>
Specifies the name of the Azure Resource Manager resource that represents the extension. The default value is AzureDiskEncryption for virtual
machines that run the Windows operating system or AzureDiskEncryptionForLinux for Linux virtual machines.
Required? false
Position? 12
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Passphrase <String>
Specifies the passphrase used for encrypting Linux virtual machines only. This parameter is not used for virtual machines that run the Windows
operating system.
Required? false
Position? 13
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-ResourceGroupName <String>
Specifies the name of the resource group of the virtual machine.
Required? true
Position? 0
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SequenceVersion <String>
Specifies the sequence number of the encryption operation for a virtual machine. This is unique for each encryption operation performed on
the same virtual machine. The Get-AzureRmVMExtension cmdlet can be used to retrieve the previous sequence number that was used.
Required? false
Position? 10
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-SkipVmBackup [<SwitchParameter>]
Skips backup creation for Linux VMs.
Required? false
Position? 15
Default value False
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-TypeHandlerVersion <String>
Specifies the version of the encryption extension.
Required? false
Position? 11
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-VMName <String>
Specifies the name of the virtual machine.
Required? true
Position? 1
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-VolumeType <String>
Specifies the type of virtual machine volumes on which to perform the encryption operation. Allowed values for virtual machines that run the
Windows operating system are All, OS, and Data. The only allowed value for Linux virtual machines is Data.
Required? false
Position? 9
Default value None
Accept pipeline input? True (ByPropertyName)
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompts you for confirmation before running the cmdlet.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Required? false
Position? named
Default value False
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
This cmdlet does not accept any input.
OUTPUTS
Microsoft.Azure.Commands.Compute.Models.PSAzureOperationResponse
NOTES
Example 1: Enable encryption using Azure AD client ID and client secret
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"
$VaultName = "MyKeyVault"
# Resolve the vault URL and resource ID that the extension writes the disk encryption keys to
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret `
    -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
This example enables encryption using an Azure AD client ID and client secret.
Example 2: Enable encryption using Azure AD client ID and client certificate thumbprint
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
# The KeyVault must have the enabledForDiskEncryption property set on it
$VaultName = "MyKeyVault"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
# Create the Azure AD application and associate the certificate with it
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$KeyValue = [System.Convert]::ToBase64String($Cert.GetRawCertData())
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" `
    -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert
$ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId
$AADClientID = $AzureAdApplication.ApplicationId
$AADClientCertThumbprint = $Cert.Thumbprint
# Upload the pfx to KeyVault as a secret, in the JSON envelope that Add-AzureRmVMSecret expects
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
$JSONObject = @"
{
"data" : "$FileContentEncoded",
"dataType" : "pfx",
"password" : "$CertPassword"
}
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
$JSONEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)
$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret
# Allow the platform to read the secret when it is deployed to the VM
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment
# Deploy the certificate into the VM's local computer "My" certificate store
$CertUrl = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzureRmVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzureRmVM -VM $VM -ResourceGroupName $RGName
# Enable encryption on the virtual machine using the Azure AD client ID and client certificate thumbprint
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint `
    -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
This example enables encryption using an Azure AD client ID and client certificate thumbprint.
Example 3: Enable encryption using Azure AD client ID, client secret, and wrap the disk encryption key by using a key encryption key
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"
$VaultName = "MyKeyVault"
$KEKName = "MyKEK"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
# Create the key encryption key (KEK) in the vault; its kid is the full versioned URL the extension requires
$KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret `
    -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $KeyVaultResourceId
This example enables encryption using an Azure AD client ID and client secret, and wraps the disk encryption key by using the key encryption key.
Example 4: Enable encryption using Azure AD client ID, client certificate thumbprint, and wrap the disk encryption key by using a key encryption key
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
# The KeyVault must have the enabledForDiskEncryption property set on it
$VaultName = "MyKeyVault"
$KEKName = "MyKEK"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
# Create the key encryption key (KEK) in the vault; its kid is the full versioned URL the extension requires
$KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid
# Create the Azure AD application and associate the certificate with it
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$KeyValue = [System.Convert]::ToBase64String($Cert.GetRawCertData())
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" `
    -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert
$ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId
$AADClientID = $AzureAdApplication.ApplicationId
$AADClientCertThumbprint = $Cert.Thumbprint
# Upload the pfx to KeyVault as a secret, in the JSON envelope that Add-AzureRmVMSecret expects
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = Get-Content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
$JSONObject = @"
{
"data" : "$FileContentEncoded",
"dataType" : "pfx",
"password" : "$CertPassword"
}
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
$JSONEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)
$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret
# Allow the platform to read the secret when it is deployed to the VM
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment
# Deploy the certificate into the VM's local computer "My" certificate store
$CertUrl = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzureRmVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzureRmVM -VM $VM -ResourceGroupName $RGName
# Enable encryption using the Azure AD client ID and client certificate thumbprint, wrapping the disk encryption key with the KEK
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint `
    -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $KeyVaultResourceId
This example enables encryption using an Azure AD client ID and client certificate thumbprint, and wraps the disk encryption key by using the key encryption key.
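As an added example that is not part of the cmdlet's own help, the following wrapper applies the constraints stated on this page in one place: it picks -VolumeType from the VM's OS type (Windows allows All, Linux allows Data only), derives -SequenceVersion from the extension already on the VM via Get-AzureRmVMExtension, requests RSA-OAEP wrapping when a key encryption key URL is given, and reads Get-AzureRmVMDiskEncryptionStatus afterwards to verify what the extension reports. The function name is hypothetical; the "SequenceVersion" key in the existing extension's public settings and the status strings "Encrypted" and "NoDiskFound" are assumptions about the extension's reported values.

```powershell
function Enable-VmDiskEncryptionChecked {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $AadClientID,
        [Parameter(Mandatory)] [string] $AadClientSecret,
        [Parameter(Mandatory)] [string] $DiskEncryptionKeyVaultUrl,
        [Parameter(Mandatory)] [string] $DiskEncryptionKeyVaultId,
        # Optional: full versioned URL of a key encryption key (KEK) in the same vault
        [string] $KeyEncryptionKeyUrl
    )

    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $osType = $vm.StorageProfile.OsDisk.OsType

    # VolumeType rule from the parameter help: Windows may encrypt OS and data volumes,
    # Linux only data volumes. The default extension name also depends on the OS.
    if ($osType -eq 'Windows') {
        $volumeType    = 'All'
        $extensionName = 'AzureDiskEncryption'
    } else {
        $volumeType    = 'Data'
        $extensionName = 'AzureDiskEncryptionForLinux'
    }

    # SequenceVersion must be unique per encryption operation on the same VM. Start at 1
    # and increment from the previous run if the extension is already installed.
    # Assumption: the previous value is stored under "SequenceVersion" in the public settings.
    $sequenceVersion = '1'
    $existing = Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -Name $extensionName -ErrorAction SilentlyContinue
    if ($existing -and $existing.PublicSettings) {
        $settings = $existing.PublicSettings | ConvertFrom-Json
        if ($settings.SequenceVersion) {
            $sequenceVersion = ([int]$settings.SequenceVersion + 1).ToString()
        }
    }

    $params = @{
        ResourceGroupName         = $ResourceGroupName
        VMName                    = $VMName
        AadClientID               = $AadClientID
        AadClientSecret           = $AadClientSecret
        DiskEncryptionKeyVaultUrl = $DiskEncryptionKeyVaultUrl
        DiskEncryptionKeyVaultId  = $DiskEncryptionKeyVaultId
        VolumeType                = $volumeType
        SequenceVersion           = $sequenceVersion
    }
    if ($KeyEncryptionKeyUrl) {
        # Wrap the disk encryption key with the KEK. RSA-OAEP is the cmdlet's default and is
        # the padding to prefer over RSA1_5.
        $params['KeyEncryptionKeyUrl']     = $KeyEncryptionKeyUrl
        $params['KeyEncryptionKeyVaultId'] = $DiskEncryptionKeyVaultId
        $params['KeyEncryptionAlgorithm']  = 'RSA-OAEP'
    }

    # Enabling encryption restarts the VM, so confirm once here (honouring -WhatIf/-Confirm)
    # and then pass -Force so the inner cmdlet does not prompt a second time.
    if (-not $PSCmdlet.ShouldProcess($VMName, "Enable Azure Disk Encryption ($volumeType volumes)")) {
        return
    }
    Set-AzureRmVMDiskEncryptionExtension @params -Force | Out-Null

    # Verify: read back what the extension reports rather than trusting the call's return.
    $status = Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    $osOk   = ($osType -ne 'Windows') -or ("$($status.OsVolumeEncrypted)" -eq 'Encrypted')
    $dataOk = "$($status.DataVolumesEncrypted)" -in @('Encrypted', 'NoDiskFound')

    [pscustomobject]@{
        VMName               = $VMName
        OsType               = "$osType"
        VolumeType           = $volumeType
        SequenceVersion      = $sequenceVersion
        OsVolumeEncrypted    = "$($status.OsVolumeEncrypted)"
        DataVolumesEncrypted = "$($status.DataVolumesEncrypted)"
        Verified             = ($osOk -and $dataOk)
    }
}
```

If Verified comes back $false with an in-progress or restart-pending status, re-run Get-AzureRmVMDiskEncryptionStatus once the VM has restarted before treating the operation as failed.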
RELATED LINKS
Online Version: https://docs.microsoft.com/en-us/powers ... nextension
Add-AzureRmVMSecret
Get-AzureRmVMDiskEncryptionStatus
Remove-AzureRmVMDiskEncryptionExtension