01 Run the keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault that will hold the generated disk encryption key. Make sure that the --enabled-for-disk-encryption parameter is set to true so that the vault can be used for VM disk encryption:
az keyvault create \
  --name cc-disk-encryption-vault \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --enable-soft-delete true \
  --enable-purge-protection true \
  --enabled-for-disk-encryption true
02 The command output should return the configuration metadata for the newly created Azure Key Vault:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-disk-encryption-vault",
  "location": "westeurope",
  "name": "cc-disk-encryption-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-disk-encryption-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}
03 Run the vm encryption enable command (Windows/macOS/Linux), using the ID of the Azure virtual machine that you want to reconfigure as the identifier parameter (see the Audit section, part II, to identify the right VM), to enable encryption at rest for the boot (OS) disk volume attached to the selected Azure virtual machine (VM):
az vm encryption enable \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server" \
  --disk-encryption-keyvault cc-disk-encryption-vault \
  --volume-type OS
04 The command output should return a confirmation message, such as:
The encryption request was accepted. Please use 'show' command to monitor the progress.
05 Run the vm encryption show command (Windows/macOS/Linux) again, using the ID of the reconfigured virtual machine (VM) as the identifier parameter, to confirm that the encryption process has completed by listing the encryption configuration of the boot disk volume encrypted at the previous steps:
az vm encryption show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server"
06 The command output should return the disk volume encryption configuration information. The disk status code EncryptionState/encrypted confirms that the boot disk is encrypted; while the extension substatus message still reports EncryptionInProgress, the encryption job is still running, so re-run the command until it no longer does:
{
  "disks": [
    {
      "encryptionSettings": [
        {
          "diskEncryptionKey": {
            "sourceVault": {
              "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.KeyVault/vaults/cc-disk-encryption-vault"
            }
          },
          "enabled": true,
          "keyEncryptionKey": null
        }
      ],
      "name": "cc-project5-main-server_disk1_abcdabcd1234abcd1234abcd1234abcd",
      "statuses": [
        {
          "code": "EncryptionState/encrypted",
          "displayStatus": "Encryption is enabled on disk",
          "level": "Info",
          "message": null,
          "time": null
        }
      ]
    }
  ],
  "status": [
    {
      "code": "ProvisioningState/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "OS disk encryption started",
      "time": null
    }
  ],
  "substatus": [
    {
      "code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/succeeded",
      "displayStatus": "Provisioning succeeded",
      "level": "Info",
      "message": "{\"os\": \"EncryptionInProgress\", \"data\": \"NotMounted\"}",
      "time": null
    }
  ]
}
07 Repeat steps no. 3 – 6 for every Azure virtual machine (VM) available in the current subscription.
08 Repeat steps no. 1 – 7 for each subscription created within your Microsoft Azure cloud account.
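A scripted version of steps 1 to 8, added here as an example; it is not code from the original page or from the Azure CLI project. It assumes the az CLI is installed and signed in to an account that can see every target subscription, reuses the page's sample vault name, resource group and location as overridable environment variables (Key Vault names are globally unique, so change VAULT_NAME if it is already taken), and goes one step beyond the page by polling the show command until the extension substatus no longer reports EncryptionInProgress. The --apply flag, the function names and the three sample JSON strings (trimmed, constructed versions of the step 6 output) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: drive the az CLI commands from
# steps 1-8 over every subscription and VM, then poll 'az vm encryption show'
# until the OS disk reports as encrypted. Nothing touches Azure unless --apply
# is given; without it the script only self-checks the output parser.
set -eu

VAULT_NAME="${VAULT_NAME:-cc-disk-encryption-vault}"           # assumed placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-cloud-shell-storage-westeurope}"
LOCATION="${LOCATION:-westeurope}"
POLL_SECONDS="${POLL_SECONDS:-60}"
MAX_POLLS="${MAX_POLLS:-30}"

# Classify the JSON printed by 'az vm encryption show' (passed as one string).
# Prints: encrypted   - disk status is EncryptionState/encrypted and the extension
#                       substatus no longer reports EncryptionInProgress
#         in-progress - disk already flagged encrypted but the extension is still working
#         unencrypted - anything else
# Uses only grep so it also runs where jq is not installed.
os_disk_state() {
  json="$1"
  if ! printf '%s\n' "$json" | grep -q '"code": *"EncryptionState/encrypted"'; then
    echo unencrypted
  elif printf '%s\n' "$json" | grep -q 'EncryptionInProgress'; then
    echo in-progress
  else
    echo encrypted
  fi
}

# Step 1: a Key Vault enabled for disk encryption in the given subscription.
ensure_vault() {
  sub="$1"
  az keyvault create --subscription "$sub" \
    --name "$VAULT_NAME" \
    --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" \
    --enable-soft-delete true \
    --enable-purge-protection true \
    --enabled-for-disk-encryption true >/dev/null
}

# Steps 3-6: enable OS-volume encryption, then poll until the disk is encrypted.
# The VM resource id already carries the subscription, so --ids is enough here.
encrypt_and_verify() {
  vm_id="$1"
  az vm encryption enable --ids "$vm_id" \
    --disk-encryption-keyvault "$VAULT_NAME" --volume-type OS >/dev/null
  n=0
  while [ "$n" -lt "$MAX_POLLS" ]; do
    state=$(os_disk_state "$(az vm encryption show --ids "$vm_id" -o json)")
    if [ "$state" = encrypted ]; then
      echo "$vm_id: encrypted"
      return 0
    fi
    echo "$vm_id: $state, retrying in ${POLL_SECONDS}s"
    sleep "$POLL_SECONDS"
    n=$((n + 1))
  done
  echo "$vm_id: encryption did not complete after $MAX_POLLS polls" >&2
  return 1
}

# Steps 7-8: every VM in every subscription the signed-in account can see.
remediate_all() {
  for sub in $(az account list --query "[].id" -o tsv); do
    ensure_vault "$sub"
    for vm_id in $(az vm list --subscription "$sub" --query "[].id" -o tsv); do
      encrypt_and_verify "$vm_id" || echo "FAILED: $vm_id" >&2
    done
  done
}

# Constructed sample outputs for offline checking of os_disk_state: trimmed
# versions of the step 6 output, not real az responses.
SAMPLE_IN_PROGRESS='{"disks":[{"statuses":[{"code": "EncryptionState/encrypted"}]}],
"substatus":[{"message": "{\"os\": \"EncryptionInProgress\", \"data\": \"NotMounted\"}"}]}'
SAMPLE_DONE='{"disks":[{"statuses":[{"code": "EncryptionState/encrypted"}]}],
"substatus":[{"message": "{\"os\": \"Encrypted\", \"data\": \"NotMounted\"}"}]}'
SAMPLE_PLAIN='{"disks":[{"encryptionSettings": null,"statuses":[{"code": "EncryptionState/notEncrypted"}]}]}'

if [ "${1:-}" = "--apply" ]; then
  remediate_all
else
  echo "in-progress sample -> $(os_disk_state "$SAMPLE_IN_PROGRESS")"
  echo "done sample        -> $(os_disk_state "$SAMPLE_DONE")"
  echo "plain sample       -> $(os_disk_state "$SAMPLE_PLAIN")"
fi
```

Run it without arguments first to see how the parser classifies the three samples (the page's own step 6 output classifies as in-progress, which is why the loop keeps polling), then with --apply to remediate. Tune POLL_SECONDS and MAX_POLLS to the size of your OS disks; a large disk can take well over the default 30 minutes.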