01 Run the keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault that will hold the generated disk encryption key. Make sure that you set the --enabled-for-disk-encryption parameter to true so the vault can be used for VM disk encryption:
az keyvault create \
--name cc-encryption-vault \
--resource-group cloud-shell-storage-westeurope \
--location westeurope \
--enable-soft-delete true \
--enable-purge-protection true \
--enabled-for-disk-encryption true
02 The command output should return the configuration metadata for the newly created Azure Key Vault:
{
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault",
"location": "westeurope",
"name": "cc-encryption-vault",
"properties": {
"accessPolicies": [
{
"applicationId": null,
"objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
"permissions": {
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover"
],
"keys": [
"get",
"create",
"delete",
"list",
"update",
"import",
"backup",
"restore",
"recover"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover"
],
"storage": [
"get",
"list",
"delete",
"set",
"update",
"regeneratekey",
"setsas",
"listsas",
"getsas",
"deletesas"
]
},
"tenantId": "abcdabcd-1234-1234-1234-abcd1234abcd"
}
],
"createMode": null,
"enablePurgeProtection": true,
"enableSoftDelete": true,
"enabledForDeployment": false,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"provisioningState": "Succeeded",
"sku": {
"name": "standard"
},
"tenantId": "abcdabcd-1234-1234-1234-abcd1234abcd",
"vaultUri": "https://cc-encryption-vault.vault.azure.net/"
},
"resourceGroup": "cloud-shell-storage-westeurope",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
03 Run the disk update command (Windows/macOS/Linux) with the ID of the detached Azure VM disk volume that you want to reconfigure as the identifier parameter (see the Audit section, part II, to identify the right resource) and the ID of the Azure Key Vault created in the previous steps as the configuration parameter, to enable encryption at rest for the selected unattached disk volume:
az disk update \
--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0" \
--set encryptionSettingsCollection.diskEncryptionKey="/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault" encryptionSettingsCollection.enabled=true
04 The command output should return the configuration metadata for the reconfigured Azure VM disk volume:
{
"creationData": {
"createOption": "Empty",
"imageReference": null,
"sourceResourceId": null,
"sourceUri": null,
"storageAccountId": null
},
"diskIopsReadWrite": 120,
"diskMbpsReadWrite": 25,
"diskSizeGb": 32,
"diskState": "Unattached",
"encryptionSettingsCollection": [
{
"diskEncryptionKey": {
"sourceVault": {
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-encryption-vault"
}
},
"enabled": true,
"keyEncryptionKey": null
}
],
"hyperVgeneration": null,
"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-warehouse-app_DataDisk_0",
"location": "westeurope",
"managedBy": null,
"name": "cc-warehouse-app_DataDisk_0",
"osType": null,
"provisioningState": "Succeeded",
"resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
"sku": {
"name": "StandardSSD_LRS",
"tier": "Standard"
},
"tags": {},
"timeCreated": "2019-09-10T11:31:24.276707+00:00",
"type": "Microsoft.Compute/disks",
"zones": [
"1"
]
}
05 Repeat steps no. 3 and 4 for each unencrypted Azure disk volume detached from a virtual machine that is available in the current subscription.
06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.
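The per-disk loop that steps 3 to 5 describe, written as an added shell example (not code from the original page). It assumes a logged-in az CLI, KEY_VAULT_ID set to the vault ID returned in step 2, that the JMESPath projection on `encryptionSettingsCollection.enabled` matches the CLI output shape, and that AZ may be overridden to substitute a stub for the CLI.

```shell
#!/bin/sh
# Added example, not from the original page: steps 3 to 5 in one pass, i.e.
# apply the step 3 update to every unattached, unencrypted managed disk in the
# current subscription. Assumes a logged-in az CLI, KEY_VAULT_ID set to the vault
# ID returned in step 2 (same subscription and region as the disks), and that AZ
# may be overridden to substitute a stub for the CLI.
AZ="${AZ:-az}"
KEY_VAULT_ID="${KEY_VAULT_ID:-/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/cc-encryption-vault}"
tab="$(printf '\t')"

# One "id<TAB>diskState<TAB>encryptionEnabled" line per managed disk. The
# JMESPath projection is an assumption about the az output: it reads the same
# encryptionSettingsCollection.enabled property that step 3 sets, which is
# empty/None for a disk that has never had encryption settings.
list_disks() {
    "$AZ" disk list -o tsv \
        --query "[].[id, diskState, encryptionSettingsCollection.enabled]"
}

# Filter list_disks output (stdin) to the IDs that still need remediation:
# Unattached, and anything other than the literal "true" counts as unencrypted.
select_targets() {
    while IFS="$tab" read -r id state enabled; do
        [ -n "$id" ] || continue
        if [ "$state" = "Unattached" ] && [ "$enabled" != "true" ]; then
            printf '%s\n' "$id"
        fi
    done
}

# Step 3 for one disk: point its disk-encryption key at the vault and enable
# the encryption settings on the detached volume.
update_disk() {
    "$AZ" disk update --ids "$1" --set \
        "encryptionSettingsCollection.diskEncryptionKey=$KEY_VAULT_ID" \
        "encryptionSettingsCollection.enabled=true"
}

# Steps 3 to 5: remediate every matching disk; non-zero if any update failed,
# so a scheduled job can flag the subscription for follow-up.
remediate_subscription() {
    rc=0
    for id in $(list_disks | select_targets); do
        update_disk "$id" || rc=1
    done
    return "$rc"
}
```

Source the file and call remediate_subscription once per subscription after repeating steps 1 and 2 there; AZ=echo with update_disk prints the exact command for one disk without executing it.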