Azure Disk Encryption ARM template for Windows VM

I had an article about a healthy Windows virtual machine in Azure and got feedback that the virtual machine should have disk encryption in place. That feedback is very valuable, and it drove me to do more research and add disk encryption support to the template.

In this article, let's look into the disk encryption extension construct a little bit, along with a few notes around bundling it into an ARM template.

For those who don't know about Azure Disk Encryption, this article is a very good start: https://azsec.azurewebsites.net/2017/08/11/protecting-your-azure-virtual-machine-with-disk-encryption/

If you work with Azure Security Center you will one-hundred-percent see OS disk encryption flagged in the virtual machine recommendations.

You can get rid of the flag either by enabling disk encryption or by turning off the policy in Azure Policy. This article is not going to recommend turning it off.

ARM Template Structure

Azure Disk Encryption can be enabled via Azure PowerShell or Azure CLI; that is normally seen in remediation. In a real-world scenario you would want the disk encryption process to be part of the virtual machine's creation. This is technically possible thanks to the Disk Encryption VM extension. Below is the sample extension schema for disk encryption for a Windows VM:

Previously, if you worked with the disk encryption extension you needed to supply an AAD application (aka service principal object). In the newer version (2.2) you only need to specify the key vault and the key used for encryption.
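As an added example (not the template from the original post), here is what a version 2.2 extension resource can look like inside a template's resources array. The parameter names vmName, keyVaultResourceId, keyEncryptionKeyUrl and sequenceVersion are assumptions, and the key vault and key are expected to exist already.

```json
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(parameters('vmName'), '/AzureDiskEncryption')]",
  "apiVersion": "2017-03-30",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "2.2",
    "autoUpgradeMinorVersion": true,
    "forceUpdateTag": "[parameters('sequenceVersion')]",
    "settings": {
      "EncryptionOperation": "EnableEncryption",
      "KeyVaultURL": "[reference(parameters('keyVaultResourceId'), '2016-10-01').vaultUri]",
      "KeyVaultResourceId": "[parameters('keyVaultResourceId')]",
      "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyUrl')]",
      "KekVaultResourceId": "[parameters('keyVaultResourceId')]",
      "KeyEncryptionAlgorithm": "RSA-OAEP",
      "VolumeType": "All",
      "ResizeOSDisk": false
    }
  }
}
```

Note that no AAD client ID or secret appears anywhere in settings: the key vault URL, its resource ID and the key encryption key URL are the only secrets-related inputs, and these are the values that end up in the extension's runtime settings file, so a malformed value here is the first thing to check when the deployment fails.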

Disk encryption support has been updated in the healthy Windows virtual machine template here.

Limitation

As of this writing, creating a key is not supported in Azure ARM templates, so you can't bundle key creation with the key vault creation in the template. You must create a key prior to supplying it to the disk encryption extension.

There seems to be a bug in the Azure Portal regarding the state of disk encryption. If you go to the virtual machine you can see both disks are encrypted. However, if you check the status using Azure PowerShell or go to Disks, it doesn't show up.

Both the OS and data disks are encrypted using BitLocker

Troubleshooting

Troubleshooting a disk encryption extension deployment can be time consuming and may leave you feeling hopeless. First, you need to know where to look for the extension log (C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.AzureDiskEncryption\{version}). BitlockerExtension.log gives you details of the sequential process the extension runs through before completing or throwing an exception.

Let's see an example from BitlockerExtension.log:

This kind of log looks ambiguous and may be frustrating until you know exactly what the function SendEncryptionSettingsToHost() does. After a bit of decompiling of the extension utility, here is what it does:

So the extension utility sends a POST request including the diskEncryptionData object to the Azure Instance Metadata Service at address 169.254.169.254. The function retries three times. So normally, if you encounter an HTTP request failure, chances are your request body (diskEncryptionData) is in a wrong format.

You can trace back to see what is constructed as the diskEncryptionData object. In fact, it is the value of the publicSettings property from the settings file located in C:\Packages\Plugins\Microsoft.Azure.Security.AzureDiskEncryption\2.2.0.19\RuntimeSettings.

When the deployment of the disk encryption extension starts, information is collected and written to the .settings file. You can check there whether the key vault ID reference and the other variables' values are correct.
