
Commit b00c267

Update Set-AzureRmVMDiskEncryptionExtension.md
I happened to be testing a similar script and think I ran across a few small issues with the examples.

1. $KEKName not set in examples 3 & 4
2. New-AzureRmADApplication seems to use -CertValue rather than -KeyValue and -KeyType https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermadapplication?view=azurermps-5.7.0
3. Looks like the KEK bit is missing from Set-AzureRmVMDiskEncryptionExtension in Example 4 for cert + KEK.
1 parent e32b143 commit b00c267


1 file changed: +7 -5 lines changed


src/ResourceManager/Compute/Stack/Commands.Compute/help/Set-AzureRmVMDiskEncryptionExtension.md

Lines changed: 7 additions & 5 deletions
@@ -70,8 +70,8 @@ $KeyVaultResourceId = $KeyVault.ResourceId
7070
$CertPath = "C:\certificates\examplecert.pfx"
7171
$CertPassword = "Password"
7272
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
73-
$KeyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
74-
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert
73+
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
74+
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
7575
$ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId
7676
7777
$AADClientID = $AzureAdApplication.ApplicationId
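Review bot: the certificate object is created as `$Cert` on line 72, but the `$CertValue = ...` line (both before and after this change) reads it back as `$cert`; PowerShell variable names are case-insensitive so this runs, but a documentation example should use one spelling. Separately, `$CertPassword = "Password"` stays as a plaintext literal in the sample; an obvious placeholder or `Read-Host -AsSecureString` (the `X509Certificate2` constructor also accepts a SecureString) would stop readers from copying that pattern. The switch from `-KeyValue $KeyValue -KeyType AsymmetricX509Cert` to `-CertValue $CertValue` matches the parameter the commit message cites for this module version.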
@@ -121,6 +121,7 @@ $KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
121121
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
122122
$KeyVaultResourceId = $KeyVault.ResourceId
123123
124+
$KEKName = "MyKeyEncryptionKey"
124125
$KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
125126
$KeyEncryptionKeyUrl = $KEK.Key.kid
126127
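Review bot: the added `$KEKName = "MyKeyEncryptionKey"` supplies the variable that the unchanged `Add-AzureKeyVaultKey -Name $KEKName` line already depended on, so Example 3 no longer fails on an undefined variable. Worth a sentence in the surrounding text that `-Destination "Software"` creates a software-protected key; readers who need the key encryption key held in an HSM should use `-Destination "HSM"` on a Premium-tier vault.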
@@ -138,15 +139,16 @@ $VaultName= "MyKeyVault"
138139
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
139140
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
140141
$KeyVaultResourceId = $KeyVault.ResourceId
142+
$KEKName = "MyKeyEncryptionKey"
141143
$KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
142144
$KeyEncryptionKeyUrl = $KEK.Key.kid
143145
144146
# create Azure AD application and associate the certificate
145147
$CertPath = "C:\certificates\examplecert.pfx"
146148
$CertPassword = "Password"
147149
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
148-
$KeyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
149-
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert
150+
$CertValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
151+
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -CertValue $CertValue
150152
$ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId
151153
152154
$AADClientID = $AzureAdApplication.ApplicationId
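Review bot: this hunk applies the same two fixes to Example 4 that the earlier hunks apply to Example 3 (the missing `$KEKName` declaration and `-CertValue $CertValue` in place of `-KeyValue`/`-KeyType`), which keeps the two examples consistent. The same caveats apply here: `$Cert` is declared but `$cert` is read, and `$CertPassword = "Password"` is still a literal. Since the Azure AD application block is now duplicated verbatim between Examples 3 and 4, consider having one example reference the other so a future parameter rename only needs one edit.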
@@ -177,7 +179,7 @@ $VM = Add-AzureRmVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStor
177179
Update-AzureRmVM -VM $VM -ResourceGroupName $RGName
178180
179181
#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
180-
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
182+
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId
181183
```
182184

183185
This example enables encryption using Azure AD client ID, client cert thumbprint, and wrap disk encryption key by using key encryption key.
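Review bot: the `Set-AzureRmVMDiskEncryptionExtension` call now passes `-KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId`, which is what makes Example 4 actually wrap the disk encryption key with the KEK created earlier; before this change the KEK was created but never used. Three follow-ups: the comment line above it still reads "using Azure AD client ID and client cert thumbprint" and should mention the key encryption key; the call uses `$RGname` while the `Update-AzureRmVM` line two lines up uses `$RGName` (runs, but inconsistent); and `-KeyEncryptionKeyVaultId` reuses `$KeyVaultResourceId`, which is correct only because the KEK is created in the same vault as the disk encryption key, so the text should say that a KEK held in a separate vault needs that vault's resource id. The closing sentence "and wrap disk encryption key by using key encryption key" would read better as "and wraps the disk encryption key with a key encryption key".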
