Update Set-AzureRmVMDiskEncryptionExtension.md #3596

Merged
merged 1 commit into from
Mar 11, 2017
Expand Up @@ -41,129 +41,141 @@ It is advised that you save your work on the virtual machine before you run this

### Example 1: Enable encryption using Azure AD Client ID and Client Secret
```
PS C:\>$RGName = "MyResourceGroup";
PS C:\> $VMName = "MyTestVM";
PS C:\> $AADClientID = "<clientID of your Azure AD app>";
PS C:\> $AADClientSecret = "<clientSecret of your Azure AD app>";
PS C:\> $VaultName= "MyKeyVault";
PS C:\> $KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName;
PS C:\> $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
PS C:\> $KeyVaultResourceId = $KeyVault.ResourceId;
PS C:\> Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId ;
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"
$VaultName= "MyKeyVault"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
```

This example enables encryption using Azure AD client ID, and client secret.

### Example 2: Enable encryption using Azure AD client ID and client certification thumbprint
```
PS C:\>$RGName = "MyResourceGroup";
PS C:\> $VMName = "MyTestVM";
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
PS C:\> $VaultName= "MyKeyVault";
PS C:\> $KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName;
PS C:\> $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
PS C:\> $KeyVaultResourceId = $KeyVault.ResourceId;
$VaultName= "MyKeyVault"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

# create Azure AD application and associate the certificate
PS C:\> $CertPath = "C:\certificates\examplecert.pfx";
PS C:\> $CertPassword = "Password";
PS C:\> $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword);
PS C:\> $KeyValue = [System.Convert]::ToBase64String($cert.GetRawCertData());
PS C:\> $AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert ;
PS C:\> $ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId;
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$KeyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert
$ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

PS C:\> $AADClientID = $AzureAdApplication.ApplicationId;
PS C:\> $aadClientCertThumbprint= $cert.Thumbprint;
$AADClientID = $AzureAdApplication.ApplicationId
$aadClientCertThumbprint= $cert.Thumbprint

#Upload pfx to KeyVault
PS C:\> $KeyVaultSecretName = "MyAADCert';
PS C:\> $FileContentBytes = get-content $CertPath -Encoding Byte;
PS C:\> $FileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes);
PS C:\> $JSONObject = @" { "data": "$filecontentencoded", "dataType" :"pfx", "password": "$CertPassword" } "@ ;
PS C:\> $JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject);
PS C:\> $JSONEncoded = [System.Convert]::ToBase64String($jsonObjectBytes);

PS C:\> $Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force;
PS C:\> Set-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret;
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment;
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = get-content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)
$JSONObject = @"
{
"data" : "$filecontentencoded",
"dataType" : "pfx",
"password" : "$CertPassword"
}
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($jsonObject)
$JSONEncoded = [System.Convert]::ToBase64String($jsonObjectBytes)

$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment

#deploy cert to VM
PS C:\> $CertUrl = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$CertUrl = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
PS C:\> $VM = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
PS C:\> $VM = Add-AzureRmVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
PS C:\> Update-AzureRmVM -VM $VM -ResourceGroupName $RGName
$VM = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzureRmVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzureRmVM -VM $VM -ResourceGroupName $RGName

#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
PS C:\> Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId ;
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
```

This example enables encryption using Azure AD client ID and client certification thumbprints.

### Example 3: Enable encryption using Azure AD client ID, client secret, and wrap disk encryption key by using key encryption key
```
PS C:\>$RGName = "MyResourceGroup";
PS C:\> $VMName = "MyTestVM";
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"

PS C:\> $AADClientID = "<clientID of your Azure AD app>";
PS C:\> $AADClientSecret = "<clientSecret of your Azure AD app>";
$AADClientID = "<clientID of your Azure AD app>"
$AADClientSecret = "<clientSecret of your Azure AD app>"

PS C:\> $VaultName= "MyKeyVault";
PS C:\> $KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName;
PS C:\> $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
PS C:\> $KeyVaultResourceId = $KeyVault.ResourceId;
$VaultName= "MyKeyVault"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

PS C:\> $KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
PS C:\> $KeyEncryptionKeyUrl = $KEK.Key.kid;
$KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid

PS C:\> Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId;
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId
```

This example enables encryption using Azure AD client ID, client secret, and wrap disk encryption key by using the key encryption key.

### Example 4: Enable encryption using Azure AD client ID, client cert thumbprint, and wrap disk encryptionkey by using key encryption key
```
PS C:\>$RGName = "MyResourceGroup";
PS C:\> $VMName = "MyTestVM";
$RGName = "MyResourceGroup"
$VMName = "MyTestVM"
#The KeyVault must have enabledForDiskEncryption property set on it
PS C:\> $VaultName= "MyKeyVault";
PS C:\> $KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName;
PS C:\> $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
PS C:\> $KeyVaultResourceId = $KeyVault.ResourceId;
PS C:\> $KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
PS C:\> $KeyEncryptionKeyUrl = $KEK.Key.kid;

PS C:\> # create Azure AD application and associate the certificate
PS C:\> $CertPath = "C:\certificates\examplecert.pfx";
PS C:\> $CertPassword = "Password";
PS C:\> $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword);
PS C:\> $KeyValue = [System.Convert]::ToBase64String($cert.GetRawCertData());
PS C:\> $AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert ;
PS C:\> $ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId;

PS C:\> $AADClientID = $AzureAdApplication.ApplicationId;
PS C:\> $AADClientCertThumbprint= $Cert.Thumbprint;
$VaultName= "MyKeyVault"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$KEK = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"
$KeyEncryptionKeyUrl = $KEK.Key.kid

# create Azure AD application and associate the certificate
$CertPath = "C:\certificates\examplecert.pfx"
$CertPassword = "Password"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPassword)
$KeyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$AzureAdApplication = New-AzureRmADApplication -DisplayName "<Your Application Display Name>" -HomePage "<https://YourApplicationHomePage>" -IdentifierUris "<https://YouApplicationUri>" -KeyValue $KeyValue -KeyType AsymmetricX509Cert
$ServicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $AzureAdApplication.ApplicationId

$AADClientID = $AzureAdApplication.ApplicationId
$AADClientCertThumbprint= $Cert.Thumbprint

#Upload pfx to KeyVault
PS C:\> $KeyVaultSecretName = "MyAADCert";
PS C:\> $FileContentBytes = get-content $CertPath -Encoding Byte;
PS C:\> $FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes);
$JSONObject = @" { "data": "$filecontentencoded", "dataType" :"pfx", "password": "$CertPassword" } "@ ;
PS C:\> $JSONObjectBytes =
[System.Text.Encoding]::UTF8.GetBytes($JSONObject);$jsonEncoded = [System.Convert]::ToBase64String($JSONObjectBytes);
PS C:\> $Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force;
PS C:\> Set-AzureKeyVaultSecret -VaultName $VaultName-Name $KeyVaultSecretName -SecretValue $Secret;
PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment;
$KeyVaultSecretName = "MyAADCert"
$FileContentBytes = get-content $CertPath -Encoding Byte
$FileContentEncoded = [System.Convert]::ToBase64String($FileContentBytes)
$JSONObject = @"
{
"data" : "$filecontentencoded",
"dataType" : "pfx",
"password" : "$CertPassword"
}
"@
$JSONObjectBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONObject)
$JsonEncoded = [System.Convert]::ToBase64String($JSONObjectBytes)
$Secret = ConvertTo-SecureString -String $JSONEncoded -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $VaultName-Name $KeyVaultSecretName -SecretValue $Secret
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName -EnabledForDeployment

#deploy cert to VM
PS C:\> $CertUrl = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
PS C:\> $SourceVaultId = (Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
PS C:\> $VM = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
PS C:\> $VM = Add-AzureRmVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
PS C:\> Update-AzureRmVM -VM $VM -ResourceGroupName $RGName
$CertUrl = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName).Id
$SourceVaultId = (Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName).ResourceId
$VM = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
$VM = Add-AzureRmVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl
Update-AzureRmVM -VM $VM -ResourceGroupName $RGName

#Enable encryption on the virtual machine using Azure AD client ID and client cert thumbprint
PS C:\> Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId ;
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId
```

This example enables encryption using Azure AD client ID, client cert thumbprint, and wrap disk encryption key by using key encryption key.
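Review bot: the final call in Example 4 does not match its heading. The new block builds `$KeyEncryptionKeyUrl` from `$KEK.Key.kid`, but the closing `Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGname -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId` never passes `-KeyEncryptionKeyUrl $KeyEncryptionKeyUrl -KeyEncryptionKeyVaultId $KeyVaultResourceId` the way Example 3 does, so the disk encryption key is not wrapped with the KEK and the example demonstrates the same thing as Example 2. Add those two parameters to the Example 4 call. Two further problems survive the cleanup in the same hunk: the Example 4 line `Set-AzureKeyVaultSecret -VaultName $VaultName-Name $KeyVaultSecretName -SecretValue $Secret` still lacks the space before `-Name` (PowerShell treats `$VaultName-Name` as one argument with `-Name` appended to the vault name rather than as the `-Name` parameter); the Example 2 form `Set-AzureKeyVaultSecret -VaultName $VaultName -Name $KeyVaultSecretName -SecretValue $Secret` is the correct one. And Examples 3 and 4 both run `Add-AzureKeyVaultKey -VaultName $VaultName -Name $KEKName -Destination "Software"` without ever assigning `$KEKName`, so they fail as written; an assignment such as `$KEKName = "MyKeyEncryptionKey"` belongs before that line. Minor: the comment `#The KeyVault must have enabledForDiskEncryption property set on it` appears only in Examples 2 and 4 although the same vault is used in Examples 1 and 3, and Example 4 assigns `$JsonEncoded` but reads `$JSONEncoded` on the next line (harmless because variable names are case-insensitive, but worth aligning with Example 2).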