Azure disk encryption

src/Common/Commands.Common.Storage/Commands.Common.Storage.csproj

@@ -67,6 +67,10 @@
       <HintPath>..\..\packages\Microsoft.Azure.KeyVault.Core.1.0.0\lib\net40\Microsoft.Azure.KeyVault.Core.dll</HintPath>
       <Private>True</Private>
     </Reference>
+    <Reference Include="Microsoft.Azure.Management.Compute">
+      <HintPath>..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="Microsoft.Azure.Management.Storage, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\packages\Microsoft.Azure.Management.Storage.2.4.0-preview\lib\net40\Microsoft.Azure.Management.Storage.dll</HintPath>
       <Private>True</Private>

src/Common/Commands.Common.Storage/packages.config

@@ -5,6 +5,7 @@
   <package id="Microsoft.Azure.Common.Authentication" version="1.3.5-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
   <package id="Microsoft.Azure.KeyVault.Core" version="1.0.0" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Compute" version="9.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.7-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Storage" version="2.4.0-preview" targetFramework="net45" />
   <package id="Microsoft.Bcl" version="1.1.9" targetFramework="net45" />

src/Common/Commands.Common/Commands.Common.csproj

@@ -70,6 +70,10 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\packages\Microsoft.Azure.Common.2.1.0\lib\net45\Microsoft.Azure.Common.NetFramework.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.Azure.Management.Compute">
+      <HintPath>..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\packages\Microsoft.Azure.Management.Resources.2.18.7-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>

src/Common/Commands.Common/packages.config

@@ -6,6 +6,7 @@
   <package id="Microsoft.Azure.Common" version="2.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Authentication" version="1.3.5-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Compute" version="9.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.7-preview" targetFramework="net45" />
   <package id="Microsoft.Bcl" version="1.1.9" targetFramework="net45" />
   <package id="Microsoft.Bcl.Async" version="1.0.168" targetFramework="net45" />

src/Common/Storage/Commands.Storage/Commands.Storage.csproj

@@ -61,6 +61,10 @@
       <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.Core.1.0.0\lib\net40\Microsoft.Azure.KeyVault.Core.dll</HintPath>
       <Private>True</Private>
     </Reference>
+    <Reference Include="Microsoft.Azure.Management.Compute">
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Resources.2.18.7-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>

src/Common/Storage/Commands.Storage/packages.config

@@ -5,6 +5,7 @@
   <package id="Microsoft.Azure.Common.Authentication" version="1.3.5-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
   <package id="Microsoft.Azure.KeyVault.Core" version="1.0.0" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Compute" version="9.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.7-preview" targetFramework="net45" />
   <package id="Microsoft.Bcl" version="1.1.9" targetFramework="net45" />
   <package id="Microsoft.Bcl.Async" version="1.0.168" targetFramework="net45" />

src/ResourceManager/Common/Commands.ResourceManager.Common/Commands.ResourceManager.Common.csproj

@@ -68,6 +68,10 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Common.2.1.0\lib\net45\Microsoft.Azure.Common.NetFramework.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.Azure.Management.Compute">
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="Microsoft.IdentityModel.Clients.ActiveDirectory">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.IdentityModel.Clients.ActiveDirectory.2.18.206251556\lib\net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll</HintPath>

src/ResourceManager/Common/Commands.ResourceManager.Common/packages.config

@@ -6,6 +6,7 @@
   <package id="Microsoft.Azure.Common" version="2.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Authentication" version="1.3.5-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Compute" version="9.1.0" targetFramework="net45" />
   <package id="Microsoft.Bcl" version="1.1.9" targetFramework="net45" />
   <package id="Microsoft.Bcl.Async" version="1.0.168" targetFramework="net45" />
   <package id="Microsoft.Bcl.Build" version="1.0.14" targetFramework="net45" />

src/ResourceManager/Common/Commands.ScenarioTests.ResourceManager.Common/Commands.ScenarioTests.ResourceManager.Common.csproj

@@ -52,6 +52,10 @@
     <Reference Include="Microsoft.Azure.Common.NetFramework">
       <HintPath>..\..\..\packages\Microsoft.Azure.Common.2.1.0\lib\net45\Microsoft.Azure.Common.NetFramework.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.Azure.Management.Compute">
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Resources.2.18.7-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>

src/ResourceManager/Common/Commands.ScenarioTests.ResourceManager.Common/packages.config

@@ -4,6 +4,7 @@
   <package id="Microsoft.Azure.Common" version="2.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Authentication" version="1.3.5-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Compute" version="9.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.7-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Test.Framework" version="1.0.5772.15967-prerelease" targetFramework="net45" />
   <package id="Microsoft.Azure.Test.HttpRecorder" version="1.0.5772.15967-prerelease" targetFramework="net45" />

src/ResourceManager/Compute/Commands.Compute.Test/Commands.Compute.Test.csproj

@@ -69,6 +69,7 @@
     <Reference Include="Microsoft.Azure.Management.Compute, Version=9.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Network, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.cs

@@ -53,5 +53,13 @@ public void TestVirtualMachineAccessExtension()
         {
             ComputeTestController.NewInstance.RunPsTest("Test-VirtualMachineAccessExtension");
         }
+
+        [Fact(Skip = "TODO: only works for live mode")]
+        [Trait(Category.RunType, Category.LiveOnly)]
+        public void TestAzureDiskEncryptionExtension()
+        {
+            ComputeTestController.NewInstance.RunPsTest("Test-AzureDiskEncryptionExtension");
+        }
+
     }
 }

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1

@@ -790,3 +790,138 @@ function Test-VirtualMachineAccessExtension
         Clean-ResourceGroup $rgname
     }
 }
+
+<#
+.SYNOPSIS
+Test AzureDiskEncryption extension
+#>
+function Test-AzureDiskEncryptionExtension
+{
+    # This test should be run in Live mode only not in Playback mode
+	#Pre-requisites to be filled in before running this test. The AAD app should belong to the directory as the user running the test.
+    $aadClientID = "";
+	$aadClientSecret = "";
+	#Fill in VM admin user and password
+	$adminUser = "";
+	$adminPassword = "";
+
+	#Resource group variables
+	$rgName = "detestrg";
+	$loc = "South Central US";
+
+	#KeyVault config variables
+	$vaultName = "detestvault";
+	$kekName = "dstestkek";
+
+	#VM config variables
+	$vmName = "detestvm";
+	$vmsize = 'Standard_D2';
+	$imagePublisher = "MicrosoftWindowsServer";
+	$imageOffer = "WindowsServer";
+	$imageSku ="2012-R2-Datacenter";
+
+	#Storage config variables
+	$storageAccountName = "deteststore";
+	$stotype = 'Standard_LRS';
+	$vhdContainerName = "vhds";
+    $osDiskName = 'osdisk' + $vmName;
+	$dataDiskName = 'datadisk' + $vmName;
+    $osDiskCaching = 'ReadWrite';
+
+	#Network config variables
+	$vnetName = "detestvnet";
+	$subnetName = "detestsubnet";
+	$publicIpName = 'pubip' + $vmName;
+	$nicName = 'nic' + $vmName;
+
+
+	#Disk encryption variables
+	$keyEncryptionAlgorithm = "RSA-OAEP";
+	$volumeType = "All";
+
+    try
+    {
+        Login-AzureRmAccount;
+        # Create new resource group      
+        New-AzureRmResourceGroup -Name $rgname -Location $loc -Force;
+
+		# Create new KeyVault
+		$keyVault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname -Location $loc -Sku standard;
+		$keyVault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname
+		#set enabledForDiskEncryption
+        Write-Host 'Press go to https://resources.azure.com and set enabledForDiskEncryption flag on KeyVault. [ENTER] to continue or [CTRL-C] to abort...'
+        Read-Host
+		#set permissions to AAD app to write secrets and keys
+		Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all 
+		#create a key in KeyVault to use as Kek
+		$kek = Add-AzureKeyVaultKey -VaultName $vaultName -Name $kekName -Destination "Software"
+
+		$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
+		$keyVaultResourceId = $keyVault.ResourceId;
+		$keyEncryptionKeyUrl = $kek.Key.kid;
+
+        # VM Profile & Hardware   
+        $p = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize;
+
+        # NRP
+        $subnet = New-AzureRmVirtualNetworkSubnetConfig -Name ($subnetName) -AddressPrefix "10.0.0.0/24";
+        $vnet = New-AzureRmVirtualNetwork -Force -Name ($vnetName) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
+        $vnet = Get-AzureRmVirtualNetwork -Name ($vnetName) -ResourceGroupName $rgname;
+        $subnetId = $vnet.Subnets[0].Id;
+        $pubip = New-AzureRmPublicIpAddress -Force -Name ($publicIpName) -ResourceGroupName $rgname -Location $loc -AllocationMethod Dynamic -DomainNameLabel ($publicIpName);
+        $pubip = Get-AzureRmPublicIpAddress -Name ($publicIpName) -ResourceGroupName $rgname;
+        $pubipId = $pubip.Id;
+        $nic = New-AzureRmNetworkInterface -Force -Name ($nicName) -ResourceGroupName $rgname -Location $loc -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
+        $nic = Get-AzureRmNetworkInterface -Name ($nicName) -ResourceGroupName $rgname;
+        $nicId = $nic.Id;
+
+        $p = Add-AzureRmVMNetworkInterface -VM $p -Id $nicId;
+
+        # Storage Account (SA)
+        New-AzureRmStorageAccount -ResourceGroupName $rgname -Name $storageAccountName -Location $loc -Type $stotype;
+        $stokey = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgname -Name $storageAccountName).Key1;
+
+        $osDiskVhdUri = "https://$storageAccountName.blob.core.windows.net/$vhdContainerName/$osDiskName.vhd";
+        $dataDiskVhdUri = "https://$storageAccountName.blob.core.windows.net/$vhdContainerName/$dataDiskName.vhd";
+
+        $p = Set-AzureRmVMOSDisk -VM $p -Name $osDiskName -VhdUri $osDiskVhdUri -Caching $osDiskCaching -CreateOption FromImage;
+        $p = Add-AzureRmVMDataDisk -VM $p -Name $dataDiskName -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;
+
+        # OS & Image
+        $securePassword = ConvertTo-SecureString $adminPassword -AsPlainText -Force;
+        $cred = New-Object System.Management.Automation.PSCredential ($adminUser, $securePassword);
+        $computerName = $vmName;
+        $vhdContainer = "https://$storageAccountName.blob.core.windows.net/$vhdContainerName";
+
+        $p = Set-AzureRmVMOperatingSystem -VM $p -Windows -ComputerName $computerName -Credential $cred -ProvisionVMAgent;
+        $p = Set-AzureRmVMSourceImage -VM $p -PublisherName $imagePublisher -Offer $imageOffer -Skus $imageSku -Version "latest";
+
+
+        # Virtual Machine
+        New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
+
+		#Enable encryption on the VM
+        Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
+        #Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+        #Remove AzureDiskEncryption extension
+        Remove-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName;
+
+        #Remove the VM 
+        Remove-AzureRmVm -ResourceGroupName $rgname -Name $vmName -Force;
+
+        #Create a brand new VM using the same OS vhd encrypted above
+        $p.StorageProfile.ImageReference = $null;
+        $p.OSProfile = $null;
+        $p.StorageProfile.DataDisks = $null;
+        $p = Set-AzureRmVMOSDisk -VM $p -Name $p.StorageProfile.OSDisk.Name -VhdUri $p.StorageProfile.OSDisk.VirtualHardDisk.Uri -Caching ReadWrite -CreateOption attach -DiskEncryptionKeyUrl $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl -DiskEncryptionKeyVaultId $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.ReferenceUri -Windows;
+
+        New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
+
+    }
+    finally
+    {
+        # Cleanup
+        Remove-AzureRmResourceGroup -Name $rgname -Force;
+    }
+}

src/ResourceManager/Compute/Commands.Compute/Commands.Compute.csproj

@@ -204,6 +204,19 @@
     <Compile Include="ExtensionImages\GetAzureVMExtensionImageTypeCommand.cs" />
     <Compile Include="ExtensionImages\GetAzureVMExtensionImageCommand.cs" />
     <Compile Include="ExtensionImages\VirtualMachineExtensionImageBaseCmdlet.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionContext.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionProtectedSettings.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionPublicSettings.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\GetAzureDiskEncryptionStatus.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\RemoveAzureDiskEncryptionExtension.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\SetAzureDiskEncryptionExtension.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupExtensionUtil.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupException.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupExtensionProtectedSettings.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupExtensionPublicSettings.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupConfig.cs" />
+    <Compile Include="Extension\AzureVMBackup\RemoveAzureVMBackup.cs" />
+    <Compile Include="Extension\AzureVMBackup\SetAzureVMBackupExtension.cs" />
     <Compile Include="Extension\CustomScript\GetAzureVMCustomScriptExtensionCommand.cs" />
     <Compile Include="Extension\CustomScript\CustomScriptExtensionPrivateSettings.cs" />
     <Compile Include="Extension\CustomScript\CustomScriptExtensionPublicSettings.cs" />
@@ -239,6 +252,7 @@
     <Compile Include="Extension\SqlServer\VirtualMachineSqlServerExtensionContext.cs" />
     <Compile Include="Images\GetAzureVMImageCommand.cs" />
     <Compile Include="Common\HashTableExtensions.cs" />
+    <Compile Include="Models\AzureDiskEncryptionStatusContext.cs" />
     <Compile Include="Models\PSComputeLongRunningOperation.cs" />
     <Compile Include="Models\PSOperation.cs" />
     <Compile Include="Extension\VMAccess\GetAzureVMAccessExtension.cs" />

src/ResourceManager/Compute/Commands.Compute/Common/ConstantStringTypes.cs

@@ -114,5 +114,14 @@ public static class ProfileNouns
 
         // Sql Server
         public const string VirtualMachineSqlServerExtension = "AzureRmVMSqlServerExtension";
+
+        //AzureDiskEncryption
+        public const string AzureDiskEncryptionExtension = "AzureRmVMDiskEncryptionExtension";
+        public const string AzureDiskEncryptionStatus = "AzureRmVMDiskEncryptionStatus";
+
+        //AzureVMBackup
+        public const string AzureVMBackup = "AzureRmVMBackup";
+        public const string AzureVMBackupExtension = "AzureRmVMBackupExtension";
+
     }
 }