If you want to use Azure Disk Encryption together with Azure Backup, you need to follow a couple of steps in addition to the standard encryption procedure.
The official documentation can be found below:
- Encrypt an Azure Virtual Machine: Please note this will only encrypt the machine with a BEK (BitLocker Encryption Key). This is not supported by Azure Backup.
- Azure Disk Encryption for Windows and Linux IaaS VMs: This procedure shows you how to enable and use a Key Encryption Key, which is what enables Azure Backup to work with BEK-encrypted machines.
How it works
There are two types of encryption keys to consider.
- BEK – BitLocker Encryption Key
- KEK – Key Encryption Key
The encryption service uses Key Vault to manage the secrets. To do this we need an application in Azure AD that has permissions (set by a Key Vault Access Policy) to operate inside the Key Vault.
This application is required whether you are using BEK only or setting up a KEK for Azure Backup support.
For KEK a Key must be imported or created in the Key Vault. You reference this key when running the commands.
Finally, the Backup Management Service needs permissions to access the Key Vault and the keys.
Please note: You will need a Key Vault before you can complete this procedure. The Key Vault must be in the same region as the VM that will be encrypted.
1. Set up an Azure AD Application
In Azure Active Directory, select App registrations and create a new app registration. Enter a Name, select Web app / API and assign a sign-on URL (you will not use this so a default entry is adequate).
Make a note of the Application ID, then create a Key for the application and take note of its value. Please note that the Key will only be displayed once, immediately after it is saved. After that it will be hidden.
2. Configure the permissions in the Key Vault for the new Azure AD Application
In the Key Vault set up an Access Policy for the new application.
Key Permissions need to be set to Wrap Key, Secret permissions to Set.
Image 4: Setting the Key Vault Access Policy for the Azure AD Application
3. Create a Key in Key Vault
This will be the key used to wrap the BEK, also known as the KEK.
Image 5: Creating the KEK
4. Set permissions for the Backup Management Service
Select Access Policies and from the template select Azure Backup. The principal will be Backup Management Service.
5. Under the Key Vault's Advanced access policies, tick "Enable access to Azure Disk Encryption for volume encryption".
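The portal steps 2 to 5 above can also be scripted, which is useful when the encryption command later fails with an access error and you want to confirm the vault is configured correctly. The following is an added example written for this post, not code from the original or from Microsoft's documentation. It assumes the Azure AD application from step 1 already exists, that the Key Vault already exists, that the AzureRM modules are loaded, and that the angle-bracket values are replaced with your own; the permission sets for the Backup Management Service are the ones the "Azure Backup" access policy template grants.

```powershell
# Added example: configure and verify the Key Vault prerequisites for
# Azure Disk Encryption with a KEK and Azure Backup. Angle-bracket values are
# placeholders; the AAD application (step 1) is assumed to exist already.
$RGName      = "<RESOURCE GROUP NAME>"
$VMName      = "<VM NAME>"
$VaultName   = "<KEY VAULT NAME>"
$KeyName     = "<KEY NAME>"
$AADClientID = "<AZURE AD APPLICATION ID>"

$vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$vm    = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName

# Prerequisite from the text: the vault and the VM must be in the same region.
if ($vault.Location -ne $vm.Location) {
    throw "Key Vault is in '$($vault.Location)' but the VM is in '$($vm.Location)'; they must match."
}

# Step 2: the application only needs to wrap the BEK and write it as a secret,
# so grant exactly Wrap Key on keys and Set on secrets (least privilege).
$appSp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AADClientID
if (-not $appSp) { throw "No service principal found for application $AADClientID" }
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $appSp.Id `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# Step 3: create the KEK if it does not exist yet (software-protected key).
if (-not (Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue)) {
    Add-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination Software | Out-Null
}

# Step 4: the Backup Management Service needs read/backup access to keys and secrets.
$backupSp = Get-AzureRmADServicePrincipal -SearchString "Backup Management Service" |
    Select-Object -First 1
if (-not $backupSp) { throw "Backup Management Service principal not found in this tenant" }
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $backupSp.Id `
    -PermissionsToKeys get,list,backup -PermissionsToSecrets get,list,backup

# Step 5: the "Enable access to Azure Disk Encryption for volume encryption" switch.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -EnabledForDiskEncryption

# Verify: re-read the vault and list anything still missing before encrypting.
$vault    = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$problems = @()
if (-not $vault.EnabledForDiskEncryption) { $problems += "volume encryption access is not enabled" }

$appPolicy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $appSp.Id }
if (-not $appPolicy -or
    -not ($appPolicy.PermissionsToKeys -contains 'wrapKey') -or
    -not ($appPolicy.PermissionsToSecrets -contains 'set')) {
    $problems += "application policy lacks wrapKey/set"
}

$bkPolicy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $backupSp.Id }
foreach ($perm in 'get', 'list', 'backup') {
    if (-not $bkPolicy -or
        -not ($bkPolicy.PermissionsToKeys -contains $perm) -or
        -not ($bkPolicy.PermissionsToSecrets -contains $perm)) {
        $problems += "Backup Management Service policy lacks '$perm'"
        break
    }
}

if ($problems) {
    throw "Key Vault '$VaultName' is not ready: $($problems -join '; ')"
}
Write-Output "Key Vault '$VaultName' is ready for Azure Disk Encryption with KEK and Azure Backup."
```

Run this before the encryption command below; after the extension has finished, Get-AzureRmVMDiskEncryptionStatus for the same resource group and VM reports the OS and data volume state and, in its encryption settings, the KEK URL that was used.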
PowerShell commands for an existing VM
# Values to fill in for your environment
$subscriptionName = "SUBSCRIPTION NAME"
$RGName = "RESOURCE GROUP NAME"
$VMName = "VM NAME"
$AADClientID = "AZURE AD APPLICATION ID"
$AADClientSecret = "AZURE AD APPLICATION SECRET"
$VaultName = "KEY VAULT NAME"
$keyName = "KEY NAME"

# Work in the subscription that holds the VM and the Key Vault
Select-AzureRmSubscription -SubscriptionName $subscriptionName

# Look up the KEK and the vault details the extension needs
$keyEncryptionKeyUri = Get-AzureKeyVaultKey -VaultName $VaultName -KeyName $keyName
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

# Enable encryption on the VM, wrapping the BEK with the KEK
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName `
    -AadClientID $AADClientID -AadClientSecret $AADClientSecret `
    -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUri.Id -KeyEncryptionKeyVaultId $KeyVaultResourceId
Disclaimer: Please note although I work for Microsoft the information provided here does not represent an official Microsoft position and is provided as is.