ahmadmsft/ade-cli-getting-started
ade-cli-getting-started

This script makes it easier for anyone using the Azure CLI on Linux to enable Azure Disk Encryption (ADE) on Azure VMs by showing how to automate the creation of the necessary prerequisites (resource group, Key Vault, AAD application and service principal, client secret and certificate).

Operating environment

Important notes

Be aware that this script creates resources in your current default subscription. To avoid polluting the wrong subscription with these resources, first check that the correct subscription is selected:

azure account show

For tight control over how and where each disk encryption prerequisite will be created, several parameters are available. A detailed description of each parameter is available using the help option:

./adeprereq.sh --help 

Quick Start

If the subscription is correct, and ready for all prerequisites to be added, no parameters are required:

./adeprereq.sh

As the script executes it will output each resource that it has created and its identifier. It also logs these values in a uniquely named subdirectory for future use. To restore these values as environment variables, navigate into that directory and run the following command:

source ./ade_env.sh 

The prerequisite environment variables (all starting with the prefix ADE) are now available for use in bash. Various disk encryption scenarios can be experimented with.

Create a VM

One thing the script does not do for you is create a test VM to be encrypted. To continue with the scenarios below, create a VM that runs a supported operating system, is in the same region as the Key Vault ($ADE_LOCATION), and resides in the same resource group ($ADE_RG_NAME).

If you'd like, save the name of this VM into the following environment variable:

ADE_VM_NAME=your-new-vm-name-here

To enable disk encryption, a secret must be provided to the VM. This secret can be either a client secret (a password string) or an X.509 certificate; the enable-disk-encryption command accepts either one. The prerequisite script creates one of each so you can experiment with both scenarios, but you will use only one or the other when actually enabling disk encryption. Here are some example steps demonstrating both approaches using the values generated by the prerequisite script:

Client secret scenario

The client secret is a password string. It is stored as a file in the subfolder the script creates and can also be loaded into an environment variable that is passed as a parameter to the command. This means a plaintext secret sits on the administrative console, on disk and in the shell environment (and potentially in shell history). On throwaway test resources used for short-lived demonstrations or experimentation, this exposure may be acceptable; in a production environment it may not be. In either case, tight control over the creation, storage, and future access to this secret is warranted.

azure vm enable-disk-encryption --resource-group $ADE_RG_NAME --name $ADE_VM_NAME --aad-client-id $ADE_ADSP_APPID --aad-client-secret $ADE_ADAPP_SECRET --disk-encryption-key-vault-url $ADE_KV_URL --disk-encryption-key-vault-id $ADE_KV_ID --volume-type All

Self-signed certificate demo

In addition to client secret, this script creates a self-signed certificate within keyvault that is then deployed to the virtual machine. The virtue of this technique is that the secret is never handled by the administrator running the script, it is not stored on the administrative console, and it is only referred to by its thumbprint.

To enable encryption on remote VMs using certificates instead of client secrets, there are two main steps.

First, add the self-signed certificate that lives in keyvault to the VM that you are targeting. This is slightly different if the target is Windows or Linux.

# Windows target (includes the -t My option to designate the certificate store)
azure vm secret add -g $ADE_RG_NAME -n $ADE_VM_NAME -r $ADE_KV_ID -c $ADE_KV_CERT_SID -t My -s $ADE_SUBSCRIPTION_ID

# Linux target (no -t option required)
azure vm secret add -g $ADE_RG_NAME -n $ADE_VM_NAME -r $ADE_KV_ID -c $ADE_KV_CERT_SID -s $ADE_SUBSCRIPTION_ID

(note: targeting Windows may require using the most recent dev branch of the CLI to work properly)

Second, now that the certificate resides on the VM, disk encryption can be started in a way that only requires passing the thumbprint of that certificate (no secrets involved).

azure vm enable-disk-encryption --resource-group $ADE_RG_NAME --name $ADE_VM_NAME --aad-client-id $ADE_ADSP_APPID --aad-client-cert-thumbprint $ADE_KV_CERT_THUMB --disk-encryption-key-vault-url $ADE_KV_URL --disk-encryption-key-vault-id $ADE_KV_ID --volume-type All
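Both scenarios above rely on values sourced from ade_env.sh, and the client-secret scenario in particular leaves a plaintext secret on the administrative console. The following shell functions are an added example, not part of this repository or of the adeprereq.sh script: they check, before either enable-disk-encryption command is run, that the env file is readable only by its owner, that every ADE variable the command needs is set (printing names only, never values), and that the certificate thumbprint looks like a hex-encoded SHA-1 thumbprint. The file name ade_env.sh and the ADE_* variable names are taken from this README; the function names and the 40-hex-character thumbprint format are assumptions for illustration.

```shell
#!/bin/sh
# Added example for ade-cli-getting-started (not the project's own code).
# Run these checks after `source ./ade_env.sh` and before
# `azure vm enable-disk-encryption`. Function names are hypothetical.

# Return 0 if the env file is accessible by its owner only (mode x00), else 1.
# A group- or world-readable ade_env.sh hands ADE_ADAPP_SECRET to every other
# account on the administrative console.
ade_check_env_file() {
    f=$1
    [ -f "$f" ] || { echo "missing env file: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "insecure mode $mode on $f (expected owner-only, e.g. 600)" >&2
             return 1 ;;
    esac
}

# Return 0 if every named variable is set and non-empty, else 1.
# Only variable names are reported, so a secret never lands in a log.
ade_require_vars() {
    missing=""
    for name in "$@"; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "unset or empty:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if the value is a hex-encoded SHA-1 thumbprint (40 hex chars,
# no colons or spaces), which is the form --aad-client-cert-thumbprint takes.
# Assumption: the variable holds the thumbprint, not the certificate itself.
ade_check_thumbprint() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Variables both README scenarios need, plus the scenario-specific one.
ADE_COMMON_VARS="ADE_RG_NAME ADE_VM_NAME ADE_ADSP_APPID ADE_KV_URL ADE_KV_ID"

# Preflight for the client-secret scenario: env file mode + required variables.
ade_preflight_secret() {
    ade_check_env_file "${1:-./ade_env.sh}" || return 1
    ade_require_vars $ADE_COMMON_VARS ADE_ADAPP_SECRET
}

# Preflight for the certificate scenario: env file mode + variables + thumbprint.
ade_preflight_cert() {
    ade_check_env_file "${1:-./ade_env.sh}" || return 1
    ade_require_vars $ADE_COMMON_VARS ADE_KV_CERT_THUMB || return 1
    ade_check_thumbprint "$ADE_KV_CERT_THUMB" ||
        { echo "ADE_KV_CERT_THUMB is not a 40-hex-char thumbprint" >&2; return 1; }
}

# Constructed demonstration with a throwaway env file (no Azure calls made).
demo_dir=$(mktemp -d)
printf 'ADE_RG_NAME=demo-rg\n' > "$demo_dir/ade_env.sh"
chmod 600 "$demo_dir/ade_env.sh"
ade_check_env_file "$demo_dir/ade_env.sh" && echo "owner-only env file accepted"
chmod 644 "$demo_dir/ade_env.sh"
ade_check_env_file "$demo_dir/ade_env.sh" 2>/dev/null || echo "world-readable env file rejected"
rm -rf "$demo_dir"
```

Typical use is `ade_preflight_secret ./ade_env.sh && azure vm enable-disk-encryption ...` from inside the script's output subdirectory; a non-zero exit stops the command before a half-configured VM or an exposed secret results.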

More information
