This project creates three VMs, each with a different disk encryption option:
- Customer-Managed Key for server-side encryption (CMK-SSE)
- Azure Disk Encryption (ADE)
- Encryption at Host
Create the .auto.tfvars configuration file:
location = "eastus"
vm_size = "Standard_B2ms"
Create the infrastructure:
terraform init
terraform apply -auto-approve
Server-side encryption is performed with the customer-managed key (CMK) that is created in the Key Vault.
Check the documentation for the extension. The installed extension does not support auto-update.
ℹ️ Note that ADE has a few restrictions on VM types and allocated memory. Check this before using it in production.
Terraform adds the AzureDiskEncryptionForLinux extension, which enables ADE on the VM.
Underlying encryption technology:
- Windows: BitLocker
- Linux: DM-Crypt + VFAT
Other restrictions:
- Basic and A-Series VMs are not supported
- Memory requirements (check the docs for Windows and Linux)
- Ephemeral disks are not currently supported
Encryption at Host cannot be combined with ADE and has other restrictions. Check this before using it in production.
To use Encryption at Host, the feature must first be registered on the subscription:
# Register
az feature register --name EncryptionAtHost --namespace Microsoft.Compute
# Propagate
az provider register -n Microsoft.Compute
# Confirm (registrationState should be Registered before applying)
az feature show --name EncryptionAtHost --namespace Microsoft.Compute
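As an added example that is not part of this project's code, the three encryption options expressed as Terraform resources; it goes beyond the one-option-per-VM layout above by pairing Encryption at Host with CMK-SSE on a single VM, which is a valid combination (ADE is not). Assumed hypothetical names: azurerm_resource_group.rg, azurerm_network_interface.nic, azurerm_key_vault.kv (created with enabled_for_disk_encryption = true), azurerm_key_vault_key.cmk, a second VM azurerm_linux_virtual_machine.vm_ade, and var.ssh_public_key; the Disk Encryption Set identity is assumed to already hold get/wrapKey/unwrapKey access to the key.

```hcl
# CMK-SSE: a Disk Encryption Set that wraps managed-disk keys with the Key Vault CMK.
resource "azurerm_disk_encryption_set" "des" {
  name                = "des-cmk"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  key_vault_key_id    = azurerm_key_vault_key.cmk.id   # versioned key URL
  identity { type = "SystemAssigned" }                  # needs key access in the vault (assumed)
}
# Encryption at Host together with CMK-SSE on one VM (valid pairing; ADE is not).
resource "azurerm_linux_virtual_machine" "vm_eah" {
  name                       = "vm-eah"
  location                   = var.location
  resource_group_name        = azurerm_resource_group.rg.name
  size                       = var.vm_size
  admin_username             = "azureuser"
  network_interface_ids      = [azurerm_network_interface.nic.id]   # hypothetical NIC
  encryption_at_host_enabled = true   # fails unless EncryptionAtHost is registered
  admin_ssh_key {
    username   = "azureuser"
    public_key = var.ssh_public_key   # hypothetical variable
  }
  os_disk {
    caching                = "ReadWrite"
    storage_account_type   = "Premium_LRS"
    disk_encryption_set_id = azurerm_disk_encryption_set.des.id   # CMK-SSE
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}
# ADE: guest-level DM-Crypt via the extension, on a separate VM (vm_ade) without Encryption at Host.
resource "azurerm_virtual_machine_extension" "ade" {
  name                 = "AzureDiskEncryptionForLinux"
  virtual_machine_id   = azurerm_linux_virtual_machine.vm_ade.id   # hypothetical second VM
  publisher            = "Microsoft.Azure.Security"
  type                 = "AzureDiskEncryptionForLinux"
  type_handler_version = "1.1"
  settings = jsonencode({
    EncryptionOperation    = "EnableEncryption"
    KeyVaultURL            = azurerm_key_vault.kv.vault_uri   # vault that stores the volume secret
    KeyVaultResourceId     = azurerm_key_vault.kv.id
    KeyEncryptionKeyURL    = azurerm_key_vault_key.cmk.id     # KEK that wraps the volume secret
    KekVaultResourceId     = azurerm_key_vault.kv.id
    KeyEncryptionAlgorithm = "RSA-OAEP"
    VolumeType             = "All"   # OS and data volumes
  })
}
```

After apply, `az vm encryption show` reports the ADE status per volume, and the VM's securityProfile shows whether Encryption at Host is enabled.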
Destroy the resources:
terraform destroy -auto-approve