
epomatti/az-vm-disk-encryption


Azure VM Disk Encryption

This project will create three VMs, each with a different encryption customization:

  • Customer-Managed Key (CMK-SSE)
  • Azure Disk Encryption (ADE)
  • Encryption at Host

Create the .auto.tfvars configuration file:

location = "eastus"
vm_size  = "Standard_B2ms"

Create the infrastructure:

terraform init
terraform apply -auto-approve

Customer-Managed Key (CMK-SSE)

Server-side encryption of the managed disks will use the customer-managed key (CMK) that is created in Key Vault, via a disk encryption set.
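The following is an added example of what the CMK-SSE pieces look like in Terraform (azurerm provider); it is not this repository's own code. It assumes `var.location`, `var.vm_size`, an `azurerm_resource_group.rg` and an `azurerm_network_interface.cmk` already exist, and the resource names are made up for the example. The important part for security is the second access policy: the disk encryption set's own managed identity needs `Get`/`WrapKey`/`UnwrapKey` on the key, and nothing more, and the vault must have purge protection enabled so the key backing the disks cannot be permanently deleted out from under them.

```hcl
# Added example, not the project's code. Assumed: var.location, var.vm_size,
# azurerm_resource_group.rg and azurerm_network_interface.cmk exist.

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                     = "kv-cmk-example" # assumed, must be globally unique
  location                 = var.location
  resource_group_name      = azurerm_resource_group.rg.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "premium"
  purge_protection_enabled = true # required for keys used by disk encryption sets
}

# Policy for the identity running terraform apply: it creates and manages the key.
resource "azurerm_key_vault_access_policy" "operator" {
  key_vault_id    = azurerm_key_vault.kv.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = data.azurerm_client_config.current.object_id
  key_permissions = ["Create", "Get", "Delete", "List", "Purge", "Recover", "GetRotationPolicy"]
}

resource "azurerm_key_vault_key" "cmk" {
  name         = "disk-cmk"
  key_vault_id = azurerm_key_vault.kv.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
  depends_on   = [azurerm_key_vault_access_policy.operator]
}

resource "azurerm_disk_encryption_set" "des" {
  name                = "des-cmk"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  key_vault_key_id    = azurerm_key_vault_key.cmk.id

  identity {
    type = "SystemAssigned"
  }
}

# Least privilege: the encryption set's identity only needs to wrap/unwrap with the key.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id    = azurerm_key_vault.kv.id
  tenant_id       = azurerm_disk_encryption_set.des.identity[0].tenant_id
  object_id       = azurerm_disk_encryption_set.des.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_linux_virtual_machine" "cmk" {
  name                  = "vm-cmk"
  location              = var.location
  resource_group_name   = azurerm_resource_group.rg.name
  size                  = var.vm_size
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.cmk.id]

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_rsa.pub") # assumed path
  }

  os_disk {
    caching                = "ReadWrite"
    storage_account_type   = "Premium_LRS"
    disk_encryption_set_id = azurerm_disk_encryption_set.des.id # CMK-SSE for the OS disk
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }

  # The VM cannot attach a CMK-encrypted disk until the encryption set can use the key.
  depends_on = [azurerm_key_vault_access_policy.des]
}
```

Data disks get the same treatment by setting `disk_encryption_set_id` on `azurerm_managed_disk`. If the key is later rotated, the disk encryption set follows the new version only when it references the key's versionless ID with auto-rotation enabled; with the versioned `id` used above, rotation is a deliberate change to the encryption set.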

Azure Disk Encryption (ADE)

Check the documentation for the extension. The installed extension does not support auto-update.

ℹ️ Notice that ADE has a few restrictions on VM types and allocated memory. Check this for production.

Terraform will add the AzureDiskEncryptionForLinux extension and ADE will be enabled for the VM.
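As an added example (not this repository's code), this is how the AzureDiskEncryptionForLinux extension is declared in Terraform so that ADE is enabled with a key encryption key (KEK) from Key Vault. It assumes an `azurerm_linux_virtual_machine.ade`, an `azurerm_key_vault.kv` created with `enabled_for_disk_encryption = true`, and an RSA `azurerm_key_vault_key.kek` already exist; the extension version and setting names are the ones the Microsoft ADE extension documents.

```hcl
# Added example, not the project's code. Assumed: azurerm_linux_virtual_machine.ade,
# azurerm_key_vault.kv (enabled_for_disk_encryption = true) and azurerm_key_vault_key.kek.

resource "azurerm_virtual_machine_extension" "ade" {
  name                 = "AzureDiskEncryptionForLinux"
  virtual_machine_id   = azurerm_linux_virtual_machine.ade.id
  publisher            = "Microsoft.Azure.Security"
  type                 = "AzureDiskEncryptionForLinux"
  type_handler_version = "1.1"

  # The ADE extension does not support auto-update, so pin the handler version.
  auto_upgrade_minor_version = false

  settings = jsonencode({
    EncryptionOperation    = "EnableEncryption"
    KeyVaultURL            = azurerm_key_vault.kv.vault_uri
    KeyVaultResourceId     = azurerm_key_vault.kv.id
    KeyEncryptionKeyURL    = azurerm_key_vault_key.kek.id # versioned key URL
    KekVaultResourceId     = azurerm_key_vault.kv.id
    KeyEncryptionAlgorithm = "RSA-OAEP"
    VolumeType             = "All" # OS and data volumes
  })
}
```

Because ADE runs dm-crypt inside the guest, the VM size must meet the memory requirements mentioned above; an undersized VM fails during extension provisioning rather than at plan time. The extension writes the wrapped BitLocker/dm-crypt secret to the vault, so the vault's access policies and diagnostic logs are the place to watch for unexpected secret reads.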

Underlying encryption technology:

  • Windows: BitLocker
  • Linux: DM-Crypt + VFAT

Other restrictions:

  • Basic and A-Series VMs are not supported
  • Memory requirements (check docs for Windows and Linux)
  • Does not currently support ephemeral disks

Encryption at Host

Encryption at Host is not supported with ADE and has other restrictions. Check this for production.

Keep in mind that to use Encryption at Host, you have to enable the feature in the subscription:

# Register
az feature register --name EncryptionAtHost --namespace Microsoft.Compute

# Propagate
az provider register -n Microsoft.Compute

# Confirm
az feature show --name EncryptionAtHost --namespace Microsoft.Compute

Clean-up

Destroy the resources:

terraform destroy -auto-approve