Quickstart: Create and encrypt a Linux VM in Azure with Azure PowerShell
Applies to: ✔️ Linux VMs ✔️ Flexible scale sets
The Azure PowerShell module is used to create and manage Azure resources from the PowerShell command line or in scripts. This quickstart shows you how to use the Azure PowerShell module to create a Linux virtual machine (VM), create a Key Vault for the storage of encryption keys, and encrypt the VM. This quickstart uses the Ubuntu 16.04 LTS marketplace image from Canonical and a VM Standard_D2S_V3 size. However, any ADE supported Linux image version could be used instead of an Ubuntu VM.
If you don't have an Azure subscription, create a Trial before you begin.
Create a resource group
Create an Azure resource group with New-AzResourceGroup. A resource group is a logical container into which Azure resources are deployed and managed:
New-AzResourceGroup -Name "myResourceGroup" -Location "ChinaEast2"
Create a virtual machine
Create an Azure virtual machine with New-AzVM, passing to it the VM configuration object you created in the previous step.
$cred = Get-Credential
New-AzVM -Name MyVm -Credential $cred -ResourceGroupName MyResourceGroup -Image Canonical:UbuntuServer:18.04-LTS:latest -Size Standard_D2S_V3
It takes a few minutes for your VM to be deployed.
Create a Key Vault configured for encryption keys
Azure disk encryption stores its encryption key in an Azure Key Vault. Create a Key Vault with New-AzKeyvault. To enable the Key Vault to store encryption keys, use the -EnabledForDiskEncryption parameter.
Important
Every key vault must have a name that is unique across Azure. In the following examples, replace <your-unique-keyvault-name> with the name you choose.
New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location ChinaEast2 -EnabledForDiskEncryption
Encrypt the virtual machine
Encrypt your VM with Set-AzVmDiskEncryptionExtension.
Set-AzVmDiskEncryptionExtension requires some values from your Key Vault object. You can obtain these values by passing the unique name of your key vault to Get-AzKeyvault.
$KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup"
Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -SkipVmBackup -VolumeType All
After a few minutes the process will return the following:
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
You can verify the encryption process by running Get-AzVmDiskEncryptionStatus.
Get-AzVmDiskEncryptionStatus -VMName MyVM -ResourceGroupName MyResourceGroup
When encryption is enabled, you will see the following in the returned output:
OsVolumeEncrypted : EncryptionInProgress
DataVolumesEncrypted : NotMounted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage : OS disk encryption started
Clean up resources
When no longer needed, you can use the Remove-AzResourceGroup cmdlet to remove the resource group, VM, and all related resources:
Remove-AzResourceGroup -Name "myResourceGroup"
Next steps
In this quickstart, you created a virtual machine, created a Key Vault that was enable for encryption keys, and encrypted the VM. Advance to the next article to learn more about Azure Disk Encryption for Linux VMs.