There are multiple ways to encrypt virtual machines to make them secure. Azure provides its own solution to encrypt the operating system and virtual machine disks. I faced the policy "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" when I used ISO 27001:2013 in my project. So here I will give you the solution to resolve this policy using the portal or Bicep, and also which conditions are required.
The following project will help you with these queries:
- How to implement encryption on Azure Linux virtual machine OS and data disks using the portal?
- How to implement encryption on Azure Linux virtual machine OS and data disks using Bicep?
- How to implement encryption on Azure Linux virtual machine OS and data disks using ARM templates?
- How to resolve "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" Policy?
Requirements
There are multiple ways to implement the policy, but here we will discuss the portal and Bicep. To implement the encryption, make sure of the following settings:
- Encryption at host
- Enable Ultra Disk Compatibility
- Azure Disk Encryption for Volume Encryption
Azure Disk Encryption for Volume Encryption
- Make sure this setting is enabled.
Encryption at host, Enable Ultra Disk Compatibility
Azure Disk Encryption cannot be used on a VM that has encryption at host or Ultra Disk compatibility enabled, so both of these must be turned off.
Method 1: Disable them during creation of the virtual machine
Method 2: Disable them after creation of the virtual machine
- Turn off the virtual machine.
- Go to the following location:
- VM > Disks > Additional settings
- Disable both of these options.
Implementation
To implement OS disk encryption, you can use either the portal or Bicep.
Portal: To implement the solution using the portal, go to the following window and add it.
Note: To implement it, make sure the virtual machine is running.
- To implement the solution, go to the following window and open Additional settings:
- Then select the key from the key vault; you will have to generate the key in the key vault beforehand.
Bicep: To implement the solution using Bicep:
- Add the following extension resource with the required parameters.
    @description('Encryption of VM Disk')
    resource diskEncrypt 'Microsoft.Compute/virtualMachines/extensions@2018-10-01' = {
      name: 'AzureDiskEncryptionForLinux'
      // symbolic name of the virtual machine resource declared elsewhere in the template
      parent: virtualMachine
      location: location
      properties: {
        publisher: 'Microsoft.Azure.Security'
        type: 'AzureDiskEncryptionForLinux'
        typeHandlerVersion: '1.1'
        autoUpgradeMinorVersion: true
        forceUpdateTag: '1.0'
        settings: {
          EncryptionOperation: 'EnableEncryption'
          // key vault that stores the disk encryption secrets
          KeyVaultURL: '<Enter Keyvault URL Here>'
          KeyVaultResourceId: '<Enter Keyvault Resource ID>'
          KeyEncryptionAlgorithm: 'RSA-OAEP'
          // 'All' covers both the OS disk and the data disks
          VolumeType: 'All'
          // key encryption key (KEK) used to wrap the disk encryption secrets; must include the key version
          KeyEncryptionKeyURL: '<Enter Keyvault URL with version>'
          KekVaultResourceId: '<Enter Keyvault Resource ID>'
          SequenceVersion: '<Enter Sequence Version: Detail>'
        }
      }
    }
- The Bicep template has some parameters which need to be entered; for "KeyEncryptionKeyURL" the URL should be in the following format.
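As an added example (not part of the original post), a small Python check that flags a VM whose configuration contradicts what this post requires: encryption at host or Ultra Disk compatibility still on, the AzureDiskEncryptionForLinux extension missing or not set to EnableEncryption with VolumeType All, or a KeyEncryptionKeyURL without a key version. It assumes the versioned Key Vault key identifier format https://<vault-name>.vault.azure.net/keys/<key-name>/<version>; the property names mirror the ARM virtual machine resource, and the sample VMs are constructed.

```python
import re

# Versioned Key Vault key identifier (assumed format the KeyEncryptionKeyURL must follow):
# https://<vault-name>.vault.azure.net/keys/<key-name>/<32-hex-version>
KEK_URL_RE = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$")

def check_vm_disk_encryption(vm: dict) -> list:
    """Return findings for a VM resource; an empty list means the VM matches the
    settings this post requires: ADE extension enabled for all volumes with a
    versioned key-encryption key, and encryption at host / Ultra Disk turned off."""
    findings = []
    props = vm.get("properties", {})
    # ADE cannot run on a VM that has encryption at host or Ultra Disk compatibility on.
    if props.get("securityProfile", {}).get("encryptionAtHost") is True:
        findings.append("encryption at host is enabled; disable it before using ADE")
    if props.get("additionalCapabilities", {}).get("ultraSSDEnabled") is True:
        findings.append("Ultra Disk compatibility is enabled; disable it before using ADE")
    ade = [e for e in vm.get("resources", [])
           if e.get("properties", {}).get("type") == "AzureDiskEncryptionForLinux"]
    if not ade:
        findings.append("AzureDiskEncryptionForLinux extension is missing")
        return findings
    settings = ade[0]["properties"].get("settings", {})
    if settings.get("EncryptionOperation") != "EnableEncryption":
        findings.append("EncryptionOperation is not EnableEncryption")
    if settings.get("VolumeType") != "All":
        findings.append("VolumeType is not All, so OS or data disks are left unencrypted")
    if not KEK_URL_RE.match(settings.get("KeyEncryptionKeyURL", "")):
        findings.append("KeyEncryptionKeyURL is not a versioned Key Vault key identifier")
    return findings

# Constructed sample VMs in the shape of an ARM VM resource with nested extensions.
ADE_EXT = {"properties": {"type": "AzureDiskEncryptionForLinux", "settings": {
    "EncryptionOperation": "EnableEncryption", "VolumeType": "All",
    "KeyEncryptionAlgorithm": "RSA-OAEP",
    "KeyEncryptionKeyURL": "https://kv-example.vault.azure.net/keys/vm-kek/0123456789abcdef0123456789abcdef"}}}
COMPLIANT_VM = {"properties": {"securityProfile": {"encryptionAtHost": False},
                               "additionalCapabilities": {"ultraSSDEnabled": False}},
                "resources": [ADE_EXT]}
NONCOMPLIANT_VM = {"properties": {"securityProfile": {"encryptionAtHost": True},
                                  "additionalCapabilities": {"ultraSSDEnabled": True}},
                   "resources": []}

if __name__ == "__main__":
    for name, vm in (("compliant", COMPLIANT_VM), ("non-compliant", NONCOMPLIANT_VM)):
        print(name, check_vm_disk_encryption(vm) or ["ok"])
```

Feed it the JSON of a VM (for example the output of `az vm show`) after mapping the extension list into `resources`, and an empty result means the settings from the Requirements section are all in place.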
That's all it takes to do the job. Keep me updated in case you find an issue. 🙂