Ran into an issue trying to encrypt the disks of a new VM in Azure. After running the cmdlet to encrypt the disks, the VM would reboot and then Azure would stop it. Never figured out why; I ended up rebuilding it with new disks and creating a new script from a different Azure doc. Such is life in the cloud. Also, I don’t know what I’m doing. This script creates a new Key Vault and a new AAD service principal, then encrypts an existing VM with Azure Disk Encryption. Make sure to replace the variables.

#Login and select your subscription
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "Meh"

#Create KeyVault
$rgName = "meh"
$location = "meh"
$keyVaultName = "meh"
$keyName = "meh-kv-secret"
Register-AzureRmResourceProvider -ProviderNamespace "Microsoft.KeyVault"
#The vault must be enabled for disk encryption, otherwise the extension cannot store the VM's volume secret
New-AzureRmKeyVault -Location $location `
    -ResourceGroupName $rgName `
    -VaultName $keyVaultName `
    -EnabledForDiskEncryption
#Key encryption key (KEK) that wraps the volume secret; the same $keyName is looked up again below
Add-AzureKeyVaultKey -VaultName $keyVaultName `
    -Name $keyName `
    -Destination "Software"

#Create AAD service principal
$appName = "meh"
$clientSecret = "SuperSecretStrongM3h"
#New-AzureRmADApplication takes the password as a SecureString; the disk encryption extension takes the plain string
$securePassword = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
$app = New-AzureRmADApplication -DisplayName $appName `
    -HomePage "https://meh.meh.com" `
    -IdentifierUris "https://meh.com/meh" `
    -Password $securePassword
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
#Least privilege: the principal only needs to wrap the key and write the secret
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName `
    -ServicePrincipalName $app.ApplicationId `
    -PermissionsToKeys "WrapKey" `
    -PermissionsToSecrets "Set"

#Encrypt VM
$vmName = "meh-vm"
$keyVault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri
$keyVaultResourceId = $keyVault.ResourceId
$keyEncryptionKeyUrl = (Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyName).Key.kid

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName `
    -VMName $vmName `
    -AadClientID $app.ApplicationId `
    -AadClientSecret $clientSecret `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $keyVaultResourceId

#Check the result
Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgName -VMName $vmName
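A check to run around the script above, added here as an example and not part of the original post: it verifies the vault is enabled for disk encryption, that the key the script looks up actually exists, that the service principal's access policy is no broader than WrapKey/Set, and that both volume classes report as encrypted afterwards. It assumes the AzureRm module, the variable names used above ($keyVaultName, $rgName, $keyName, $app, $vmName) and the function name Test-AdeSetup, which is mine.

```powershell
function Test-AdeSetup {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $ApplicationId,
        [Parameter(Mandatory)] [string] $VMName
    )
    $findings = @()

    $vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault) { return @("Key vault '$VaultName' not found in $ResourceGroupName") }

    # The extension writes the volume secret into the vault; this flag is what allows it to
    if (-not $vault.EnabledForDiskEncryption) {
        $findings += "Vault '$VaultName' is not enabled for disk encryption"
    }

    # The key-encryption key must exist under the name the script looks up, and be enabled
    $kek = Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
    if (-not $kek) { $findings += "Key '$KeyName' does not exist in vault '$VaultName'" }
    elseif (-not $kek.Attributes.Enabled) { $findings += "Key '$KeyName' is disabled" }

    # The AAD principal should hold exactly WrapKey on keys and Set on secrets, nothing broader
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ApplicationId
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) {
        $findings += "No vault access policy for application $ApplicationId"
    } else {
        $extra = @($policy.PermissionsToKeys | Where-Object { $_ -ne 'WrapKey' }) +
                 @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'Set' })
        if ($extra.Count -gt 0) { $findings += "Policy grants more than WrapKey/Set: $($extra -join ', ')" }
    }

    # After Set-AzureRmVMDiskEncryptionExtension both volume classes should report Encrypted;
    # a VM with no data disks reports a different value for data volumes, so read that as status
    $status = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
    if ("$($status.OsVolumeEncrypted)" -ne 'Encrypted') { $findings += "OS volume: $($status.OsVolumeEncrypted)" }
    if ("$($status.DataVolumesEncrypted)" -ne 'Encrypted') { $findings += "Data volumes: $($status.DataVolumesEncrypted)" }

    return $findings
}

# Usage with the variables from the script above
$findings = Test-AdeSetup -VaultName $keyVaultName -ResourceGroupName $rgName -KeyName $keyName `
    -ApplicationId $app.ApplicationId -VMName $vmName
if ($findings.Count -eq 0) { Write-Host "ADE setup looks correct" } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run the vault and policy checks before Set-AzureRmVMDiskEncryptionExtension and the whole function again after it; a mismatched key name or a vault that is not enabled for disk encryption shows up as a finding rather than as a VM that reboots and stops.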

