# Runbook inputs. All three are passed unchanged to ChangeEncryption at the end of the script.
param(
    # Name of the virtual machine whose OS disk encryption settings are rewritten.
    $VMName,
    # Resource group used to look up the VM, its OS disk and the Key Vault.
    $RGName,
    # Name of the Key Vault that is searched for the VM's tagged secret.
    $KeyVaultName
)
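Function ChangeEncryption{
    <#
    .SYNOPSIS
    Re-points the OS managed disk of a VM at a Key Vault secret and restarts the VM.

    .DESCRIPTION
    Looks up the single Key Vault secret whose MachineName tag regex-matches the VM name
    and whose VolumeLetter tag matches "C", then writes that secret's URL and the vault's
    resource ID into the OS disk's encryption settings and into the VM's OS disk profile.
    Presumably the secret is the key written by Azure Disk Encryption; confirm against
    the vault's contents.

    All lookups are done and validated BEFORE the VM is stopped, so a missing or ambiguous
    secret fails the call without causing downtime. Once the VM is stopped, any failure is
    terminating: the VM is intentionally left stopped rather than started with
    half-applied encryption settings.

    .PARAMETER VMName
    Name of the virtual machine to update.

    .PARAMETER RGName
    Resource group of the VM. The same resource group is used to look up the OS disk and
    the Key Vault, so the vault must live there as well.

    .PARAMETER KeyVaultName
    Name of the Key Vault holding the tagged secret.

    .NOTES
    Only the secret's identifier (URL) is used. Do not write $secretValue to the output
    stream: the object returned for a named secret also carries the secret value.
    #>
    param (
    [Parameter(Mandatory=$true)]
    $VMName,
    [Parameter(Mandatory=$true)]
    $RGName,
    [Parameter(Mandatory=$true)]
    $KeyVaultName)

    $vm = Get-AzureRMVM -Name $VMName -ResourceGroupName $RGName -ErrorAction Stop

    Write-Output "Getting secrets from Vault"
    # Secrets without the expected tags are skipped first: -match against an empty or
    # missing pattern is always true, which would otherwise select unrelated secrets.
    $candidates = @(Get-AzureKeyVaultSecret -VaultName $KeyVaultName -ErrorAction Stop |
        Where-Object { -not [string]::IsNullOrEmpty($_.Tags.MachineName) -and -not [string]::IsNullOrEmpty($_.Tags.VolumeLetter) } |
        Where-Object { $vm.Name -match $_.Tags.MachineName } |
        Where-Object { $_.Tags.VolumeLetter -match "C" })

    # Binding a disk to the wrong key is worse than failing, so require exactly one match.
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one secret in vault '$KeyVaultName' tagged for VM '$($vm.Name)' volume C, found $($candidates.Count)."
    }

    # Fetch the secret by name to obtain its full identifier (URL).
    $secretValue = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -SecretName $candidates[0].Name -ErrorAction Stop
    $secretURL = $secretValue.Id
    $secretID = (Get-AzureRmKeyVault -Name $KeyVaultName -ResourceGroupName $RGName -ErrorAction Stop).ResourceID
    if ([string]::IsNullOrEmpty($secretURL) -or [string]::IsNullOrEmpty($secretID)) {
        throw "Could not resolve the secret URL or the resource ID of vault '$KeyVaultName' in resource group '$RGName'."
    }

    $OSdisk = Get-AzureRmDisk -ResourceGroupName $RGName -name $vm.StorageProfile.OsDisk.Name -ErrorAction Stop
    $diskupdateconfig = New-AzureRmDiskUpdateConfig -EncryptionSettingsEnabled $true
    $diskupdateconfig = Set-AzureRmDiskUpdateDiskEncryptionKey -DiskUpdate $diskupdateconfig -SecretUrl $secretURL -SourceVaultId $secretID

    # Everything needed is resolved; only now take the VM down.
    Write-Output "Stopping VM $($vm.Name)"
    Stop-AzureRmVM -Name $VMName -ResourceGroupName $RGName -Force -ErrorAction Stop

    Write-Output "Updating OSDisk $($OsDisk.Name)"
    Update-AzureRmDisk -DiskName $OSdisk.Name -ResourceGroupName $OSdisk.ResourceGroupName -DiskUpdate $diskupdateconfig -ErrorAction Stop
    Set-AzureRmVMOSDisk -Vm $vm -ManagedDiskId $OSdisk.Id -CreateOption "Attach" -Windows -DiskEncryptionKeyURL $secretURL -DiskEncryptionKeyVaultID $secretID
    Update-AzureRMVM -VM $vm -ResourceGroupName $vm.ResourceGroupName -ErrorAction Stop

    Write-Output "Starting VM $($vm.Name)"
    Start-AzureRmVM -Name $vm.Name -ResourceGroupName $RGName -ErrorAction Stop
}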
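# Runbook entry point: authenticate as the Automation account's Run As service principal,
# select its subscription, then rewrite the encryption settings of the requested VM.
"Logging in to Azure..."
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
# Fail closed: without the connection asset there is no identity to run the change under.
if (-not $Conn) {
    throw "Automation connection 'AzureRunAsConnection' was not found."
}
# NOTE(review): the login cmdlet writes the resulting account context (tenant and
# subscription identifiers) to the job output; pipe it to Out-Null if job logs are
# readable more widely than the subscription itself.
Add-AzureRMAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint -ErrorAction Stop
"Selecting Azure subscription..."
# -ErrorAction Stop on both calls keeps the VM change from running after a failed login
# or against a subscription other than the one stored in the connection.
Select-AzureRmSubscription -SubscriptionId $Conn.SubscriptionID -TenantId $Conn.tenantid -ErrorAction Stop
ChangeEncryption -VmName $Vmname -RGName $RGName -KeyVaultName $KeyVaultName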