
Commit c914c93

committed
fixes https://github.com/MicrosoftDocs/azure-docs/issues/18164 for uploading BEK file as Key Vault secret
1 parent c281746 commit c914c93

1 file changed

+30
-1
lines changed

articles/security/azure-security-disk-encryption-appendix.md

Lines changed: 30 additions & 1 deletion
@@ -6,7 +6,7 @@ ms.service: security
66
ms.subservice: Azure Disk Encryption
77
ms.topic: article
88
ms.author: mstewart
9-
ms.date: 09/10/2018
9+
ms.date: 11/06/2018
1010
---
1111

1212

@@ -546,6 +546,35 @@ When encrypting using an Azure AD app (previous release), the disk-encryption se
546546
### <a name="bkmk_SecretnoKEK"></a> Disk encryption secret not encrypted with a KEK
547547
To set up the secret in your key vault, use [Set-AzureKeyVaultSecret](/powershell/module/azurerm.keyvault/set-azurekeyvaultsecret). If you have a Windows virtual machine, the bek file is encoded as a base64 string and then uploaded to your key vault using the `Set-AzureKeyVaultSecret` cmdlet. For Linux, the passphrase is encoded as a base64 string and then uploaded to the key vault. In addition, make sure that the following tags are set when you create the secret in the key vault.
548548

549+
#### Windows BEK file
550+
```powershell
551+
# Change the VM Name, key vault name, and specify the path to the BEK file.
552+
$VMName ="MySecureVM"
553+
$BEKFilepath = "C:\test\BEK\E60CF855-1B47-4AE5-A70C-4FE6E8386AAA.BEK"
554+
$VeyVaultName ="MySecureVault"
555+
556+
# Get the name of the BEK file from the BEK file path. This will be a tag for the key vault secret.
557+
$BEKFileName = Split-Path $BEKFilepath -Leaf
558+
559+
# These tags will be added to the key vault secret so you can easily see which BEK file belongs to which VM.
560+
$tags = @{“MachineName” = “$VMName”;"DiskEncryptionKeyEncryptionAlgorithm" = "RSA-OAEP"; "DiskEncryptionKeyFileName" = "$BEKFileName"}
561+
562+
# Convert the BEK file to a Base64 string.
563+
$FileContentEncoded = [System.convert]::ToBase64String((Get-Content -Path $BEKFilepath -Encoding Byte))
564+
565+
# Create a new secret in the vault from the converted BEK file.
566+
# The file is converted to a secure string before import into the key vault
567+
568+
$SecretName = [guid]::NewGuid().ToString()
569+
$SecureSecretValue = ConvertTo-SecureString $FileContentEncoded -AsPlainText -Force
570+
$Secret = Set-AzureKeyVaultSecret -VaultName $VeyVaultName -Name $SecretName -SecretValue $SecureSecretValue -tags $tags
571+
572+
# Show the secret's URL and store it as a variable. This is used as -DiskEncryptionKeyUrl in Set-AzureRmVMOSDisk when you attach your OS disk.
573+
$SecretUrl=$secret.Id
574+
$SecretUrl
575+
```
576+
577+
#### Linux
549578
```powershell
550579
551580
# This is the passphrase that was provided for encryption during the distribution installation
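Review bot: the tag `"DiskEncryptionKeyEncryptionAlgorithm" = "RSA-OAEP"` added in the `$tags` hashtable of the new "Windows BEK file" block sits under the heading "Disk encryption secret not encrypted with a KEK", so it asserts a key-encryption algorithm for a secret the section says is not wrapped by a KEK; either drop that tag here and leave it to the KEK variant, or add a sentence explaining why it is still required. Two smaller points in the same block: the variable is spelled `$VeyVaultName` in both its definition and its use in `Set-AzureKeyVaultSecret -VaultName $VeyVaultName`, which works but reads as a typo for `$KeyVaultName` and will be propagated by readers who copy it; and the `$tags` line uses curly quotes (`“MachineName” = “$VMName”`) alongside straight quotes for the other keys, so replace them with straight `"` to keep the snippet safe to paste. Finally, `Get-Content -Path $BEKFilepath -Encoding Byte` is the Windows PowerShell form; since the surrounding page targets readers who may run PowerShell Core, consider noting that `-Encoding Byte` is not available there and `-AsByteStream` is the equivalent.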
