[SOLVED] How to iterate through each disk associated with Azure VM and get the encryption status using PowerShell?

How to iterate through each disk associated with Azure VM and get the encryption status using PowerShell?

I want to first get the list of disks associated with a VM and then iterate through each disk properties to identify if the disk is Customer Managed Key(CMK) encrypted or not. How to perform this check using Azure PowerShell?

Solution

Generally, To get the encryption status of the virtual machine, you can use the Get-AzVMDiskEncryptionStatus cmdlet with the following syntax:

Get-AzVmDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vmName

You will see the encryption status of the operating system and the data volumes.

If the above OsVolumeEncrypted or DataVolumesEncrypted displayed Encrypted, you probably have osDisk or dataDisk encrypted with CMK.

You also could capture the encryption settings from each disk by using the following PowerShell commands. For more details, you could read this article.

RGNAME="RGNAME"
VMNAME="VNAME"

$VM = Get-AzVM -Name $VMNAME -ResourceGroupName $RGNAME  
 $Sourcedisk = Get-AzDisk -ResourceGroupName $RGNAME -DiskName $VM.StorageProfile.OsDisk.Name
 Write-Host "============================================================================================================================================================="
 Write-Host " OS disk Encryption Settings:"
 Write-Host "============================================================================================================================================================="
 Write-Host "Enabled:" $Sourcedisk.EncryptionSettingsCollection.Enabled
 Write-Host "Version:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettingsVersion
 Write-Host "Source Vault:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SourceVault.Id
 Write-Host "Secret URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl
 Write-Host "Key URL:" $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl
 Write-Host "============================================================================================================================================================="

 foreach ($i in $VM.StorageProfile.DataDisks| ForEach-Object{$_.Name})
 {
 Write-Host "============================================================================================================================================================="
 Write-Host "Data Disk Encryption Settings:"
 Write-Host "============================================================================================================================================================="
 Write-Host "Checking Disk:" $i
 $Sourcedisk=(Get-AzDisk -ResourceGroupName $RGNAME -DiskName $i)
 Write-Host "Encryption Enable: " $Sourcedisk.EncryptionSettingsCollection.Enabled
 Write-Host "Encryption KeyEncryptionKey: " $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.KeyEncryptionKey.KeyUrl;
 Write-Host "Encryption DiskEncryptionKey: " $Sourcedisk.EncryptionSettingsCollection.EncryptionSettings.DiskEncryptionKey.SecretUrl;
 Write-Host "============================================================================================================================================================="
 }