Disk encryption is a basic data protection method for physical & virtual hard disks. It falls under physical data security and it prevents data breaches from stolen hard disks (physical & virtual). By using Azure Disk Encryption, we can encrypt disks within the guest VM. If the guest VM is running Windows OS, Azure Disk Encryption will use BitLocker. If the guest VM is running Linux, it will be depending on DM-Crypt to encrypt virtual disks. But with Server-Side Encryption (SSE) we can encrypt any OS disk/data disk at the storage service level.
By default, Azure Managed disks are encrypted using 256-bit AES encryption. It is FIPS 140-2 compliant. For this, the system uses platform-managed encryption keys. But for compliance requirements, the organization may want to manage its own encryption keys. These keys are called Customer Managed Keys (CMK). In here, instead of the platform, it is the customer’s responsibility to create, import, delete encryption keys. We can use CMK to encrypt managed disk using Azure Disk Encryption or Server-Side Encryption (SSE). In both methods, we have to use the Azure Key Vault to store the encryption keys. A Key vault admin can either import their own RSA keys or generate new RSA keys in the key vault to use with encryption.
When we using Customer Managed Keys (CMK) we need to consider the following,
1. If the CMK feature is enabled for a disk, it can’t be disabled. If you need you can copy data to a new disk without CMK.
2. Only supported Software and HSM RSA keys with 2048 bit, 3072 bit, and 4096-bit sizes.
3. Managed disk created from custom image or snapshot which is encrypted using SSE & CMK must use same CMK to encrypt.
4. All resources related to CMK such as Azure key vault, DisKEncryptionSet, VMs, Managed Disks must use the same subscription and region.
5. Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using CMK.
Before we go ahead with configurations let’s see how Server-Side Encryption (SSE) works with Customer Managed Keys (CMK).
1. Admin creates DisKEncryptionSet resource with Azure Key Vault ID and a key URL. This will also create a system-assigned managed identity in Azure Active Directory.
2. Then Azure Key Vault Admin grant permission to this managed identity to perform activities in the relevant key vault.
3. As the next step, VM user can create or associate existing managed disks with DisKEncryptionSet and enable Server-Side Encryption (SSE)
4. Managed disks use system-assigned managed identity in Azure Active Directory to access Key vault
5. Managed disks send a request to Key vault to encrypt or decrypt Data Encryption Key (DEK) to use it with data encryption or decryption.
Let’s go ahead and see how we can use SSE and CMK for managed disk encryption.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0
Setup Azure Resource Group
The first step of the configuration is to create a new resource group.
To do that,
Launch PowerShell console and connect to Azure using Connect-AzAccount
Then create a new resource group using,
New-AzResourceGroup -Name REBELRG1 -Location “East US”
In the above, REBELRG1 is the resource group name and East US is the resource group location.
Setup Azure Key Vault
Next, we need to create a new key vault and encryption key.
As the first step, let’s go ahead and enable Azure Key Vault provider within the subscription by using,
Register-AzResourceProvider -ProviderNamespace “Microsoft.KeyVault”
Then, let’s go ahead with Azure Vault setup,
$rkv = New-AzKeyVault -VaultName REBELVMKV1 -Location “East US” -ResourceGroupName REBELRG1 -EnablePurgeProtection
In the above, REBELVMKV1 is the key vault name and it is created under REBELRG1 resource group. –EnablePurgeProtection parameter is used to ensure a deleted key from the vault cannot be permanently deleted until it passes the retention period. This option adds extra protection to keys used inside the vault. This must be enabled otherwise the encryption will fail.
As the next step, we need to create an access policy so currently logged-in user can create encryption keys.
Set-AzKeyVaultAccessPolicy -VaultName REBELVMKV1 -ObjectId xxxxxxxxxxxxxxxx -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru
In the above -Objectid value should replace with the actual objectid value of the currently logged in the global admin account. Here -PermissionsToKeys define the permissions allocated for keys and -PermissionsToSecrets defines the permissions allocated for secrets.
Next, we need a new encryption key to use with disk encryption.
$vk1 = Add-AzKeyVaultKey -VaultName REBELVMKV1 -Name “REBELVMKey” -Destination “Software”
In the above, REBELVMKey is the key name. -Destination is defined as Software as we creating the standard encryption key. If required it can be set to Hardware Security Model (HSM) but it comes with additional cost. [Read more…] about Encrypt Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)