- Use BYOK for Disk Volumes Encryption
Ensure that your Azure virtual machine disk volumes are encrypted with customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (the default keys used by Microsoft Azure for disk encryption), in order to have more granular control over your VM data encryption/decryption process.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When you create and use your own customer-managed keys with Azure VM disk volumes, you gain full control over who can use the encryption keys and who can access the data encrypted on your volumes.
Audit
To determine if your Azure virtual machine disk volumes are encrypted with customer-managed keys, perform the following actions:
Using Azure Console
01 Sign in to Azure Management Console.
02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.
03 Choose the Azure subscription that you want to access from the Subscription filter box.
04 From the Type filter box, select Virtual machine to list the virtual machines (VMs) deployed within the selected subscription.
05 Click on the name of the virtual machine that you want to examine.
06 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected Azure VM.
07 On the Disks overview page, check the encryption status set for each disk volume attached, available in the Encryption column. If the encryption status is set to Not enabled, the attached disk volumes are not encrypted, therefore you can follow the steps outlined in this conformity rule to enable encryption at rest. If the status is set to Enabled, continue the audit process with the next step.
08 Click on Encryption button from the panel main menu to access the encryption configuration settings for the disk volumes attached.
09 On the Encryption page, check the Key and the Version configuration fields. If these fields are empty, the Azure Disk Encryption (ADE) service is using a service-managed key instead of a customer-managed key (i.e. Bring Your Own Key - BYOK) to encrypt the disk volumes attached to the selected Microsoft Azure virtual machine.
10 Repeat steps no. 5 – 9 for each Azure virtual machine available in the selected subscription.
11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) provisioned in the current subscription:
az vm list --query '[*].id'
02 The command output should return the requested resource identifiers (IDs):
[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-development-vm"
]
03 Run vm encryption show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as the identifier parameter to describe the encryption key used for encrypting the disk volume(s) attached to the selected virtual machine:
az vm encryption show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm" --query 'disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'
04 The command output should return the requested configuration metadata:
[]
If the command output returns the message "Azure Disk Encryption is not enabled", the attached disk volumes are not encrypted, therefore you can follow the steps outlined in this conformity rule to enable encryption at rest. If the vm encryption show command output returns an empty array (i.e. []), as shown in the example above, the disk volumes attached to the selected Microsoft Azure virtual machine are encrypted using a service-managed key instead of a customer-managed key (BYOK).
05 Repeat step no. 3 and 4 for each Azure virtual machine launched in the current subscription.
06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
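The CLI audit above, automated over every virtual machine in every subscription, as an added example that is not part of this conformity rule and not Azure's own tooling. It assumes a signed-in az CLI and uses az account list and az account set (real commands, not shown on this page) to walk subscriptions; the classification labels and the script name audit-byok.sh are my own.

```shell
#!/bin/sh
# Added example (not the Conformity rule's own tooling and not Azure's): runs
# the CLI audit steps over every VM in every subscription and prints one
# line per VM. Assumes a signed-in az CLI.
set -eu

QUERY='disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'

# Map the combined stdout+stderr of 'az vm encryption show --query "$QUERY"'
# to one of the three outcomes the audit steps describe (labels are my own):
#   NOT_ENABLED     - ADE is off, volumes are not encrypted (rule fails)
#   SERVICE_MANAGED - ADE is on, but the empty array means no customer KEK (rule fails)
#   BYOK            - a key URL is returned: customer-managed key in use (rule passes)
# Anything else is reported as UNKNOWN rather than silently counted as a pass.
classify_encryption() {
  case "$1" in
    *"Azure Disk Encryption is not enabled"*) echo NOT_ENABLED; return 0 ;;
    *".vault.azure.net/keys/"*)              echo BYOK;        return 0 ;;
  esac
  _compact=$(printf '%s' "$1" | tr -d ' \t\r\n')
  if [ "$_compact" = "[]" ]; then echo SERVICE_MANAGED; else echo UNKNOWN; fi
}

# Audit one subscription (argument 1: subscription ID). Output is TSV:
# <classification> <vm resource id>, so failures can be grepped out.
audit_subscription() {
  az account set --subscription "$1"
  for _vm in $(az vm list --query '[*].id' --output tsv); do
    # The "not enabled" message may arrive on stderr with a non-zero exit,
    # so capture both streams and never let one VM abort the whole run.
    _out=$(az vm encryption show --ids "$_vm" --query "$QUERY" --output json 2>&1 || true)
    printf '%s\t%s\n' "$(classify_encryption "$_out")" "$_vm"
  done
}

# Walk every subscription the signed-in identity can see.
audit_all() {
  for _sub in $(az account list --query '[*].id' --output tsv); do
    audit_subscription "$_sub"
  done
}

# Usage: sh audit-byok.sh --run | grep -v BYOK   -> every VM that fails the rule
if [ "${1:-}" = "--run" ]; then
  audit_all
fi
```

The classifier is kept separate from the az calls so it can be unit-tested against the three outputs the audit steps describe without touching a tenant; anything it cannot recognise is surfaced as UNKNOWN instead of being treated as compliant.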
Remediation / Resolution
To configure Azure Disk Encryption (ADE) service to encrypt your Azure virtual machine disk volumes using your own customer-managed key (also known as Bring Your Own Key - BYOK), perform the following actions:
Note: Azure Disk Encryption is not currently supported on Basic and A-series VMs. Check the Azure documentation to determine whether your virtual machines (VMs) meet the minimum memory requirements for disk encryption.
Using Azure Console
01 Sign in to Azure Management Console.
02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.KeyVault%2Fvaults and click + Add to create the Azure Key Vault that will store the customer-managed key (BYOK).
03 On the Create key vault page, perform the following:
- On the Basics panel, choose the appropriate subscription, provide a unique name for the new key vault, then select the Azure region and the resource group where the vault will be deployed. Click Next : Access policy > to continue.
- On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure Disk Encryption to retrieve secrets from the vault and unwrap encryption keys. Click Next : Virtual network > to continue the vault setup process.
- On the Virtual network panel, configure the network access control for the new key vault. Click Next : Tags > to continue.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Click Next : Review + create > to continue the setup.
- On the Review + create panel, review the resource configuration details, then click Create to create your new Azure Key Vault.
04 Click on the name of the newly created Microsoft Azure Key Vault.
05 In the navigation panel, under Settings, select Keys, then click Generate/Import button to create the customer-managed key required for VM disk volumes encryption.
06 On the Create a key panel, in the Name box, provide a unique name for your new encryption key, choose an activation and/or expiration date for the resource, then click Create to generate your new customer-managed key (BYOK).
07 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.
08 Choose the Azure subscription that you want to access from the Subscription filter box.
09 From the Type filter box, select Virtual machine to list the virtual machines provisioned in the selected subscription.
10 Click on the name of the virtual machine that you want to reconfigure (see Audit section part II to identify the right VM).
11 In the navigation panel, under Settings, select Disks to access the disk volumes attached to the selected Azure VM.
12 On the Disks page, click Encryption to access the encryption configuration settings for the attached volumes.
13 On the Encryption page, select OS and data disks from Disks to encrypt dropdown list and use Select a key vault and key for encryption link to select the Azure Key Vault and the BYOK encryption key created earlier in the remediation process. Click Save to apply the configuration changes and enable disk encryption with BYOK. Azure Disk Encryption (ADE) service will use the new customer-managed key to encrypt the disk volumes attached to the selected Microsoft Azure virtual machine.
14 If required, repeat steps no. 10 – 13 for other virtual machines (VMs) available in the selected subscription.
15 Repeat steps no. 2 – 14 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (BYOK) will be placed. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support:
az keyvault create --name cc-prod-key-vault --resource-group cloud-shell-storage-westeurope --location westeurope --enable-soft-delete true --enable-purge-protection true --enabled-for-disk-encryption true
02 The command output should return the configuration metadata for the newly created Azure Key Vault:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault",
  "location": "westeurope",
  "name": "cc-prod-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [ "get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover" ],
          "keys": [ "get", "create", "delete", "list", "update", "import", "backup", "restore", "recover" ],
          "secrets": [ "get", "list", "set", "delete", "backup", "restore", "recover" ],
          "storage": [ "get", "list", "delete", "set", "update", "regeneratekey", "setsas", "listsas", "getsas", "deletesas" ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": { "name": "standard" },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-prod-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}
03 Run keyvault key create command (Windows/macOS/Linux) to create the customer-managed key (Bring Your Own Key - BYOK), required to encrypt your Azure virtual machine disk volume(s):
az keyvault key create --name cc-prod-byok-key --vault-name cc-prod-key-vault --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey --expires "2020-10-29T10:30:00Z" --protection software --disabled false
04 The command output should return the configuration metadata for the new encryption key:
{
  "attributes": {
    "created": "2019-10-29T12:55:52+00:00",
    "enabled": true,
    "expires": "2020-10-29T10:30:00+00:00",
    "notBefore": null,
    "recoveryLevel": "Purgeable",
    "updated": "2019-10-29T12:55:52+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [ "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey" ],
    "kid": "https://cc-prod-key-vault.vault.azure.net/keys/cc-prod-byok-key/abcdabcdabcdabcdabcdabcdabcdabcd",
    "kty": "RSA",
    "n": " ... ",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}
05 Run vm encryption enable command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure (see Audit section part II to identify the right VM) as the identifier parameter, to enable encryption at rest for the disk volume(s) attached to the selected virtual machine using the customer-managed key (i.e. BYOK) created in the previous steps:
az vm encryption enable --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm" --disk-encryption-keyvault cc-prod-key-vault --key-encryption-key cc-prod-byok-key --key-encryption-keyvault cc-prod-key-vault --volume-type ALL
06 If the command request was successful, the command output should return a confirmation message, such as:
The encryption request was accepted. Please use 'show' command to monitor the progress.
07 Run vm encryption show command (Windows/macOS/Linux) using the ID of the reconfigured Azure virtual machine (VM) as identifier parameter to confirm the encryption status by listing the URL of the customer-managed key used for disk volumes encryption:
az vm encryption show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm" --query 'disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'
08 The command output should return the requested customer-managed key (BYOK) URL:
[ "https://cc-prod-key-vault.vault.azure.net/keys/cc-prod-byok-key/abcdabcdabcdabcdabcdabcdabcdabcd" ]
09 If required, repeat steps no. 5 – 8 for other Azure virtual machines available within the selected subscription.
10 Repeat steps no. 1 – 9 for each subscription available in your Microsoft Azure cloud account.
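The CLI remediation steps 01 to 08 above as one script, plus an offline check that the virtual machine really ended up on the intended key rather than on some key, as an added example that is not part of this conformity rule and not Azure's own tooling. It assumes a signed-in az CLI; the vault, key, resource group and location names are the constructed sample values from this page, the script name remediate-byok.sh and the VM_ID environment variable are my own, and --enable-soft-delete is omitted because current CLI versions enable soft delete by default.

```shell
#!/bin/sh
# Added example (not the Conformity rule's own tooling and not Azure's):
# the remediation steps as one script plus an offline check that the VM
# landed on the intended key. Assumes a signed-in az CLI.
set -eu

# Constructed sample names (from the page); override via the environment.
VAULT_NAME="${VAULT_NAME:-cc-prod-key-vault}"
KEY_NAME="${KEY_NAME:-cc-prod-byok-key}"
RESOURCE_GROUP="${RESOURCE_GROUP:-cloud-shell-storage-westeurope}"
LOCATION="${LOCATION:-westeurope}"
QUERY='disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl[]'

# Steps 01-04: a vault with purge protection (deleting the KEK would make the
# volumes unrecoverable) and a KEK limited to the operations ADE performs with
# it: wrapping and unwrapping the volume's encryption secret (BEK).
create_vault_and_kek() {
  az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --enable-purge-protection true \
    --enabled-for-disk-encryption true --output none
  az keyvault key create --name "$KEY_NAME" --vault-name "$VAULT_NAME" \
    --kty RSA --size 2048 --ops wrapKey unwrapKey --protection software --output none
}

# Step 05: enable ADE on one VM with the KEK. Argument 1: VM resource ID.
enable_byok() {
  az vm encryption enable --ids "$1" \
    --disk-encryption-keyvault "$VAULT_NAME" \
    --key-encryption-key "$KEY_NAME" \
    --key-encryption-keyvault "$VAULT_NAME" \
    --volume-type ALL
}

# Steps 07-08, offline part: given the JSON array returned by
# 'az vm encryption show --query "$QUERY"', succeed only if it is non-empty and
# every URL belongs to the intended vault and key (any key version). An empty
# array means ADE is running on a service-managed key; a foreign URL means the
# wrong KEK is in use. Arguments: show output, vault name, key name.
verify_key_url() {
  _prefix="https://$2.vault.azure.net/keys/$3/"
  _urls=$(printf '%s' "$1" | sed 's/[][",]/ /g')   # brackets, quotes, commas -> spaces
  _seen=0
  for _u in $_urls; do
    case "$_u" in
      "$_prefix"*) _seen=1 ;;
      *) return 1 ;;
    esac
  done
  [ "$_seen" -eq 1 ]
}

# Steps 07-08, online part: the enable request is asynchronous, so poll the
# show command until the intended key URL appears. Argument 1: VM resource ID.
wait_for_byok() {
  _i=0
  while [ "$_i" -lt 20 ]; do
    _out=$(az vm encryption show --ids "$1" --query "$QUERY" --output json 2>&1 || true)
    if verify_key_url "$_out" "$VAULT_NAME" "$KEY_NAME"; then
      echo "BYOK confirmed on $1"; return 0
    fi
    _i=$((_i + 1)); sleep 30
  done
  echo "timed out waiting for BYOK on $1" >&2; return 1
}

# Usage: VM_ID=<vm resource id> sh remediate-byok.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_vault_and_kek
  enable_byok "$VM_ID"
  wait_for_byok "$VM_ID"
fi
```

The verification deliberately checks the vault and key name in the returned URL rather than merely that the array is non-empty: a VM can report a key URL and still be encrypted under a key from another vault, which the page's step 08 would not catch on its own.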
References
- Azure Official Documentation
- Azure Disk Encryption for virtual machines and virtual machine scale sets
- Virtual Machine series
- Azure Disk Encryption for Linux VMs
- Quickstart: Create and encrypt a Windows virtual machine with the Azure portal
- Quickstart: Create and encrypt a Windows VM with the Azure CLI
- Azure CLI Documentation
- az vm
- az vm list
- az vm encryption
- az vm encryption show
- az vm encryption enable
- az keyvault
- az keyvault create
- az keyvault key
- az keyvault key create