- Knowledge Base
- Microsoft Azure
- Virtual Machines
- Server Side Encryption for Boot Disk using CMK
Microsoft Azure provides multiple distinct layers of encryption protection for virtual machine (VM) managed disks. VM managed disks are encrypted with Azure Storage encryption, also known as Server-Side Encryption (SSE), using platform-managed keys (PMK), to protect your data at rest and help you meet your organizational security and compliance commitments. By default, VM managed disk volumes (OS and data disk volumes) use platform-managed encryption keys. However, in order to have a more granular control over your data encryption/decryption process, it is strongly recommended to use your own keys (CMKs) instead of platform-managed keys (PMKs) for boot disk volume encryption.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When you create and use your own customer-managed keys (CMKs) for Azure VM boot disk volumes, you gain full control over who can use the encryption keys and who can access the data encrypted on your boot (OS) volumes.
Audit
To determine if your Azure VM boot disk volumes are encrypted with customer-managed keys (CMKs), perform the following actions:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription filter box.
04 Select Virtual machine from the Type filter box and choose Apply to list all the virtual machines provisioned within the selected subscription.
05 Click on the name of the virtual machine (VM) that you want to examine.
06 In the VM navigation panel, under Settings, select Disks to view the boot disk volumes attached to the selected virtual machine.
07 On the Disks overview page, in the OS disk section, check the encryption configuration status available for the boot disk volume, listed in the Encryption column. If the encryption status is set to SSE with PMK, Microsoft Azure Storage encryption is using a platform-managed key (PMK) instead of a customer-managed key (CMK) to encrypt the boot disk volume attached to the selected virtual machine.
08 Repeat steps no. 5 – 7 for each Azure virtual machine available in the selected subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each Azure virtual machine (VM) provisioned in the current subscription:
az vm list --query '[*].id'
02 The command output should return the requested VM resource identifiers (IDs):
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm", "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-development-vm" ]
03 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine (VM) that you want to examine as the identifier parameter, to describe the ID of the boot (OS) disk volume attached to the selected virtual machine:
az vm show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm" --query 'storageProfile.osDisk.managedDisk.id'
04 The command output should return the requested resource identifier (ID):
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-web-production-vm_OsDisk_1_abcdabcdabcd" ]
05 Run disk show command (Windows/macOS/Linux) using the ID of the Azure VM boot disk volume returned at the previous step as the identifier parameter, to describe the URL of the customer-managed key (CMK) configured for the boot disk volume encryption:
az disk show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-web-production-vm_OsDisk_1_abcdabcdabcd" --query encryption
06 The command output should return disk encryption settings, including the encryption type and disk encryption set details (if applicable):
{ "diskEncryptionSetId": null, "type": "EncryptionAtRestWithPlatformKey" }
If the disk show command output returns encryption.type as EncryptionAtRestWithPlatformKey, Microsoft Azure Storage encryption is not using a customer-managed key (CMK) to encrypt the boot disk volume attached to the selected virtual machine.
07 Repeat steps no. 3 – 6 for each Azure virtual machine provisioned within the current subscription.
08 Repeat steps no. 1 – 7 for each subscription available in your Microsoft Azure cloud account.
Remediation / Resolution
Case A: If the boot disk volumes attached to your Azure virtual machines (VMs) were not encrypted using Azure Disk Encryption (ADE), you can use customer-managed keys (CMKs) for Server-Side Encryption (SSE). To encrypt the data available on your Azure VM boot disk volumes using your own customer-managed keys (CMKs), perform the following actions:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults and choose + Create to create the Azure key vault that will store your customer-managed key (CMK).
03 On the Create a key vault setup page, perform the following operations:
- On the Basics panel, choose the appropriate subscription and pricing tier, provide a unique name for the new key vault, and select the Azure region and resource group where the vault will be deployed. (Optional) You can choose whether or not to enable purge protection and set the number of days to retain the deleted vault. Choose Next to continue the setup process.
- On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure to retrieve secrets from the vault and unwrap encryption keys. (Optional) You can choose + Add Access Policy to add additional access policies to the key vault. Choose Next to continue.
- On the Networking panel, configure the network access control for the key vault. You can connect to the new key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint. Choose Next to continue the setup.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Next to continue.
- On the Review + create panel, review the resource configuration details, then choose Create to create your new Microsoft Azure key vault.
04 Once the deployment process is complete, choose Go to resource to access the new key vault.
05 In the key vault navigation panel, under Settings, select Keys, then choose Generate/Import button to create the customer-managed key (CMK) required for the boot disk volume encryption.
06 On the Create a key setup page, provide a unique name for the new key in the Name box, choose an activation and/or expiration date for the resource, select Enabled for activation, then choose Create to generate your new customer-managed key (CMK).
07 Navigate to the Disk Encryption Sets blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FdiskEncryptionSets and click + Create to create a new disk encryption set.
08 On the Create a disk encryption set setup page, perform the following actions:
- On the Basics panel, configure the following parameters:
- Select the appropriate subscription, resource group, and region (must match your virtual machine location).
- Choose the encryption type that you want to use for your boot disk volumes, either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys.
- Select the Azure key vault, the key, and the key version (i.e. Current version) created at the previous steps.
- (Optional) Select Auto key rotation to automatically rotate the key to the latest key version.
- Choose Next : Tags > to continue.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the new key. Choose Next : Review + create > to continue.
- Select Review + create, validate the chosen parameters, and choose Create.
09 Once the deployment is complete, choose Go to resource. On the Overview page, you should see a red banner indicating that the associated key vault does not yet have permissions to access the new disk encryption set, prompting you to grant permissions. Click the arrow in the red banner to proceed. If needed, check the blade notification box from the top right to see a summary of the activity log and the notification that confirms the permission changes.
10 Navigate to the Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults, access the appropriate key vault, and choose Access policies in the vault navigation menu. Check for, or if needed, create an application-type permission for your new disk encryption set which includes the following key permissions: Get, Unwrap Key, and Wrap Key.
11 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.
12 Click on the name of the virtual machine (VM) that you want to reconfigure.
13 On the Overview page, choose Stop from the top menu to stop the selected VM.
14 Within the Stop this virtual machine confirmation box, select Do you want to reserve the Public IP address? checkbox to reserve the allocated IP address, then choose OK for confirmation. Once the VM status become Stopped (deallocated), continue with the next step.
15 In the navigation panel, under Settings, select Disks to view the virtual machine's managed disks.
16 On the Disks overview page, in the OS disk section, click on the name of the boot disk volume attached to the selected virtual machine.
17 In the disk navigation panel, under Settings, choose Encryption to access the Server-Side Encryption (SSE) settings available for the selected disk volume.
18 On the Encryption page, select either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys from the Encryption type dropdown list and choose the encryption set created earlier in the Remediation process from the Disk encryption set dropdown list. Choose Save to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected boot disk volume.
19 Navigate back to the Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.
20 Click on the name of the stopped (deallocated) virtual machine.
21 On the Overview page, choose Start from the top menu to restart the selected virtual machine (VM).
22 Repeat steps no. 12 – 21 for each Azure virtual machine available in the selected subscription.
23 Repeat steps no. 1 – 22 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
Note: Changes to encryption settings can only be made when the boot (OS) disk is unattached or the managing virtual machine is deallocated. The deallocation process will release any public IP addresses associated with the VM.
01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (CMK) will be placed. Make sure that you specify the Azure subscription that you want to use:
az keyvault create --name cc-prod-key-vault --resource-group cloud-shell-storage-westeurope --location westeurope --enable-purge-protection true --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
02 The command output should return the configuration information available for the new Azure key vault:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault", "location": "westeurope", "name": "cc-prod-key-vault", "properties": { "accessPolicies": [ { "applicationId": null, "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "permissions": { "certificates": [ "all" ], "keys": [ "all" ], "secrets": [ "all" ], "storage": [ "all" ] }, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd" } ], "createMode": null, "enablePurgeProtection": true, "enableRbacAuthorization": null, "enableSoftDelete": true, "enabledForDeployment": false, "enabledForDiskEncryption": null, "enabledForTemplateDeployment": null, "hsmPoolResourceId": null, "networkAcls": null, "privateEndpointConnections": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "sku": { "family": "A", "name": "standard" }, "softDeleteRetentionInDays": 90, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "vaultUri": "https://cc-prod-key-vault.vault.azure.net/" }, "resourceGroup": "cloud-shell-storage-westeurope", "systemData": { "createdAt": "2022-04-26T13:48:11.861000+00:00", "createdBy": "user@domain.com", "createdByType": "User", "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00", "lastModifiedBy": "user@domain.com", "lastModifiedByType": "User" }, "tags": {}, "type": "Microsoft.KeyVault/vaults" }
03 Run keyvault key create command (Windows/macOS/Linux) to create a new Azure customer-managed key (CMK), necessary to encrypt your Azure VM boot disk volume:
az keyvault key create --name cc-production-cmk --vault-name cc-prod-key-vault --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey --expires "2022-10-22T10:00:00Z" --protection software --disabled false --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
04 The command output should return the configuration information available for the new encryption key:
{ "attributes": { "created": "2022-04-26T13:53:44+00:00", "enabled": true, "expires": "2022-10-22T10:00:00+00:00", "exportable": null, "notBefore": null, "recoverableDays": 90, "recoveryLevel": "Recoverable", "updated": "2022-04-26T13:53:44+00:00" }, "key": { "crv": null, "d": null, "dp": null, "dq": null, "e": "AQAB", "k": null, "keyOps": [ "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey" ], "kid": "https://cc-prod-key-vault.vault.azure.net/keys/cc-production-cmk/abcdabcdabcdabcdabcdabcdabcdabcd", "kty": "RSA", "n": " ... ", "p": null, "q": null, "qi": null, "t": null, "x": null, "y": null }, "managed": null, "releasePolicy": null, "tags": null }
05 Run disk-encryption-set create command (Windows/macOS/Linux) to create an Azure disk encryption set using the ID of the newly created encryption key for the --key-url parameter:
az disk-encryption-set create --key-url https://cc-prod-key-vault.vault.azure.net/keys/cc-production-cmk/abcdabcdabcdabcdabcdabcdabcdabcd --name cc-prod-disk-encryption-set --resource-group cloud-shell-storage-westeurope --encryption-type EncryptionAtRestWithCustomerKey --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
06 The command output should return the configuration information available for the new disk encryption set:
{ "activeKey": { "keyUrl": "https://cc-prod-key-vault.vault.azure.net/keys/cc-production-cmk/abcdabcdabcdabcdabcdabcdabcdabcd", "sourceVault": null }, "encryptionType": "EncryptionAtRestWithCustomerKey", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskEncryptionSets/cc-prod-disk-encryption-set", "identity": { "principalId": "1234abcd-1234-abcd-1234-abcd1234abcd", "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "type": "SystemAssigned" }, "lastKeyRotationTimestamp": null, "location": "westeurope", "name": "cc-prod-disk-encryption-set", "previousKeys": null, "provisioningState": "Succeeded", "resourceGroup": "cloud-shell-storage-westeurope", "rotationToLatestKeyVersionEnabled": null, "tags": null, "type": "Microsoft.Compute/diskEncryptionSets" }
07 Run keyvault set-policy command (Windows/macOS/Linux) to update the security policy for the Azure key vault created previously, to assign the get, wrapKey, and unwrapKey key permissions to the policy principal (i.e. the new disk encryption set). The --object-id parameter value represents the principal ID of the new disk encryption set ("principalId" attribute value returned at the previous step):
az keyvault set-policy --name cc-prod-key-vault --resource-group cloud-shell-storage-westeurope --key-permissions get wrapKey unwrapKey --object-id 1234abcd-1234-abcd-1234-abcd1234abcd --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
08 The command output should return the configuration information available for the modified key vault:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault", "location": "westeurope", "name": "cc-prod-key-vault", "properties": { "accessPolicies": [ { "applicationId": null, "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "permissions": { "certificates": [ "all" ], "keys": [ "all" ], "secrets": [ "all" ], "storage": [ "all" ] }, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd" } ], "createMode": null, "enablePurgeProtection": true, "enableRbacAuthorization": null, "enableSoftDelete": true, "enabledForDeployment": false, "enabledForDiskEncryption": null, "enabledForTemplateDeployment": null, "hsmPoolResourceId": null, "networkAcls": null, "privateEndpointConnections": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "sku": { "family": "A", "name": "standard" }, "softDeleteRetentionInDays": 90, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "vaultUri": "https://cc-prod-key-vault.vault.azure.net/" }, "resourceGroup": "cloud-shell-storage-westeurope", "systemData": { "createdAt": "2022-04-26T13:48:11.861000+00:00", "createdBy": "user@domain.com", "createdByType": "User", "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00", "lastModifiedBy": "user@domain.com", "lastModifiedByType": "User" }, "tags": {}, "type": "Microsoft.KeyVault/vaults" }
09 Run vm deallocate command (Windows/macOS/Linux) to stop (deallocate) the Azure virtual machine (VM) that you want to encrypt using customer-managed keys (the command does not produce an output). IMPORTANT: Stopping (deallocating) a virtual machine used in production can cause loss of data and the release of the assigned IP address:
az vm deallocate --name cc-web-production-vm --no-wait --resource-group cloud-shell-storage-westeurope --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
10 Run disk update command (Windows/macOS/Linux) using the name of the Azure VM boot disk volume that you want to reconfigure as the identifier parameter, to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected OS disk volume:
az disk update --name cc-web-production-vm_OsDisk_1_abcdabcdabcd --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set cc-prod-disk-encryption-set --resource-group cloud-shell-storage-westeurope --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
11 If the command request was successful, the command output should return the configuration information available for the modified disk volume, as shown in the output example below:
{ "burstingEnabled": null, "completionPercent": null, "creationData": { "createOption": "FromImage", "galleryImageReference": null, "imageReference": { "id": "/Subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/Providers/Microsoft.Compute/Locations/westeurope/Publishers/canonical/ArtifactTypes/VMImage/Offers/0001-com-ubuntu-server-focal/Skus/20_04-lts-gen2/Versions/20.04.202204190", "lun": null }, "logicalSectorSize": null, "securityDataUri": null, "sourceResourceId": null, "sourceUniqueId": null, "sourceUri": null, "storageAccountId": null, "uploadSizeBytes": null }, "dataAccessAuthMode": null, "diskAccessId": null, "diskIopsReadOnly": null, "diskIopsReadWrite": 120, "diskMBpsReadOnly": null, "diskMBpsReadWrite": 25, "diskSizeBytes": 32213303296, "diskSizeGb": 30, "diskState": "Reserved", "encryption": { "diskEncryptionSetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/diskEncryptionSets/cc-prod-disk-encryption-set", "type": "EncryptionAtRestWithCustomerKey" }, "encryptionSettingsCollection": null, "extendedLocation": null, "hyperVGeneration": "V2", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-web-production-vm_OsDisk_1_abcdabcdabcd", "location": "westeurope", "managedBy": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm", "managedByExtended": null, "maxShares": null, "name": "cc-web-production-vm_OsDisk_1_abcdabcdabcd", "networkAccessPolicy": "AllowAll", "osType": "Linux", "propertyUpdatesInProgress": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "purchasePlan": null, "resourceGroup": "cloud-shell-storage-westeurope", "securityProfile": null, "shareInfo": null, "sku": { "name": "Premium_LRS", "tier": "Premium" }, "supportedCapabilities": { "acceleratedNetwork": true, "architecture": "x64" }, "supportsHibernation": null, "tags": null, "tier": "P4", "timeCreated": "2022-04-26T14:27:41.949818+00:00", "type": "Microsoft.Compute/disks", "uniqueId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "zones": null }
12 Run vm start command (Windows/macOS/Linux) to restart the virtual machine that manages the disk which you want to encrypt using Server-Side Encryption and customer-managed keys (the command does not produce an output):
az vm start --name cc-web-production-vm --no-wait --resource-group cloud-shell-storage-westeurope --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
13 Repeat step no. 9 – 12 for each Azure virtual machine provisioned within the current subscription.
14 Repeat steps no. 1 – 13 for each subscription available in your Microsoft Azure cloud account.
Case B: If the boot disk volumes attached to your Azure virtual machines (VMs) were encrypted using Azure Disk Encryption (ADE), the disk volumes can't be encrypted using customer-managed keys (CMKs). To implement Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the Azure VM boot disk volumes currently or previously encrypted using Azure Disk Encryption, you must re-create your virtual machines with the appropriate configuration and transfer the data from your existing machine. To relaunch your Azure VMs with Server-Side Encryption (SSE), perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults and choose + Create to create the Azure key vault that will store your customer-managed key (CMK).
03 On the Create a key vault setup page, perform the following actions:
- On the Basics panel, choose the appropriate subscription and pricing tier, provide a unique name for the new key vault, and select the Azure region and resource group where the vault will be deployed. (Optional) You can choose whether or not to enable purge protection and set the number of days to retain the deleted vault. Choose Next to continue the setup process.
- On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure to retrieve secrets from the vault and unwrap encryption keys. (Optional) You can choose + Add Access Policy to add additional access policies to the key vault. Choose Next to continue.
- On the Networking panel, configure the network access control for the key vault. You can connect to the new key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint. Choose Next to continue the setup.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Next to continue.
- On the Review + create panel, review the resource configuration details, then choose Create to create your new Microsoft Azure key vault.
04 Once the deployment process is complete, choose Go to resource to access the new key vault.
05 In the key vault navigation panel, under Settings, select Keys, then choose Generate/Import button to create the customer-managed key (CMK) required for the boot disk volume encryption.
06 On the Create a key setup page, provide a unique name for the new key in the Name box, choose an activation and/or expiration date for the resource, select Enabled for activation, then choose Create to generate your new customer-managed key (CMK).
07 Navigate to the Disk Encryption Sets blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FdiskEncryptionSets and click + Create to create a new disk encryption set.
08 On the Create a disk encryption set setup page, perform the following actions:
- On the Basics panel, configure the following parameters:
- Select the appropriate subscription, resource group, and region (must match your virtual machine location).
- Choose the encryption type that you want to use for your boot disk volumes, either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys.
- Select the Azure key vault, the key, and the key version (i.e. Current version) created at the previous steps.
- (Optional) Select Auto key rotation to automatically rotate the key to the latest key version.
- Choose Next : Tags > to continue.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the new key. Choose Next : Review + create > to continue.
- Select Review + create, validate the chosen parameters, and choose Create.
09 Once the deployment is complete, choose Go to resource. On the Overview page, you should see a red banner indicating that the associated key vault does not yet have permissions to access the new disk encryption set, prompting you to grant permissions. Click the arrow in the red banner to proceed. If needed, check the blade notification box from the top right to see a summary of the activity log and the notification that confirms the permission changes.
10 Navigate to the Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults, access the appropriate key vault, and choose Access policies in the vault navigation menu. Check for, or if needed, create an application-type permission for your new disk encryption set which includes the following key permissions: Get, Unwrap Key, and Wrap Key.
11 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.
12 Click on the name of the virtual machine (VM) that you want to re-create.
13 On the Overview page, collect the virtual machine configuration information such as location, operating system, VM generation and size, networking and disk details. The information collected at this step is required for virtual machine relaunch.
14 Navigate back to the Virtual machines blade, select + Create and choose Azure virtual machine to launch a new virtual machine.
15 On the Create a virtual machine setup page, perform the following actions:
- On the Basics panel, choose the appropriate subscription, provide a unique name for the new virtual machine (VM), select the Azure region and resource group where the VM resource will be provisioned, choose the VM size and operating system (OS) image, select the authentication type, and configure the inbound access to the virtual machine. All the settings configured at this step must match the information collected at step no. 13. Choose Next : Disks > to continue the creation process.
- On the Disks panel, choose the boot (OS) disk type required for the new virtual machine. Select either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys from the Encryption type dropdown list and choose the encryption set created at step no. 8 from the Disk encryption set dropdown list. This will enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the VM boot disk volume. (Optional) You can choose to attach new or existing data disks to your new virtual machine at this step. Choose Next : Networking > to continue.
- On the Networking panel, configure the network access control and load balancing for the VM according to the networking information collected at step no. 13. Choose Next : Management > to continue.
- On the Management panel, configure the monitoring and management options for your new VM. Select Next : Advanced > to continue the setup.
- On the Advanced panel, add additional configuration, agents, scripts or applications via virtual machine extensions or cloud-init. Choose Next : Tags > to continue.
- On the Tags panel, use the Name, Value and Resource fields to create tags that will help organize the identity of the virtual machine. Choose Next : Review + create > to continue.
- On the Review + create panel, review the resource configuration details, wait for setup validation to complete, then choose Create to create your new Azure virtual machine (VM).
- In the Generate new key pair confirmation box, choose Download private key and create resource to download and save the private key generated for the new virtual machine.
- Once the resource deployment is complete, choose Go to resource to access your new Azure VM.
16 Transfer the data from the source virtual machine to the new (destination) virtual machine encrypted with Server-Side Encryption (SSE) and customer-managed keys (CMKs). For example, follow these steps to copy a managed disk.
17 (Optional) You can terminate the source virtual machine (VM) in order to stop incurring charges for it. To delete the VM, perform the following actions:
- Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.
- Select the Azure virtual machine that you want to terminate and choose Delete.
- On the Delete Resources panel, type yes for confirmation in the Confirm delete box, select the name of your virtual machine from the Selected resources section, then choose Delete to terminate the selected VM.
18 Repeat steps no. 12 – 16 for each Azure virtual machine that you want to re-create, available in the selected subscription.
19 Repeat steps no. 1 – 17 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (CMK) will be placed. Make sure that you specify the Azure subscription that you want to use:
az keyvault create --name cc-prod-key-vault --resource-group cloud-shell-storage-westeurope --location westeurope --enable-purge-protection true --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
02 The command output should return the configuration information available for the new Azure key vault:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault", "location": "westeurope", "name": "cc-prod-key-vault", "properties": { "accessPolicies": [ { "applicationId": null, "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "permissions": { "certificates": [ "all" ], "keys": [ "all" ], "secrets": [ "all" ], "storage": [ "all" ] }, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd" } ], "createMode": null, "enablePurgeProtection": true, "enableRbacAuthorization": null, "enableSoftDelete": true, "enabledForDeployment": false, "enabledForDiskEncryption": null, "enabledForTemplateDeployment": null, "hsmPoolResourceId": null, "networkAcls": null, "privateEndpointConnections": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "sku": { "family": "A", "name": "standard" }, "softDeleteRetentionInDays": 90, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "vaultUri": "https://cc-prod-key-vault.vault.azure.net/" }, "resourceGroup": "cloud-shell-storage-westeurope", "systemData": { "createdAt": "2022-04-26T13:48:11.861000+00:00", "createdBy": "user@domain.com", "createdByType": "User", "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00", "lastModifiedBy": "user@domain.com", "lastModifiedByType": "User" }, "tags": {}, "type": "Microsoft.KeyVault/vaults" }
03 Run keyvault key create command (Windows/macOS/Linux) to create a new Azure customer-managed key (CMK), necessary to encrypt your Azure VM boot disk volume:
az keyvault key create --name cc-production-cmk --vault-name cc-prod-key-vault --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey --expires "2022-10-22T10:00:00Z" --protection software --disabled false --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
04 The command output should return the configuration information available for the new encryption key:
{ "attributes": { "created": "2022-04-26T13:53:44+00:00", "enabled": true, "expires": "2022-10-22T10:00:00+00:00", "exportable": null, "notBefore": null, "recoverableDays": 90, "recoveryLevel": "Recoverable", "updated": "2022-04-26T13:53:44+00:00" }, "key": { "crv": null, "d": null, "dp": null, "dq": null, "e": "AQAB", "k": null, "keyOps": [ "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey" ], "kid": "https://cc-prod-key-vault.vault.azure.net/keys/cc-production-cmk/abcdabcdabcdabcdabcdabcdabcdabcd", "kty": "RSA", "n": " ... ", "p": null, "q": null, "qi": null, "t": null, "x": null, "y": null }, "managed": null, "releasePolicy": null, "tags": null }
05 Run disk-encryption-set create command (Windows/macOS/Linux) to create an Azure disk encryption set using the ID of the newly created encryption key for the --key-url parameter:
az disk-encryption-set create --key-url https://cc-prod-key-vault.vault.azure.net/keys/cc-production-cmk/abcdabcdabcdabcdabcdabcdabcdabcd --name cc-prod-disk-encryption-set --resource-group cloud-shell-storage-westeurope --encryption-type EncryptionAtRestWithCustomerKey --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
06 The command output should return the configuration information available for the new disk encryption set:
{ "activeKey": { "keyUrl": "https://cc-prod-key-vault.vault.azure.net/keys/cc-production-cmk/abcdabcdabcdabcdabcdabcdabcdabcd", "sourceVault": null }, "encryptionType": "EncryptionAtRestWithCustomerKey", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskEncryptionSets/cc-prod-disk-encryption-set", "identity": { "principalId": "1234abcd-1234-abcd-1234-abcd1234abcd", "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "type": "SystemAssigned" }, "lastKeyRotationTimestamp": null, "location": "westeurope", "name": "cc-prod-disk-encryption-set", "previousKeys": null, "provisioningState": "Succeeded", "resourceGroup": "cloud-shell-storage-westeurope", "rotationToLatestKeyVersionEnabled": null, "tags": null, "type": "Microsoft.Compute/diskEncryptionSets" }
07 Run keyvault set-policy command (Windows/macOS/Linux) to update the security policy for the Azure key vault created previously, to assign the get, wrapKey, and unwrapKey key permissions to the policy principal (i.e. the new disk encryption set). The --object-id parameter value represents the principal ID of the new disk encryption set ("principalId" attribute value returned at the previous step):
az keyvault set-policy --name cc-prod-key-vault --resource-group cloud-shell-storage-westeurope --key-permissions get wrapKey unwrapKey --object-id 1234abcd-1234-abcd-1234-abcd1234abcd --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
08 The command output should return the configuration information available for the modified key vault:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault", "location": "westeurope", "name": "cc-prod-key-vault", "properties": { "accessPolicies": [ { "applicationId": null, "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "permissions": { "certificates": [ "all" ], "keys": [ "all" ], "secrets": [ "all" ], "storage": [ "all" ] }, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd" } ], "createMode": null, "enablePurgeProtection": true, "enableRbacAuthorization": null, "enableSoftDelete": true, "enabledForDeployment": false, "enabledForDiskEncryption": null, "enabledForTemplateDeployment": null, "hsmPoolResourceId": null, "networkAcls": null, "privateEndpointConnections": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "sku": { "family": "A", "name": "standard" }, "softDeleteRetentionInDays": 90, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "vaultUri": "https://cc-prod-key-vault.vault.azure.net/" }, "resourceGroup": "cloud-shell-storage-westeurope", "systemData": { "createdAt": "2022-04-26T13:48:11.861000+00:00", "createdBy": "user@domain.com", "createdByType": "User", "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00", "lastModifiedBy": "user@domain.com", "lastModifiedByType": "User" }, "tags": {}, "type": "Microsoft.KeyVault/vaults" }
09 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine (VM) that you want to re-create as the identifier parameter, to describe the configuration information available for the selected virtual machine:
az vm show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm"
10 The command output should return the requested configuration information. Collect the configuration information such as location, operating system, VM generation and size, networking and disk details. The information collected at this step is required for virtual machine relaunch:
{ "additionalCapabilities": null, "applicationProfile": null, "availabilitySet": null, "billingProfile": null, "capacityReservation": null, "diagnosticsProfile": { "bootDiagnostics": { "enabled": true, "storageUri": null } }, "evictionPolicy": null, "extendedLocation": null, "extensionsTimeBudget": null, "hardwareProfile": { "vmSize": "Standard_B1ls", "vmSizeProperties": null }, "host": null, "hostGroup": null, "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm", "identity": null, "instanceView": null, "licenseType": null, "location": "westeurope", "name": "cc-web-production-vm", "networkProfile": { "networkApiVersion": null, "networkInterfaceConfigurations": null, "networkInterfaces": [ { "deleteOption": "Detach", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-web-production405", "primary": null, "resourceGroup": "cloud-shell-storage-westeurope" } ] }, "osProfile": { "adminPassword": null, "adminUsername": "azureuser", "allowExtensionOperations": true, "computerName": "cc-web-production-vm", "customData": null, "linuxConfiguration": { "disablePasswordAuthentication": true, "enableVMAgentPlatformUpdates": false, "patchSettings": { "assessmentMode": "ImageDefault", "patchMode": "ImageDefault" }, "provisionVmAgent": true, "ssh": { "publicKeys": [ { "keyData": " ... ", "path": "/home/azureuser/.ssh/authorized_keys" } ] } }, "requireGuestProvisionSignal": true, "secrets": [], "windowsConfiguration": null }, "plan": null, "platformFaultDomain": null, "priority": null, "provisioningState": "Updating", "proximityPlacementGroup": null, "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE", "resources": [ { "autoUpgradeMinorVersion": true, "enableAutomaticUpgrade": null, "forceUpdateTag": "1.0", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-production-vm/extensions/AzureDiskEncryptionForLinux", "instanceView": null, "location": "westeurope", "name": "AzureDiskEncryptionForLinux", "protectedSettings": null, "protectedSettingsFromKeyVault": null, "provisioningState": "Creating", "publisher": "Microsoft.Azure.Security", "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE", "settings": { "EncryptionOperation": "EnableEncryption", "KekVaultResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault", "KeyEncryptionAlgorithm": "RSA-OAEP", "KeyEncryptionKeyURL": "https://cc-prod-key-vault.vault.azure.net/keys/cc-production-cmk/abcdabcdabcdabcdabcdabcdabcdabcd", "KeyVaultResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-prod-key-vault", "KeyVaultURL": "https://cc-prod-key-vault.vault.azure.net/", "VolumeType": "OS" }, "suppressFailures": null, "tags": null, "type": "Microsoft.Compute/virtualMachines/extensions", "typeHandlerVersion": "1.1", "typePropertiesType": "AzureDiskEncryptionForLinux" } ], "scheduledEventsProfile": null, "securityProfile": null, "storageProfile": { "dataDisks": [], "imageReference": { "communityGalleryImageId": null, "exactVersion": "18.04.202204190", "id": null, "offer": "UbuntuServer", "publisher": "Canonical", "sharedGalleryImageId": null, "sku": "18_04-lts-gen2", "version": "latest" }, "osDisk": { "caching": "ReadWrite", "createOption": "FromImage", "deleteOption": "Delete", "diffDiskSettings": null, "diskSizeGb": 30, "encryptionSettings": null, "image": null, "managedDisk": { "diskEncryptionSet": null, "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-web-production-vm_OsDisk_1_abcdabcdabcd", "resourceGroup": "cloud-shell-storage-westeurope", "securityProfile": null, "storageAccountType": "Premium_LRS" }, "name": "cc-web-production-vm_OsDisk_1_abcdabcdabcd", "osType": "Linux", "vhd": null, "writeAcceleratorEnabled": null } }, "tags": null, "timeCreated": "2021-09-20T18:08:39.137795+00:00", "type": "Microsoft.Compute/virtualMachines", "userData": null, "virtualMachineScaleSet": null, "vmId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "zones": null }
11 Run vm create command (Windows/macOS/Linux) to launch a new Azure virtual machine (VM) with Server-Side Encryption (SSE) and customer-managed keys (CMKs) for the boot disk volume, using the configuration information returned at the previous step. Specify the name of the Azure disk encryption set created earlier in the Remediation section as the value of the --os-disk-encryption-set parameter:
az vm create --name cc-web-production-cmk-encrypted --location westeurope --image UbuntuLTS --size Standard_B1ls --authentication-type ssh --admin-username azureuser --ssh-key-name cc-production-vm_key --os-disk-encryption-set cc-prod-disk-encryption-set --resource-group cloud-shell-storage-westeurope --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
12 If the command request was successful and the VM resource has been created, the command output should return the following configuration information:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-web-production-cmk-encrypted", "location": "westeurope", "macAddress": "AA-BB-CC-11-22-33", "powerState": "VM running", "privateIpAddress": "10.0.0.5", "publicIpAddress": "XXX.XXX.XXX.XXX", "resourceGroup": "cloud-shell-storage-westeurope", "zones": "" }
13 Transfer the data from the source virtual machine to the new (destination) virtual machine encrypted with Server-Side Encryption (SSE) and customer-managed keys (CMKs). For example, follow these steps to copy a managed disk.
14 (Optional) You can terminate the source virtual machine (VM) in order to stop incurring charges for the resource. To delete the source VM, run vm delete command (Windows/macOS/Linux) as shown in the following example:
az vm delete --name cc-web-production-vm --resource-group cloud-shell-storage-westeurope --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
15 Type y (yes) and press Enter to confirm the virtual machine (VM) deletion:
Are you sure you want to perform this operation? (y/n): y
16 Repeat step no. 9 – 13 for each Azure virtual machine that you want to re-create, available within the current subscription.
17 Repeat steps no. 1 – 16 for each subscription available in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- Server-side encryption of Azure Disk Storage
- Overview of managed disk encryption options
- Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks
- Use the Azure CLI to enable server-side encryption with customer-managed keys for managed disks
- Upload a VHD to Azure or copy a managed disk to another region - Azure CLI
- Azure Command Line Interface (CLI) Documentation
- az vm list
- az vm show
- az disk show
- az keyvault create
- az keyvault key create
- az disk-encryption-set create
- az keyvault set-policy
- az vm deallocate
- az disk update
- az vm start
- az vm create
- az vm delete
Related VirtualMachines rules
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Server Side Encryption for Boot Disk using CMK
Risk Level: High