
Server Side Encryption for Non-Boot Disk using CMK

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-038

Microsoft Azure provides multiple distinct layers of encryption protection for virtual machine (VM) managed disks. VM managed disks are encrypted with Azure Storage encryption, also known as Server-Side Encryption (SSE), using platform-managed keys (PMK), to protect your data at rest and help you meet your organizational security and compliance commitments. By default, VM managed disk volumes (OS and data disk volumes) use platform-managed encryption keys. However, in order to have a more granular control over your data encryption/decryption process, it is highly recommended to use your own keys (CMKs) instead of platform-managed keys (PMKs) for data (non-boot) disk volume encryption.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When you create and use your own customer-managed keys (CMKs) for Azure VM non-boot disk volumes, you gain full control over who can use the encryption keys and who can access the data encrypted on your data disk volumes. Because the data on those volumes is unrecoverable without the key, encrypting your Azure VM data disk volumes with CMKs protects them from unwarranted reads.


Audit

To determine if your Azure VM data disk volumes are encrypted with customer-managed keys (CMKs), perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 Select Virtual machine from the Type filter box and choose Apply to list all the virtual machines provisioned within the selected subscription.

05 Click on the name of the virtual machine (VM) that you want to examine.

06 In the VM navigation panel, under Settings, select Disks to view the data disk volumes currently attached to the selected virtual machine.

07 On the Disks overview page, in the Data disks section, check the encryption configuration status available for the data disk volumes, listed in the Encryption column. If the encryption status is set to SSE with PMK, Microsoft Azure Storage encryption is using platform-managed keys (PMKs) instead of customer-managed keys (CMKs) to encrypt the data (non-boot) disk volumes attached to the selected virtual machine.

08 Repeat steps no. 5 – 7 for each Azure virtual machine available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each Azure virtual machine (VM) provisioned in the current subscription:

az vm list \
  --query '[*].id'

02 The command output should return the requested VM resource identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-application-vm",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-development-vm"
]

03 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine (VM) that you want to examine as the identifier parameter, to describe the ID of each data disk volume attached to the selected virtual machine:

az vm show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-application-vm" \
  --query 'storageProfile.dataDisks[*].managedDisk.id'

04 The command output should return an array with the requested resource identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-web-application-vm_DataDisk_1"
]

05 Run disk show command (Windows/macOS/Linux) using the ID of the Azure VM data disk volume that you want to examine as the identifier parameter, to describe the URL of the customer-managed key (CMK) configured for the data disk volume encryption:

az disk show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-web-application-vm_DataDisk_1" \
  --query encryption

06 The command output should return the disk encryption settings, including the encryption type and disk encryption set details (if applicable):

{
  "diskEncryptionSetId": null,
  "type": "EncryptionAtRestWithPlatformKey"
}

If the disk show command output returns encryption.type as EncryptionAtRestWithPlatformKey, Microsoft Azure Storage encryption is not using a customer-managed key (CMK) to encrypt the data (non-boot) disk volume attached to the selected virtual machine.

07 Repeat steps no. 5 and 6 for each data disk volume attached to the selected virtual machine.

08 Repeat steps no. 3 – 7 for each Azure virtual machine provisioned within the current subscription.

09 Repeat steps no. 1 – 8 for each subscription available in your Microsoft Azure cloud account.
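The Azure CLI audit above can be scripted so that every data disk in a subscription is checked in one pass. The following is an added example, not code from this Conformity page, from Trend Micro or from Microsoft: it issues the same three commands (az vm list, az vm show, az disk show) through subprocess and applies the rule's decision to their JSON output. It also separates the two non-compliant situations the Remediation section distinguishes: SSE with platform-managed keys (Case A) and disks that carry Azure Disk Encryption settings in encryptionSettingsCollection (Case B). The sample inventory at the bottom is constructed to mirror the output shapes shown on this page, with a placeholder subscription ID, so the decision logic runs without an Azure subscription.

```python
"""Audit Azure VM data (non-boot) disks for SSE with customer-managed keys.

Added example; not code from the Conformity page, Trend Micro or Microsoft.
"""
import json
import subprocess

# Encryption types that satisfy the rule: SSE with a customer-managed key, with or
# without the extra platform-managed layer (double encryption).
CMK_TYPES = {"EncryptionAtRestWithCustomerKey",
             "EncryptionAtRestWithPlatformAndCustomerKeys"}


def classify_disk(disk):
    """Classify one `az disk show` record.

    COMPLIANT      encryption.type is one of CMK_TYPES
    NON_COMPLIANT  SSE with platform-managed keys only (Case A on the page)
    ADE            Azure Disk Encryption in use (encryptionSettingsCollection is
                   populated); such disks cannot be switched with `az disk update`
                   and fall under Case B
    """
    if disk.get("encryptionSettingsCollection"):
        return "ADE"
    encryption = disk.get("encryption") or {}
    return "COMPLIANT" if encryption.get("type") in CMK_TYPES else "NON_COMPLIANT"


def az(*args):
    """Run one Azure CLI command (a logged-in `az` is required) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def audit_subscription(subscription, run=az):
    """Return (vm_id, disk_id, verdict) for every data disk of every VM in the subscription.

    `run` is the command runner; pass a stand-in (see fake_az below) to work offline.
    """
    findings = []
    for vm_id in run("vm", "list", "--subscription", subscription, "--query", "[*].id"):
        disk_ids = run("vm", "show", "--ids", vm_id,
                       "--query", "storageProfile.dataDisks[*].managedDisk.id") or []
        for disk_id in disk_ids:
            verdict = classify_disk(run("disk", "show", "--ids", disk_id))
            findings.append((vm_id, disk_id, verdict))
    return findings


def non_compliant(findings):
    """Disk IDs that still need remediation (PMK-only and ADE disks alike)."""
    return [disk_id for _, disk_id, verdict in findings if verdict != "COMPLIANT"]


# ---- constructed sample inventory (placeholder subscription ID, not a real one) ----
RES_PREFIX = "/subscriptions/<subscription-id>/resourceGroups/rg/providers/Microsoft.Compute/"
SAMPLE_DISKS = {
    RES_PREFIX + "disks/app-vm_DataDisk_1": {       # SSE with PMK: finding (Case A)
        "encryption": {"diskEncryptionSetId": None, "type": "EncryptionAtRestWithPlatformKey"},
        "encryptionSettingsCollection": None},
    RES_PREFIX + "disks/app-vm_DataDisk_2": {       # SSE with CMK: compliant
        "encryption": {"diskEncryptionSetId": RES_PREFIX + "diskEncryptionSets/cc-app-des",
                       "type": "EncryptionAtRestWithCustomerKey"},
        "encryptionSettingsCollection": None},
    RES_PREFIX + "disks/dev-vm_DataDisk_1": {       # ADE: VM must be re-created (Case B)
        "encryption": {"diskEncryptionSetId": None, "type": "EncryptionAtRestWithPlatformKey"},
        "encryptionSettingsCollection": {"enabled": True, "encryptionSettings": []}},
}
SAMPLE_VMS = {
    RES_PREFIX + "virtualMachines/app-vm": [RES_PREFIX + "disks/app-vm_DataDisk_1",
                                            RES_PREFIX + "disks/app-vm_DataDisk_2"],
    RES_PREFIX + "virtualMachines/dev-vm": [RES_PREFIX + "disks/dev-vm_DataDisk_1"],
}


def fake_az(*args):
    """Stand-in for `az` that answers from the constructed sample inventory above."""
    if args[:2] == ("vm", "list"):
        return list(SAMPLE_VMS)
    if args[:2] == ("vm", "show"):
        return SAMPLE_VMS[args[3]]
    if args[:2] == ("disk", "show"):
        return SAMPLE_DISKS[args[3]]
    raise ValueError(f"unexpected command: {args}")


if __name__ == "__main__":
    # Swap fake_az for the default runner to audit a real subscription.
    for vm_id, disk_id, verdict in audit_subscription("<subscription-id>", run=fake_az):
        print(f"{verdict:<14} {vm_id.rsplit('/', 1)[1]:<8} {disk_id.rsplit('/', 1)[1]}")
```

Run it as-is to see the three verdicts on the sample data; replace run=fake_az with the default runner to audit a real subscription. Treating a populated encryptionSettingsCollection as ADE is what routes those disks to Case B rather than to a doomed az disk update.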

Remediation / Resolution

Case A: If the data disk volumes attached to your Azure virtual machines (VMs) were not encrypted using Azure Disk Encryption (ADE), you can use customer-managed keys (CMKs) for Server-Side Encryption (SSE). To encrypt the data available on your Azure VM data disk volumes using your own customer-managed keys (CMKs), perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults and choose + Create to create the Azure key vault that will store your customer-managed key (CMK).

03 On the Create a key vault setup page, perform the following operations:

  1. On the Basics panel, choose the appropriate subscription and pricing tier, provide a unique name for the new key vault, and select the Azure region and resource group where the vault will be deployed. (Optional) You can choose whether or not to enable purge protection and set the number of days to retain the deleted vault. Choose Next to continue the setup process.
  2. On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure to retrieve secrets from the vault and unwrap encryption keys. (Optional) You can choose + Add Access Policy to add additional access policies to the key vault. Choose Next to continue.
  3. On the Networking panel, configure the network access control for the key vault. You can connect to the new key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint. Choose Next to continue the setup.
  4. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Next to continue.
  5. On the Review + create panel, review the resource configuration details, then choose Create to create your new Microsoft Azure key vault.

04 Once the deployment process is complete, choose Go to resource to access the new key vault.

05 In the key vault navigation panel, under Settings, select Keys, then choose Generate/Import button to create the customer-managed key (CMK) required for the data disk volume encryption.

06 On the Create a key setup page, provide a unique name for the new key in the Name box, choose an activation and/or expiration date for the resource, select Enabled for activation, then choose Create to generate your new customer-managed key (CMK).

07 Navigate to the Disk Encryption Sets blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FdiskEncryptionSets and click + Create to create a new disk encryption set.

08 On the Create a disk encryption set setup page, perform the following operations:

  1. On the Basics panel, configure the following parameters:
    • Select the appropriate subscription, resource group, and location/region (must match your virtual machine location).
    • Choose the encryption type that you want to use for your data disk volumes, either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys.
    • Select the Azure key vault, the key, and the key version (i.e. Current version) created at the previous steps.
    • (Optional) Select Auto key rotation to automatically rotate the key to the latest key version.
    • Choose Next : Tags > to continue.
  2. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the new key. Choose Next : Review + create > to continue.
  3. Select Review + create, validate the chosen parameters, and choose Create.

09 Once the deployment is complete, choose Go to resource. On the Overview page, you should see a red banner indicating that the associated key vault does not yet have permissions to access the new disk encryption set, prompting you to grant permissions. Click the arrow in the red banner to proceed. If needed, check the blade notification box from the top right to see a summary of the activity log and the notification that confirms the permission changes.

10 Navigate to the Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults, access the appropriate key vault, and choose Access policies in the vault navigation menu. Check for, or if needed, create an application-type permission for your new disk encryption set which includes the following key permissions: Get, Unwrap Key, and Wrap Key.

11 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.

12 Click on the name of the virtual machine (VM) that you want to reconfigure.

13 On the Overview page, choose Stop from the top menu to stop the selected VM.

14 Within the Stop this virtual machine confirmation box, select Do you want to reserve the Public IP address? checkbox to reserve the allocated IP address, then choose OK for confirmation. Once the VM status becomes Stopped (deallocated), continue with the next step.

15 In the navigation panel, under Settings, select Disks to view the virtual machine's managed disks.

16 On the Disks overview page, in the Data disks section, click on the name of the data disk volume that you want to reconfigure, attached to the selected virtual machine.

17 In the disk navigation panel, under Settings, choose Encryption to access the Server-Side Encryption (SSE) settings available for the selected disk volume.

18 On the Encryption page, select either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys from the Encryption type dropdown list and choose the encryption set created earlier in the Remediation process from the Disk encryption set dropdown list. Choose Save to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected data (non-boot) disk volume.

19 Repeat steps no. 16 – 18 for each data disk volume attached to the selected virtual machine.

20 Navigate back to the Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.

21 Click on the name of the stopped (deallocated) virtual machine.

22 On the Overview page, choose Start from the top menu to restart the selected virtual machine (VM).

23 Repeat steps no. 12 – 22 for each Azure virtual machine available in the selected subscription.

24 Repeat steps no. 1 – 23 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

Note: Changes to encryption settings can only be made when the data disk is unattached or the managing virtual machine is deallocated. The deallocation process will release any public IP addresses associated with the VM.

01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (CMK) will be placed. Make sure that you specify the Azure subscription that you want to use:

az keyvault create \
  --name cc-application-key-vault \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --enable-purge-protection true \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

02 The command output should return the configuration information available for the new Azure key vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
  "location": "westeurope",
  "name": "cc-application-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "all"
          ],
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "storage": [
            "all"
          ]
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-application-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": {
    "createdAt": "2022-04-26T13:48:11.861000+00:00",
    "createdBy": "user@domain.com",
    "createdByType": "User",
    "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00",
    "lastModifiedBy": "user@domain.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run keyvault key create command (Windows/macOS/Linux) to create a new Azure customer-managed key (CMK), necessary to encrypt your Azure VM data disk volume:

az keyvault key create \
  --name cc-application-cmk \
  --vault-name cc-application-key-vault \
  --kty RSA \
  --size 2048 \
  --ops decrypt encrypt sign unwrapKey verify wrapKey \
  --expires "2022-10-22T10:00:00Z" \
  --protection software \
  --disabled false \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

04 The command output should return the configuration information available for the new encryption key:

{
  "attributes": {
    "created": "2022-04-26T13:53:44+00:00",
    "enabled": true,
    "expires": "2022-10-22T10:00:00+00:00",
    "exportable": null,
    "notBefore": null,
    "recoverableDays": 90,
    "recoveryLevel": "Recoverable",
    "updated": "2022-04-26T13:53:44+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "decrypt",
      "encrypt",
      "sign",
      "unwrapKey",
      "verify",
      "wrapKey"
    ],
    "kid": "https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/abcdabcdabcdabcdabcdabcdabcdabcd",
    "kty": "RSA",
    "n": " ... ",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "releasePolicy": null,
  "tags": null
}

05 Run disk-encryption-set create command (Windows/macOS/Linux) to create an Azure disk encryption set using the ID of the newly created encryption key for the --key-url parameter:

az disk-encryption-set create \
  --key-url https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/abcdabcdabcdabcdabcdabcdabcdabcd \
  --name cc-app-disk-encryption-set \
  --resource-group cloud-shell-storage-westeurope \
  --encryption-type EncryptionAtRestWithCustomerKey \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

06 The command output should return the configuration information available for the new disk encryption set:

{
  "activeKey": {
    "keyUrl": "https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/abcdabcdabcdabcdabcdabcdabcdabcd",
    "sourceVault": null
  },
  "encryptionType": "EncryptionAtRestWithCustomerKey",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskEncryptionSets/cc-app-disk-encryption-set",
  "identity": {
    "principalId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "type": "SystemAssigned"
  },
  "lastKeyRotationTimestamp": null,
  "location": "westeurope",
  "name": "cc-app-disk-encryption-set",
  "previousKeys": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "rotationToLatestKeyVersionEnabled": null,
  "tags": null,
  "type": "Microsoft.Compute/diskEncryptionSets"
}

07 Run keyvault set-policy command (Windows/macOS/Linux) to update the security policy for the Azure key vault created previously, to assign the get, wrapKey, and unwrapKey key permissions to the policy principal (i.e. the new disk encryption set). The --object-id parameter value represents the principal ID of the new disk encryption set ("principalId" attribute value returned at the previous step):

az keyvault set-policy \
  --name cc-application-key-vault \
  --resource-group cloud-shell-storage-westeurope \
  --key-permissions get wrapKey unwrapKey \
  --object-id 1234abcd-1234-abcd-1234-abcd1234abcd \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

08 The command output should return the configuration information available for the modified key vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
  "location": "westeurope",
  "name": "cc-application-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "all"
          ],
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "storage": [
            "all"
          ]
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-application-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": {
    "createdAt": "2022-04-26T13:48:11.861000+00:00",
    "createdBy": "user@domain.com",
    "createdByType": "User",
    "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00",
    "lastModifiedBy": "user@domain.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

09 Run vm deallocate command (Windows/macOS/Linux) to stop (deallocate) the Azure virtual machine (VM) that you want to encrypt using customer-managed keys (the command does not produce an output). IMPORTANT: Stopping (deallocating) a virtual machine used in production can cause loss of data and the release of the assigned IP address:

az vm deallocate \
  --name cc-web-application-vm \
  --no-wait \
  --resource-group cloud-shell-storage-westeurope \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

10 Run disk update command (Windows/macOS/Linux) using the name of the Azure VM data disk volume that you want to reconfigure as the identifier parameter, to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected non-boot disk volume:

az disk update \
  --name cc-web-application-vm_DataDisk_1 \
  --encryption-type EncryptionAtRestWithCustomerKey \
  --disk-encryption-set cc-app-disk-encryption-set \
  --resource-group cloud-shell-storage-westeurope \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

11 If the command request was successful, the command output should return the configuration information available for the modified disk volume, as shown in the output example below:

{
  "burstingEnabled": null,
  "completionPercent": null,
  "creationData": {
    "createOption": "FromImage",
    "galleryImageReference": null,
    "imageReference": {
      "id": "/Subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/Providers/Microsoft.Compute/Locations/westeurope/Publishers/canonical/ArtifactTypes/VMImage/Offers/0001-com-ubuntu-server-focal/Skus/20_04-lts-gen2/Versions/20.04.202204190",
      "lun": null
    },
    "logicalSectorSize": null,
    "securityDataUri": null,
    "sourceResourceId": null,
    "sourceUniqueId": null,
    "sourceUri": null,
    "storageAccountId": null,
    "uploadSizeBytes": null
  },
  "dataAccessAuthMode": null,
  "diskAccessId": null,
  "diskIopsReadOnly": null,
  "diskIopsReadWrite": 120,
  "diskMBpsReadOnly": null,
  "diskMBpsReadWrite": 25,
  "diskSizeBytes": 32213303296,
  "diskSizeGb": 30,
  "diskState": "Reserved",
  "encryption": {
    "diskEncryptionSetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/diskEncryptionSets/cc-app-disk-encryption-set",
    "type": "EncryptionAtRestWithCustomerKey"
  },
  "encryptionSettingsCollection": null,
  "extendedLocation": null,
  "hyperVGeneration": "V2",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-web-application-vm_DataDisk_1",
  "location": "westeurope",
  "managedBy": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-web-application-vm",
  "managedByExtended": null,
  "maxShares": null,
  "name": "cc-web-application-vm_DataDisk_1",
  "networkAccessPolicy": "AllowAll",
  "propertyUpdatesInProgress": null,
  "provisioningState": "Succeeded",
  "publicNetworkAccess": "Enabled",
  "purchasePlan": null,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "securityProfile": null,
  "shareInfo": null,
  "sku": {
    "name": "Premium_LRS",
    "tier": "Premium"
  },
  "supportedCapabilities": {
    "acceleratedNetwork": true,
    "architecture": "x64"
  },
  "supportsHibernation": null,
  "tags": null,
  "tier": "P4",
  "timeCreated": "2022-04-27T11:20:40.949818+00:00",
  "type": "Microsoft.Compute/disks",
  "uniqueId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "zones": null
}

12 Repeat steps no. 10 and 11 for each data disk volume attached to the selected virtual machine.

13 Run vm start command (Windows/macOS/Linux) to restart the virtual machine that manages the disk which you want to encrypt using Server-Side Encryption and customer-managed keys (the command does not produce an output):

az vm start \
  --name cc-web-application-vm \
  --no-wait \
  --resource-group cloud-shell-storage-westeurope \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

14 Repeat steps no. 9 – 13 for each Azure virtual machine provisioned within the current subscription.

15 Repeat steps no. 1 – 14 for each subscription available in your Microsoft Azure cloud account.
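Steps 05 to 13 of the Case A CLI procedure are easy to script, and a script exposes two details the manual steps leave to the operator: the principalId returned by disk-encryption-set create has to be fed into keyvault set-policy with only the get, wrapKey and unwrapKey key permissions, and because vm deallocate is issued with --no-wait, disk update must not run until the VM actually reports PowerState/deallocated (an attached disk on a running VM cannot be reconfigured, as the note above states). The following is an added example, not code from this Conformity page, from Trend Micro or from Microsoft; resource names follow the page's samples, the subscription ID and key version are placeholders, and the FakeAz class is a constructed stand-in for the CLI so the command sequencing can be checked without an Azure subscription. The key vault and key creation (steps 01 to 04) are left to the commands shown above.

```python
"""Case A remediation, scripted for one VM: move its data disks to SSE with a CMK.

Added example; not code from the Conformity page, Trend Micro or Microsoft.
"""
import json
import subprocess
import time

CMK_TYPE = "EncryptionAtRestWithCustomerKey"


def az(*args):
    """Run one Azure CLI command (a logged-in `az` is required) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def create_des_with_vault_access(vault, rg, sub, des_name, key_url, run=az):
    """Steps 05-07: create the disk encryption set and grant it only the key rights it needs.
    Returns the DES resource ID; `az disk update --disk-encryption-set` accepts an ID."""
    des = run("disk-encryption-set", "create", "--name", des_name, "--resource-group", rg,
              "--subscription", sub, "--key-url", key_url, "--encryption-type", CMK_TYPE)
    run("keyvault", "set-policy", "--name", vault, "--resource-group", rg, "--subscription", sub,
        "--object-id", des["identity"]["principalId"],
        "--key-permissions", "get", "wrapKey", "unwrapKey")
    return des["id"]


def wait_until_deallocated(vm, rg, sub, run=az, sleep=time.sleep, poll=10, attempts=60):
    """Poll the instance view until the VM reports PowerState/deallocated."""
    for _ in range(attempts):
        codes = run("vm", "get-instance-view", "--name", vm, "--resource-group", rg,
                    "--subscription", sub, "--query", "instanceView.statuses[].code")
        if "PowerState/deallocated" in codes:
            return True
        sleep(poll)
    return False


def remediate_vm(vm, rg, sub, des_id, run=az, sleep=time.sleep):
    """Steps 09-13: deallocate, move every data disk to the DES, start the VM again.
    Returns the IDs of the disks that now report SSE with CMK."""
    disk_ids = run("vm", "show", "--name", vm, "--resource-group", rg, "--subscription", sub,
                   "--query", "storageProfile.dataDisks[*].managedDisk.id") or []
    if not disk_ids:
        return []                       # nothing to re-encrypt, so do not stop the VM
    run("vm", "deallocate", "--name", vm, "--resource-group", rg, "--subscription", sub, "--no-wait")
    if not wait_until_deallocated(vm, rg, sub, run=run, sleep=sleep):
        raise RuntimeError(f"{vm} never reached PowerState/deallocated; disks left unchanged")
    updated = []
    for disk_id in disk_ids:
        disk = run("disk", "update", "--ids", disk_id,
                   "--encryption-type", CMK_TYPE, "--disk-encryption-set", des_id)
        if disk["encryption"]["type"] != CMK_TYPE:      # verify, do not assume
            raise RuntimeError(f"{disk_id}: encryption.type is {disk['encryption']['type']}")
        updated.append(disk_id)
    run("vm", "start", "--name", vm, "--resource-group", rg, "--subscription", sub)
    return updated


class FakeAz:
    """Constructed stand-in for `az`: records every call and answers with page-shaped JSON.
    The VM reports running on the first poll and deallocated on the second."""
    PREFIX = ("/subscriptions/<subscription-id>/resourceGroups/cloud-shell-storage-westeurope"
              "/providers/Microsoft.Compute/")

    def __init__(self):
        self.calls, self.polls = [], 0

    def __call__(self, *args):
        self.calls.append(args)
        cmd = args[:2]
        if cmd == ("disk-encryption-set", "create"):
            return {"id": self.PREFIX + "diskEncryptionSets/cc-app-disk-encryption-set",
                    "identity": {"principalId": "<des-principal-id>"}}
        if cmd == ("vm", "show"):
            return [self.PREFIX + "disks/cc-web-application-vm_DataDisk_1"]
        if cmd == ("vm", "get-instance-view"):
            self.polls += 1
            state = "PowerState/deallocated" if self.polls >= 2 else "PowerState/running"
            return ["ProvisioningState/succeeded", state]
        if cmd == ("disk", "update"):
            return {"encryption": {"diskEncryptionSetId": args[7], "type": CMK_TYPE}}
        return None                     # deallocate, start and set-policy output is not needed


def dry_run():
    """Drive the whole flow against FakeAz; returns the ordered az sub-commands issued."""
    fake = FakeAz()
    des_id = create_des_with_vault_access(
        "cc-application-key-vault", "cloud-shell-storage-westeurope", "<subscription-id>",
        "cc-app-disk-encryption-set",
        "https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/<key-version>",
        run=fake)
    remediate_vm("cc-web-application-vm", "cloud-shell-storage-westeurope", "<subscription-id>",
                 des_id, run=fake, sleep=lambda _: None)
    return [" ".join(c[:2]) for c in fake.calls]


if __name__ == "__main__":
    print("\n".join(dry_run()))
```

Running the file prints the command order the script would issue, with disk update appearing only after the instance view has confirmed deallocation. For a real run, call the two functions with run=az (the default) and your own vault, key URL and subscription.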

Case B: If the data disk volumes attached to your Azure virtual machines (VMs) were encrypted using Azure Disk Encryption (ADE), the disk volumes can't be encrypted using customer-managed keys (CMKs). To implement Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the Azure VM data disk volumes currently or previously encrypted using Azure Disk Encryption, you must re-create your virtual machines with the appropriate configuration and transfer the data from your existing machine. To relaunch your Azure VMs with Server-Side Encryption (SSE), perform the following actions:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults and choose + Create to create the Azure key vault that will store your customer-managed key (CMK).

03 On the Create a key vault setup page, perform the following actions:

  1. On the Basics panel, choose the appropriate subscription and pricing tier, provide a unique name for the new key vault, and select the Azure region and resource group where the vault will be deployed. (Optional) You can choose whether or not to enable purge protection and set the number of days to retain the deleted vault. Choose Next to continue the setup process.
  2. On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure to retrieve secrets from the vault and unwrap encryption keys. (Optional) You can choose + Add Access Policy to add additional access policies to the key vault. Choose Next to continue.
  3. On the Networking panel, configure the network access control for the key vault. You can connect to the new key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint. Choose Next to continue the setup.
  4. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Next to continue.
  5. On the Review + create panel, review the resource configuration details, then choose Create to create your new Microsoft Azure key vault.

04 Once the deployment process is complete, choose Go to resource to access the new key vault.

05 In the key vault navigation panel, under Settings, select Keys, then choose Generate/Import button to create the customer-managed key (CMK) required for the data disk volume encryption.

06 On the Create a key setup page, provide a unique name for the new key in the Name box, choose an activation and/or expiration date for the resource, select Enabled for activation, then choose Create to generate your new customer-managed key (CMK).

07 Navigate to the Disk Encryption Sets blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FdiskEncryptionSets and click + Create to create a new disk encryption set.

08 On the Create a disk encryption set setup page, perform the following operations:

  1. On the Basics panel, configure the following parameters:
    • Select the appropriate subscription, resource group, and region (must match your virtual machine location).
    • Choose the encryption type that you want to use for your data disk volumes, either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys.
    • Select the Azure key vault, the key, and the key version (i.e. Current version) created at the previous steps.
    • (Optional) Select Auto key rotation to automatically rotate the key to the latest key version.
    • Choose Next : Tags > to continue.
  2. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the new key. Choose Next : Review + create > to continue.
  3. Select Review + create, validate the chosen parameters, and choose Create.

09 Once the deployment is complete, choose Go to resource. On the Overview page, you should see a red banner indicating that the associated key vault does not yet have permissions to access the new disk encryption set, prompting you to grant permissions. Click the arrow in the red banner to proceed. If needed, check the blade notification box from the top right to see a summary of the activity log and the notification that confirms the permission changes.

10 Navigate to the Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults, access the appropriate key vault, and choose Access policies in the vault navigation menu. Check for, or if needed, create an application-type permission for your new disk encryption set which includes the following key permissions: Get, Unwrap Key, and Wrap Key.

11 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.

12 Click on the name of the virtual machine (VM) that you want to re-create.

13 On the Overview page, collect the virtual machine configuration information such as location, operating system, VM generation and size, networking and disk details. The information collected at this step is required for virtual machine relaunch.

14 Navigate back to the Virtual machines blade, select + Create and choose Azure virtual machine to launch a new virtual machine.

15 On the Create a virtual machine setup page, perform the following actions:

  1. On the Basics panel, choose the appropriate subscription, provide a unique name for the new virtual machine (VM), select the Azure region and resource group where the VM resource will be provisioned, choose the VM size and operating system (OS) image, select the authentication type, and configure the inbound access to the virtual machine. All the settings configured at this step must match the information collected at step no. 13. Choose Next : Disks > to continue the creation process.
  2. On the Disks panel, perform the following operations:
    • Choose the boot (OS) disk type necessary for the new virtual machine from the OS disk type dropdown list.
    • Choose Create and attach a new disk to create and attach a data disk to the new virtual machine. On the setup panel, provide a unique name for the new data disk, select the source type, and choose the right size for the disk. Select either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys from the Encryption type dropdown list and choose the encryption set created at step no. 8 from the Disk encryption set dropdown list. This will enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the new data disk volume. Choose OK to save the configuration changes. Repeat this step to create and configure as many data disks as required.
    • Choose Next : Networking > to continue.
  3. On the Networking panel, configure the network access control and load balancing for the VM according to the networking information collected at step no. 13. Choose Next : Management > to continue.
  4. On the Management panel, configure the monitoring and management options for your new virtual machine. Select Next : Advanced > to continue the setup.
  5. On the Advanced panel, add additional configuration, agents, scripts or applications via virtual machine extensions or cloud-init. Choose Next : Tags > to continue.
  6. On the Tags panel, use the Name, Value and Resource fields to create tags that will help organize the identity of the VM. Choose Next : Review + create > to continue.
  7. On the Review + create panel, review the resource configuration details, wait for setup validation to complete, then choose Create to create your new Microsoft Azure virtual machine (VM).
  8. In the Generate new key pair confirmation box, choose Download private key and create resource to download and save the private key generated for the new virtual machine.
  9. Once the resource deployment is complete, choose Go to resource to access your new Azure VM.

16 Transfer the data from the source virtual machine to the new (destination) virtual machine encrypted with Server-Side Encryption (SSE) and customer-managed keys (CMKs). For example, follow these steps to copy a managed disk.

17 (Optional) You can terminate the source virtual machine (VM) in order to stop incurring charges for the VM resource. To delete the VM, perform the following operations:

  1. Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines.
  2. Select the Azure virtual machine that you want to terminate and choose Delete.
  3. On the Delete Resources panel, type yes for confirmation in the Confirm delete box, select the name of your virtual machine from the Selected resources section, then choose Delete to terminate the selected VM.

18 Repeat steps no. 12 – 16 for each Azure virtual machine that you want to re-create, available in the selected subscription.

19 Repeat steps no. 1 – 18 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (CMK) will be placed. Make sure that you specify the Azure subscription that you want to use:

az keyvault create \
  --name cc-application-key-vault \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --enable-purge-protection true \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

02 The command output should return the configuration information available for the new Azure key vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
  "location": "westeurope",
  "name": "cc-application-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "all"
          ],
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "storage": [
            "all"
          ]
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-application-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": {
    "createdAt": "2022-04-26T13:48:11.861000+00:00",
    "createdBy": "user@domain.com",
    "createdByType": "User",
    "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00",
    "lastModifiedBy": "user@domain.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run keyvault key create command (Windows/macOS/Linux) to create a new Azure customer-managed key (CMK), necessary to encrypt your Azure VM data disk volumes:

az keyvault key create \
  --name cc-application-cmk \
  --vault-name cc-application-key-vault \
  --kty RSA \
  --size 2048 \
  --ops decrypt encrypt sign unwrapKey verify wrapKey \
  --expires "2022-10-22T10:00:00Z" \
  --protection software \
  --disabled false \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

04 The command output should return the configuration information available for the new encryption key:

{
  "attributes": {
    "created": "2022-04-26T13:53:44+00:00",
    "enabled": true,
    "expires": "2022-10-22T10:00:00+00:00",
    "exportable": null,
    "notBefore": null,
    "recoverableDays": 90,
    "recoveryLevel": "Recoverable",
    "updated": "2022-04-26T13:53:44+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "decrypt",
      "encrypt",
      "sign",
      "unwrapKey",
      "verify",
      "wrapKey"
    ],
    "kid": "https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/abcdabcdabcdabcdabcdabcdabcdabcd",
    "kty": "RSA",
    "n": " ... ",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "releasePolicy": null,
  "tags": null
}

05 Run disk-encryption-set create command (Windows/macOS/Linux) to create an Azure disk encryption set using the ID of the newly created encryption key for the --key-url parameter:

az disk-encryption-set create \
  --key-url https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/abcdabcdabcdabcdabcdabcdabcdabcd \
  --name cc-app-disk-encryption-set \
  --resource-group cloud-shell-storage-westeurope \
  --encryption-type EncryptionAtRestWithCustomerKey \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

06 The command output should return the configuration information available for the new disk encryption set:

{
  "activeKey": {
    "keyUrl": "https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/abcdabcdabcdabcdabcdabcdabcdabcd",
    "sourceVault": null
  },
  "encryptionType": "EncryptionAtRestWithCustomerKey",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskEncryptionSets/cc-app-disk-encryption-set",
  "identity": {
    "principalId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "type": "SystemAssigned"
  },
  "lastKeyRotationTimestamp": null,
  "location": "westeurope",
  "name": "cc-app-disk-encryption-set",
  "previousKeys": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "rotationToLatestKeyVersionEnabled": null,
  "tags": null,
  "type": "Microsoft.Compute/diskEncryptionSets"
}

07 Run keyvault set-policy command (Windows/macOS/Linux) to update the security policy for the Azure key vault created previously, to assign the get, wrapKey, and unwrapKey key permissions to the policy principal (i.e. the new disk encryption set). The --object-id parameter value represents the principal ID of the new disk encryption set ("principalId" attribute value returned at the previous step):

az keyvault set-policy \
  --name cc-application-key-vault \
  --resource-group cloud-shell-storage-westeurope \
  --key-permissions get wrapKey unwrapKey \
  --object-id 1234abcd-1234-abcd-1234-abcd1234abcd \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

08 The command output should return the configuration information available for the modified key vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
  "location": "westeurope",
  "name": "cc-application-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "all"
          ],
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "storage": [
            "all"
          ]
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-application-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": {
    "createdAt": "2022-04-26T13:48:11.861000+00:00",
    "createdBy": "user@domain.com",
    "createdByType": "User",
    "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00",
    "lastModifiedBy": "user@domain.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

09 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine (VM) that you want to re-create as the identifier parameter, to describe the configuration information available for the selected virtual machine:

az vm show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-application-vm"

10 The command output should return the requested configuration information. Collect the configuration information such as location, operating system, VM generation and size, networking and disk details. The information collected at this step is required for virtual machine relaunch:

{
  "additionalCapabilities": null,
  "applicationProfile": null,
  "availabilitySet": null,
  "billingProfile": null,
  "capacityReservation": null,
  "diagnosticsProfile": {
    "bootDiagnostics": {
      "enabled": true,
      "storageUri": null
    }
  },
  "evictionPolicy": null,
  "extendedLocation": null,
  "extensionsTimeBudget": null,
  "hardwareProfile": {
    "vmSize": "Standard_B1ls",
    "vmSizeProperties": null
  },
  "host": null,
  "hostGroup": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-application-vm",
  "identity": null,
  "instanceView": null,
  "licenseType": null,
  "location": "westeurope",
  "name": "cc-web-application-vm",
  "networkProfile": {
    "networkApiVersion": null,
    "networkInterfaceConfigurations": null,
    "networkInterfaces": [
      {
        "deleteOption": "Detach",
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/cc-web-production405",
        "primary": null,
        "resourceGroup": "cloud-shell-storage-westeurope"
      }
    ]
  },
  "osProfile": {
    "adminPassword": null,
    "adminUsername": "azureuser",
    "allowExtensionOperations": true,
    "computerName": "cc-web-application-vm",
    "customData": null,
    "linuxConfiguration": {
      "disablePasswordAuthentication": true,
      "enableVMAgentPlatformUpdates": false,
      "patchSettings": {
        "assessmentMode": "ImageDefault",
        "patchMode": "ImageDefault"
      },
      "provisionVmAgent": true,
      "ssh": {
        "publicKeys": [
          {
            "keyData": " ... ",
            "path": "/home/azureuser/.ssh/authorized_keys"
          }
        ]
      }
    },
    "requireGuestProvisionSignal": true,
    "secrets": [],
    "windowsConfiguration": null
  },
  "plan": null,
  "platformFaultDomain": null,
  "priority": null,
  "provisioningState": "Updating",
  "proximityPlacementGroup": null,
  "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
  "resources": [
    {
      "autoUpgradeMinorVersion": true,
      "enableAutomaticUpgrade": null,
      "forceUpdateTag": "1.0",
      "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-application-vm/extensions/AzureDiskEncryptionForLinux",
      "instanceView": null,
      "location": "westeurope",
      "name": "AzureDiskEncryptionForLinux",
      "protectedSettings": null,
      "protectedSettingsFromKeyVault": null,
      "provisioningState": "Creating",
      "publisher": "Microsoft.Azure.Security",
      "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
      "settings": {
        "EncryptionOperation": "EnableEncryption",
        "KekVaultResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
        "KeyEncryptionAlgorithm": "RSA-OAEP",
        "KeyEncryptionKeyURL": "https://cc-application-key-vault.vault.azure.net/keys/cc-application-cmk/abcdabcdabcdabcdabcdabcdabcdabcd",
        "KeyVaultResourceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
        "KeyVaultURL": "https://cc-application-key-vault.vault.azure.net/",
        "VolumeType": "OS"
      },
      "suppressFailures": null,
      "tags": null,
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "typeHandlerVersion": "1.1",
      "typePropertiesType": "AzureDiskEncryptionForLinux"
    }
  ],
  "scheduledEventsProfile": null,
  "securityProfile": null,
  "storageProfile": {
    "dataDisks": [],
    "imageReference": {
      "communityGalleryImageId": null,
      "exactVersion": "18.04.202204190",
      "id": null,
      "offer": "UbuntuServer",
      "publisher": "Canonical",
      "sharedGalleryImageId": null,
      "sku": "18_04-lts-gen2",
      "version": "latest"
    },
    "osDisk": {
      "caching": "ReadWrite",
      "createOption": "FromImage",
      "deleteOption": "Delete",
      "diffDiskSettings": null,
      "diskSizeGb": 30,
      "encryptionSettings": null,
      "image": null,
      "managedDisk": {
        "diskEncryptionSet": null,
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-web-application-vm_OsDisk_1_abcdabcdabcd",
        "resourceGroup": "cloud-shell-storage-westeurope",
        "securityProfile": null,
        "storageAccountType": "Premium_LRS"
      },
      "name": "cc-web-application-vm_OsDisk_1_abcdabcdabcd",
      "osType": "Linux",
      "vhd": null,
      "writeAcceleratorEnabled": null
    }
  },
  "tags": null,
  "timeCreated": "2021-09-20T18:08:39.137795+00:00",
  "type": "Microsoft.Compute/virtualMachines",
  "userData": null,
  "virtualMachineScaleSet": null,
  "vmId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "zones": null
}

11 Run vm create command (Windows/macOS/Linux) to launch a new Azure virtual machine (VM) with Server-Side Encryption (SSE) and customer-managed keys (CMKs) for the data disk volume(s) attached to the VM, using the configuration information returned at the previous step. Specify the name of the Azure disk encryption set created earlier in the Remediation section as the value of the --data-disk-encryption-sets parameter:

az vm create \
  --name cc-web-application-cmk-encrypted \
  --location westeurope \
  --image UbuntuLTS \
  --size Standard_B1ls \
  --authentication-type ssh \
  --admin-username azureuser \
  --ssh-key-name cc-application-vm_key \
  --data-disk-encryption-sets cc-app-disk-encryption-set \
  --resource-group cloud-shell-storage-westeurope \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

12 If the command request was successful and the VM resource has been created, the command output should return the following configuration information:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-web-application-cmk-encrypted",
  "location": "westeurope",
  "macAddress": "AA-BB-CC-11-22-33",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.7",
  "publicIpAddress": "XXX.XXX.XXX.XXX",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "zones": ""
}

13 Transfer the data from the source virtual machine to the new (destination) virtual machine encrypted with Server-Side Encryption (SSE) and customer-managed keys (CMKs). For example, follow these steps to copy a managed disk.

14 (Optional) You can terminate the source virtual machine (VM) in order to stop incurring charges for the VM resource. To delete the source VM, run vm delete command (Windows/macOS/Linux) as shown in the following example:

az vm delete \
  --name cc-web-application-vm \
  --resource-group cloud-shell-storage-westeurope \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd

15 Type y (yes) and press Enter to confirm the virtual machine (VM) deletion:

Are you sure you want to perform this operation? (y/n): y

16 Repeat steps no. 9 – 13 for each Azure virtual machine that you want to re-create, available within the current subscription.

17 Repeat steps no. 1 – 16 for each subscription available in your Microsoft Azure cloud account.
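To verify the outcome of either procedure above (Portal or CLI), the following script, added here as an example and not part of the Conformity tool or the Azure CLI, walks the JSON returned by `az vm show` (the structure shown at step 10) and reports, per data disk, whether a disk encryption set is referenced and, when the set's `encryptionType` is supplied, whether that type is CMK-backed. The resource ids in the embedded sample are constructed placeholders.

```python
"""Added audit helper (not Conformity's or Azure's code): report which data
(non-boot) disks of a VM use SSE with a customer-managed key.

Input is the JSON that `az vm show` returns. Use
`az vm show --ids <vm-id> | python3 audit_cmk.py`, or run it with no piped
input to see the constructed sample below (all ids are placeholders).
"""
import json
import sys

# Encryption types that satisfy the rule (the Portal step offers both).
COMPLIANT_ENCRYPTION_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def audit_data_disks(vm, des_types=None):
    """Return (disk_name, status, detail) for every data disk of the VM.

    des_types: optional map of disk-encryption-set id -> encryptionType (the
    value `az disk-encryption-set show` returns); with it, a referenced set
    that is not CMK-backed is still flagged instead of passing.
    """
    findings = []
    for disk in vm.get("storageProfile", {}).get("dataDisks") or []:
        name = disk.get("name", "<unnamed>")
        des = (disk.get("managedDisk") or {}).get("diskEncryptionSet")
        if not des:  # null here means platform-managed keys only
            findings.append((name, "NON_COMPLIANT", "no disk encryption set"))
            continue
        des_id = des.get("id", "")
        if des_types is None:
            findings.append((name, "COMPLIANT", des_id))
            continue
        enc_type = des_types.get(des_id)
        if enc_type in COMPLIANT_ENCRYPTION_TYPES:
            findings.append((name, "COMPLIANT", enc_type))
        else:
            findings.append((name, "NON_COMPLIANT", f"encryptionType={enc_type!r}"))
    return findings


def vm_is_compliant(vm, des_types=None):
    """True when every data disk is CMK-encrypted; a VM with no data disks
    has nothing this rule can flag, so it counts as compliant."""
    return all(s == "COMPLIANT" for _, s, _ in audit_data_disks(vm, des_types))


# Constructed sample: one disk attached to a DES, one left on platform keys.
SAMPLE_DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                 "/providers/Microsoft.Compute/diskEncryptionSets/cc-app-disk-encryption-set")
SAMPLE_VM = {"name": "sample-vm", "storageProfile": {"dataDisks": [
    {"name": "data-0", "managedDisk": {"diskEncryptionSet": {"id": SAMPLE_DES_ID}}},
    {"name": "data-1", "managedDisk": {"diskEncryptionSet": None}},
]}}
SAMPLE_DES_TYPES = {SAMPLE_DES_ID: "EncryptionAtRestWithCustomerKey"}

if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    vm, des_types = (json.load(sys.stdin), None) if piped else (SAMPLE_VM, SAMPLE_DES_TYPES)
    for name, status, detail in audit_data_disks(vm, des_types):
        print(f"{name}: {status} ({detail})")
    sys.exit(0 if vm_is_compliant(vm, des_types) else 1)
```

A non-zero exit status marks a VM that still needs the remediation above, which makes the script usable from a CI or scheduled job.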

Publication date Apr 28, 2022