- Server Side Encryption for Unattached Disk using CMK
Microsoft Azure provides multiple distinct layers of encryption protection for virtual machine (VM) managed disks. VM managed disks are encrypted with Azure Storage encryption, also known as Server-Side Encryption (SSE), using platform-managed keys (PMKs), to protect your data at rest and help you meet your organizational security and compliance commitments. By default, VM managed disk volumes (regardless of the VM attachment status) use platform-managed encryption keys. However, in order to have more granular control over your data encryption/decryption process, it is strongly recommended to use your own keys (CMKs) instead of platform-managed keys (PMKs) for data (non-boot) disk volume encryption.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When you create and use your own customer-managed keys (CMKs) for unattached disk volumes, you gain full control over who can use the encryption keys and who can access the data encrypted on your managed disk volumes. Even if these managed disk volumes are not currently attached to any Azure virtual machines (VMs), there is always a risk that a compromised user account with administrative privileges can mount/attach the disks to a virtual machine, and this action can lead to sensitive and/or confidential data disclosure.
Audit
To determine if your unattached managed disk volumes are encrypted with customer-managed keys (CMKs), perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to the Disks blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2Fdisks to access all the managed disk volumes available for virtual machines (VMs).
03 Choose the Azure subscription that you want to access from the Subscription filter box.
04 Click on the name of the unattached disk volume that you want to examine. An unattached disk volume does not have an owner listed in the Owner column.
05 In the disk navigation panel, under Settings, select Encryption to access the Server-Side Encryption (SSE) configuration settings available for the selected disk volume.
06 On the Encryption configuration page, check the encryption type selected from the Encryption type dropdown list. If the encryption type selected is (Default) Encryption at-rest with a platform-managed key, Microsoft Azure Storage encryption is using platform-managed keys (PMKs) instead of customer-managed keys (CMKs) to encrypt the data available on the selected unattached disk volume.
07 Repeat steps no. 4 – 6 for each unattached managed disk volume available in the selected subscription.
08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run disk list command (Windows/macOS/Linux) using custom query filters to list the ID of each unattached managed disk volume provisioned in the current subscription:
az disk list --query '[?diskState == `Unattached`].id'
02 The command output should return the requested disk volume identifiers (IDs):
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-web-application-vm_datadisk", "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-production-vm-server_datadisk" ]
03 Run disk show command (Windows/macOS/Linux) using the full ID of the unattached managed disk volume returned at the previous step as the identifier parameter, to describe the type of the encryption key configured for the selected disk volume:
az disk show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-web-application-vm_datadisk" --query 'encryption.type'
04 The command output should return the type of the requested encryption key:
"EncryptionAtRestWithPlatformKey"
If the disk show command output returns "EncryptionAtRestWithPlatformKey" instead of "EncryptionAtRestWithCustomerKey", Microsoft Azure Storage encryption is using platform-managed keys (PMKs) instead of customer-managed keys (CMKs) to encrypt the data available on the selected unattached disk volume.
05 Repeat steps no. 3 and 4 for each unattached managed disk volume provisioned within the current subscription.
06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
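The Azure CLI audit above can be run as one pass over every subscription instead of one disk at a time. The following script is an added example (not Conformity's or Azure's code): it reads the same `az disk list` JSON the steps above query, keeps only disks whose diskState is Unattached, and reports those whose encryption.type is not backed by a customer-managed key; the double-encryption type counts as compliant because the Remediation section accepts it. SAMPLE_DISKS is constructed data in the shape of the page's command output.

```python
"""Audit unattached Azure managed disks for customer-managed-key (CMK) encryption
across several subscriptions at once.

Added example, not Conformity's or Azure's code. The fields read here
(diskState, encryption.type, encryption.diskEncryptionSetId) are the ones the
page's command outputs show; SAMPLE_DISKS is constructed test data.
"""
import json
import subprocess

# Encryption types that satisfy the rule: the data is wrapped by a key the
# customer controls, alone or together with a platform-managed key.
CMK_TYPES = {"EncryptionAtRestWithCustomerKey",
             "EncryptionAtRestWithPlatformAndCustomerKeys"}


def noncompliant_unattached_disks(disks):
    """Return (disk id, encryption type) for each unattached disk not using a CMK."""
    findings = []
    for disk in disks:
        if disk.get("diskState") != "Unattached":
            continue  # attached disks are outside this rule's scope
        enc_type = (disk.get("encryption") or {}).get("type")
        if enc_type not in CMK_TYPES:
            findings.append((disk["id"], enc_type))
    return findings


def list_disks(subscription_id):
    """Fetch all managed disks in one subscription (needs a logged-in az CLI)."""
    proc = subprocess.run(
        ["az", "disk", "list", "--subscription", subscription_id, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_subscriptions(subscription_ids, fetch=list_disks):
    """Map each subscription id to its findings; `fetch` is injectable for offline runs."""
    return {sub: noncompliant_unattached_disks(fetch(sub)) for sub in subscription_ids}


# Constructed sample shaped like the page's `az disk list` output (placeholder subscription id).
PREFIX = "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/"
SAMPLE_DISKS = [
    {"id": PREFIX + "disks/cc-web-application-vm_datadisk", "diskState": "Unattached",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": None}},
    {"id": PREFIX + "disks/cc-production-vm-server_datadisk", "diskState": "Unattached",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": PREFIX + "diskEncryptionSets/cc-vm-disk-encryption-set"}},
    {"id": PREFIX + "disks/cc-attached-vm_osdisk", "diskState": "Attached",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": None}},
]

if __name__ == "__main__":
    report = audit_subscriptions(["abcdabcd-1234-abcd-1234-abcd1234abcd"])
    for sub, findings in report.items():
        for disk_id, enc_type in findings:
            print(f"{sub}: {disk_id} uses {enc_type}")
```

Replace the subscription list in the `__main__` block with the output of `az account list --query '[].id' -o tsv` to cover the whole account.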
Remediation / Resolution
To enable Server-Side Encryption (SSE) for your unattached managed disk volumes using customer-managed keys (CMKs), perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults and choose + Create to create the Azure key vault that will store your customer-managed key (CMK).
03 On the Create a key vault setup page, perform the following actions:
- On the Basics panel, choose the appropriate subscription and pricing tier, provide a unique name for the new key vault, and select the Azure region and resource group where the vault will be deployed. (Optional) You can choose whether or not to enable purge protection and set the number of days to retain the deleted vault. Choose Next to continue the setup process.
- On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure to retrieve secrets from the vault and unwrap encryption keys. (Optional) You can choose + Add Access Policy to add additional access policies to the key vault. Choose Next to continue.
- On the Networking panel, configure the network access control for the key vault. You can connect to the new key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint. Choose Next to continue the setup.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Next to continue.
- On the Review + create panel, review the resource configuration details, then choose Create to create your new Microsoft Azure key vault.
04 Once the deployment process is complete, choose Go to resource to access the new key vault.
05 In the key vault navigation panel, under Settings, select Keys, then choose the Generate/Import button to create the customer-managed key (CMK) required for the data disk volume encryption.
06 On the Create a key setup page, provide a unique name for the new key in the Name box, choose an activation and/or expiration date for the resource, select Enabled for activation, then choose Create to generate your new customer-managed key (CMK).
07 Navigate to the Disk Encryption Sets blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FdiskEncryptionSets and click + Create to create a new disk encryption set.
08 On the Create a disk encryption set setup page, perform the following operations:
- On the Basics panel, configure the following parameters:
- Select the appropriate subscription, resource group, and location/region (must match your unattached disk volume location).
- Choose the encryption type that you want to use for your unattached disk volume, either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys.
- Select the Azure key vault, the key, and the key version (i.e. Current version) created at the previous steps.
- (Optional) Select Auto key rotation to automatically rotate the key to the latest key version.
- Choose Next : Tags > to continue.
- On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the new disk encryption set. Choose Next : Review + create > to continue.
- Select Review + create, validate the chosen parameters, and choose Create.
09 Once the deployment is complete, choose Go to resource. On the Overview page, you should see a red banner indicating that the associated key vault does not yet have permissions to access the new disk encryption set, prompting you to grant permissions. Click the arrow in the red banner to proceed. If needed, check the blade notification box from the top right to see a summary of the activity log and the notification that confirms the permission changes.
10 Navigate to the Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults, access the appropriate key vault, and choose Access policies in the vault navigation menu. Check for, or if needed create, an application-type permission for your new disk encryption set that includes the following key permissions: Get, Unwrap Key, and Wrap Key.
11 Navigate to the Disks blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2Fdisks.
12 Choose the Azure subscription that you want to access from the Subscription filter box.
13 Click on the name of the unattached disk volume that you want to encrypt using your own customer-managed key (CMK). An unattached disk volume does not have an owner listed in the Owner column.
14 In the disk navigation panel, under Settings, select Encryption to access the Server-Side Encryption (SSE) configuration settings available for the selected disk volume.
15 On the Encryption page, select either Encryption at-rest with a customer-managed key or Double encryption with platform-managed and customer-managed keys from the Encryption type dropdown list and choose the encryption set created earlier in the Remediation process from the Disk encryption set dropdown list. Choose Save to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected unattached disk volume.
16 Repeat steps no. 13 – 15 for each unattached managed disk volume available in the selected subscription.
17 Repeat steps no. 2 – 16 for each subscription available in your Microsoft Azure cloud account.
Using Azure CLI
01 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required customer-managed key (CMK) will be placed. Make sure that you specify the Azure subscription that you want to use:
az keyvault create --name cc-vm-key-vault --resource-group cloud-shell-storage-westeurope --location westeurope --enable-purge-protection true --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
02 The command output should return the configuration information available for the new Azure key vault:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-vm-key-vault", "location": "westeurope", "name": "cc-vm-key-vault", "properties": { "accessPolicies": [ { "applicationId": null, "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "permissions": { "certificates": [ "all" ], "keys": [ "all" ], "secrets": [ "all" ], "storage": [ "all" ] }, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd" } ], "createMode": null, "enablePurgeProtection": true, "enableRbacAuthorization": null, "enableSoftDelete": true, "enabledForDeployment": false, "enabledForDiskEncryption": null, "enabledForTemplateDeployment": null, "hsmPoolResourceId": null, "networkAcls": null, "privateEndpointConnections": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "sku": { "family": "A", "name": "standard" }, "softDeleteRetentionInDays": 90, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "vaultUri": "https://cc-vm-key-vault.vault.azure.net/" }, "resourceGroup": "cloud-shell-storage-westeurope", "systemData": { "createdAt": "2022-04-26T13:48:11.861000+00:00", "createdBy": "user@domain.com", "createdByType": "User", "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00", "lastModifiedBy": "user@domain.com", "lastModifiedByType": "User" }, "tags": {}, "type": "Microsoft.KeyVault/vaults" }
03 Run keyvault key create command (Windows/macOS/Linux) to create a new Azure customer-managed key (CMK), necessary to encrypt your unattached managed disk volume:
az keyvault key create --name cc-vm-disk-cmk --vault-name cc-vm-key-vault --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey --expires "2022-10-22T10:00:00Z" --protection software --disabled false --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
04 The command output should return the configuration information available for the new encryption key:
{ "attributes": { "created": "2022-04-26T13:53:44+00:00", "enabled": true, "expires": "2022-10-22T10:00:00+00:00", "exportable": null, "notBefore": null, "recoverableDays": 90, "recoveryLevel": "Recoverable", "updated": "2022-04-26T13:53:44+00:00" }, "key": { "crv": null, "d": null, "dp": null, "dq": null, "e": "AQAB", "k": null, "keyOps": [ "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey" ], "kid": "https://cc-vm-key-vault.vault.azure.net/keys/cc-vm-disk-cmk/abcdabcdabcdabcdabcdabcdabcdabcd", "kty": "RSA", "n": " ... ", "p": null, "q": null, "qi": null, "t": null, "x": null, "y": null }, "managed": null, "releasePolicy": null, "tags": null }
05 Run disk-encryption-set create command (Windows/macOS/Linux) to create an Azure disk encryption set using the ID of the newly created encryption key for the --key-url parameter:
az disk-encryption-set create --key-url https://cc-vm-key-vault.vault.azure.net/keys/cc-vm-disk-cmk/abcdabcdabcdabcdabcdabcdabcdabcd --name cc-vm-disk-encryption-set --resource-group cloud-shell-storage-westeurope --encryption-type EncryptionAtRestWithCustomerKey --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
06 The command output should return the configuration information available for the new disk encryption set:
{ "activeKey": { "keyUrl": "https://cc-vm-key-vault.vault.azure.net/keys/cc-vm-disk-cmk/abcdabcdabcdabcdabcdabcdabcdabcd", "sourceVault": null }, "encryptionType": "EncryptionAtRestWithCustomerKey", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskEncryptionSets/cc-vm-disk-encryption-set", "identity": { "principalId": "1234abcd-1234-abcd-1234-abcd1234abcd", "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "type": "SystemAssigned" }, "lastKeyRotationTimestamp": null, "location": "westeurope", "name": "cc-vm-disk-encryption-set", "previousKeys": null, "provisioningState": "Succeeded", "resourceGroup": "cloud-shell-storage-westeurope", "rotationToLatestKeyVersionEnabled": null, "tags": null, "type": "Microsoft.Compute/diskEncryptionSets" }
07 Run keyvault set-policy command (Windows/macOS/Linux) to update the security policy for the Azure key vault created previously, to assign the get, wrapKey, and unwrapKey key permissions to the policy principal (i.e. the new disk encryption set). The --object-id parameter value represents the principal ID of the new disk encryption set ("principalId" attribute value returned at the previous step):
az keyvault set-policy --name cc-vm-key-vault --resource-group cloud-shell-storage-westeurope --key-permissions get wrapKey unwrapKey --object-id 1234abcd-1234-abcd-1234-abcd1234abcd --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
08 The command output should return the configuration information available for the modified key vault:
{ "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-vm-key-vault", "location": "westeurope", "name": "cc-vm-key-vault", "properties": { "accessPolicies": [ { "applicationId": null, "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "permissions": { "certificates": [ "all" ], "keys": [ "all" ], "secrets": [ "all" ], "storage": [ "all" ] }, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd" } ], "createMode": null, "enablePurgeProtection": true, "enableRbacAuthorization": null, "enableSoftDelete": true, "enabledForDeployment": false, "enabledForDiskEncryption": null, "enabledForTemplateDeployment": null, "hsmPoolResourceId": null, "networkAcls": null, "privateEndpointConnections": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "sku": { "family": "A", "name": "standard" }, "softDeleteRetentionInDays": 90, "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "vaultUri": "https://cc-vm-key-vault.vault.azure.net/" }, "resourceGroup": "cloud-shell-storage-westeurope", "systemData": { "createdAt": "2022-04-26T13:48:11.861000+00:00", "createdBy": "user@domain.com", "createdByType": "User", "lastModifiedAt": "2022-04-26T13:48:11.861000+00:00", "lastModifiedBy": "user@domain.com", "lastModifiedByType": "User" }, "tags": {}, "type": "Microsoft.KeyVault/vaults" }
09 Run disk update command (Windows/macOS/Linux) using the name of the unattached disk volume that you want to reconfigure as the identifier parameter, to enable Server-Side Encryption (SSE) with customer-managed keys (CMKs) for the selected managed disk volume:
az disk update --name cc-web-application-vm_datadisk --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set cc-vm-disk-encryption-set --resource-group cloud-shell-storage-westeurope --subscription abcdabcd-1234-abcd-1234-abcd1234abcd
10 If the command request was successful, the command output should return the configuration information available for the modified disk volume, as shown in the output example below:
{ "burstingEnabled": null, "completionPercent": null, "creationData": { "createOption": "FromImage", "galleryImageReference": null, "imageReference": { "id": "/Subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/Providers/Microsoft.Compute/Locations/westeurope/Publishers/canonical/ArtifactTypes/VMImage/Offers/0001-com-ubuntu-server-focal/Skus/20_04-lts-gen2/Versions/20.04.202204190", "lun": null }, "logicalSectorSize": null, "securityDataUri": null, "sourceResourceId": null, "sourceUniqueId": null, "sourceUri": null, "storageAccountId": null, "uploadSizeBytes": null }, "dataAccessAuthMode": null, "diskAccessId": null, "diskIopsReadOnly": null, "diskIopsReadWrite": 120, "diskMBpsReadOnly": null, "diskMBpsReadWrite": 25, "diskSizeBytes": 32213303296, "diskSizeGb": 30, "diskState": "Reserved", "encryption": { "diskEncryptionSetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/diskEncryptionSets/cc-vm-disk-encryption-set", "type": "EncryptionAtRestWithCustomerKey" }, "encryptionSettingsCollection": null, "extendedLocation": null, "hyperVGeneration": "V2", "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-web-application-vm_datadisk", "location": "westeurope", "managedByExtended": null, "maxShares": null, "name": "cc-web-application-vm_datadisk", "networkAccessPolicy": "AllowAll", "propertyUpdatesInProgress": null, "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "purchasePlan": null, "resourceGroup": "cloud-shell-storage-westeurope", "securityProfile": null, "shareInfo": null, "sku": { "name": "Premium_LRS", "tier": "Premium" }, "supportedCapabilities": { "acceleratedNetwork": true, "architecture": "x64" }, "supportsHibernation": null, "tags": null, "tier": "P4", "timeCreated": "2022-04-27T11:20:40.949818+00:00", "type": "Microsoft.Compute/disks", "uniqueId": "abcdabcd-1234-abcd-1234-abcd1234abcd", "zones": null }
11 Repeat steps no. 9 and 10 for each unattached managed disk volume provisioned within the current subscription.
12 Repeat steps no. 1 – 11 for each subscription available in your Microsoft Azure cloud account.
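The Azure CLI remediation above passes two values by hand between commands: the key identifier (kid) from step 03 into the --key-url parameter of step 05, and the principalId from step 06 into the --object-id parameter of step 07. The script below is an added example (not Conformity's or Azure's code) that chains those steps so the values flow automatically and then applies the resulting disk encryption set to a list of unattached disk IDs; the `run` callable is injectable so the flow can be exercised offline. Resource names and the subscription ID are the page's placeholders, and a real run needs a logged-in az CLI.

```python
"""Chain the Remediation steps for Azure CLI (key vault -> CMK -> disk
encryption set -> vault access policy -> disk update) so that the values the
page copies by hand (the key's kid, the encryption set's principalId) flow
from one command into the next.

Added example, not Conformity's or Azure's code. Names and the subscription
id are the page's placeholders; a real run needs a logged-in az CLI.
"""
import json
import subprocess


def run_az(args):
    """Run one az command (arguments without the leading 'az') and parse its JSON."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def remediate_unattached_disks(sub, rg, location, vault, key, des, disk_ids, run=run_az):
    """Build the CMK chain, then re-encrypt every disk id in disk_ids with it.
    `run` is injectable so the flow can be exercised without Azure access."""
    run(["keyvault", "create", "--name", vault, "--resource-group", rg,
         "--location", location, "--enable-purge-protection", "true",
         "--subscription", sub])
    key_out = run(["keyvault", "key", "create", "--name", key, "--vault-name", vault,
                   "--kty", "RSA", "--size", "2048", "--protection", "software",
                   "--subscription", sub])
    key_url = key_out["key"]["kid"]                     # step 05's --key-url
    des_out = run(["disk-encryption-set", "create", "--name", des, "--resource-group", rg,
                   "--key-url", key_url, "--encryption-type", "EncryptionAtRestWithCustomerKey",
                   "--subscription", sub])
    principal_id = des_out["identity"]["principalId"]   # step 07's --object-id
    # Least privilege: the encryption set only needs get/wrapKey/unwrapKey on the vault.
    run(["keyvault", "set-policy", "--name", vault, "--resource-group", rg,
         "--key-permissions", "get", "wrapKey", "unwrapKey",
         "--object-id", principal_id, "--subscription", sub])
    updated = []
    for disk_id in disk_ids:   # full resource ids, as returned by `az disk list`
        out = run(["disk", "update", "--ids", disk_id,
                   "--encryption-type", "EncryptionAtRestWithCustomerKey",
                   "--disk-encryption-set", des_out["id"]])
        updated.append((disk_id, out["encryption"]["type"]))
    return updated


if __name__ == "__main__":
    SUB = "abcdabcd-1234-abcd-1234-abcd1234abcd"
    RG = "cloud-shell-storage-westeurope"
    disks = [f"/subscriptions/{SUB}/resourceGroups/{RG}/providers/Microsoft.Compute/disks/cc-web-application-vm_datadisk"]
    for disk_id, enc_type in remediate_unattached_disks(
            SUB, RG, "westeurope", "cc-vm-key-vault", "cc-vm-disk-cmk",
            "cc-vm-disk-encryption-set", disks):
        print(f"{disk_id}: {enc_type}")
```

The disk encryption set must be in the same region as the disks it encrypts, so run the function once per region rather than once per account.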