- Use Customer Managed Keys for Virtual Hard Disk Encryption
Ensure that your Microsoft Azure Virtual Hard Disk (VHD) volumes are using Customer Managed Keys (CMKs) instead of Platform-Managed Keys (PMKs – the default keys used by Microsoft Azure for disk encryption) in order to have full control over your VHD data encryption and decryption process. Virtual Hard Disks are the old-style disks that were attached to Azure virtual machines (VMs). VHDs are stored in blob storage accounts.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
To meet security and compliance requirements, the data stored on both managed and "legacy" disk volumes must be encrypted at rest. When you create and use your own Customer Managed Keys with Azure Virtual Hard Disk (VHD) volumes, you gain full control over who can use the encryption keys and who can access the data encrypted on your VHD volumes. You can disable your CMKs, revoke access to your VHDs at any time, and audit encryption key usage with Azure Key Vault monitoring to ensure that only trusted Azure services and resources are accessing your keys.
Audit
To determine if your Virtual Hard Disk (VHD) volumes are encrypted using Customer Managed Keys (CMKs), perform the following actions:
Using Azure Portal
01 Sign in to the Azure Management Portal.
02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Microsoft Azure resources.
03 Choose the Azure subscription that you want to examine from the Subscription filter box.
04 From the Type filter box, select Disk to list the disk volumes deployed within the selected subscription.
05 Click on the name (link) of the disk volume that you want to examine.
06 In the blade navigation panel, under Settings, select Encryption to access the server-side encryption settings available for the selected resource.
07 On the Encryption configuration page, check the type of the encryption key selected from the Encryption type dropdown list. If the (Default) Encryption at-rest with a platform-managed key type is selected, the verified Virtual Hard Disk (VHD) volume is encrypted using a platform-managed key (PMK) instead of a Customer Managed Key (CMK).
08 Repeat steps no. 5 – 7 for each Virtual Hard Disk (VHD) available in the selected subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run the disk list command (Windows/macOS/Linux) with custom query filters to list the ID of each disk volume provisioned within the current Azure subscription:
az disk list --query '[*].id'
02 The command output should return the requested resource identifiers (IDs):
[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-project5-vhd",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-prod-os-disk"
]
03 Run the disk show command (Windows/macOS/Linux) using the ID of the Virtual Hard Disk (VHD) volume that you want to examine as the identifier parameter to describe the type of the encryption key used by the selected VHD:
az disk show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-project5-vhd" --query 'encryption.type'
04 The command output should return the type of the encryption key used:
"EncryptionAtRestWithPlatformKey"
If the disk show command output returns "EncryptionAtRestWithPlatformKey" for the encryption key type, the selected Virtual Hard Disk (VHD) volume is encrypted using a platform-managed key (PMK) instead of a Customer Managed Key (CMK).
05 Repeat steps no. 3 and 4 for each Virtual Hard Disk (VHD) available within the current subscription.
06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
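The audit above is repeated by hand per disk and per subscription. The following script is an added example (not part of the original article or the Conformity tool) that automates steps 01 to 06: it runs az disk list per subscription, parses the JSON, and reports every disk whose encryption type is EncryptionAtRestWithPlatformKey. It goes slightly beyond the text by also reporting a disk that claims a customer-managed key type but has no disk encryption set attached, and any type it does not recognise. The sample disk records are constructed, not real resources, and the subscription handling assumes the caller's az login already covers those subscriptions.

```python
import json
import subprocess

PLATFORM_KEY = "EncryptionAtRestWithPlatformKey"
# Encryption types that use a customer-managed key held in a disk encryption set.
CUSTOMER_KEY_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def classify_disks(disks):
    """Return (disk id, reason) for each disk not positively encrypted with a CMK."""
    findings = []
    for disk in disks:
        encryption = disk.get("encryption") or {}
        enc_type = encryption.get("type")
        if enc_type == PLATFORM_KEY:
            findings.append((disk["id"], "encrypted with a platform-managed key"))
        elif enc_type not in CUSTOMER_KEY_TYPES:
            # Assumption: anything not recognised as a CMK type is reported, not skipped.
            findings.append((disk["id"], f"unrecognised encryption type {enc_type!r}"))
        elif not encryption.get("diskEncryptionSetId"):
            findings.append((disk["id"], "CMK type but no disk encryption set attached"))
    return findings


def list_disks(subscription):
    """Run `az disk list` for one subscription and parse its JSON output."""
    result = subprocess.run(
        ["az", "disk", "list", "--subscription", subscription, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def audit(subscriptions, lister=list_disks):
    """Map each subscription id to its non-compliant disks (steps 01 to 06 above)."""
    return {sub: classify_disks(lister(sub)) for sub in subscriptions}


# Constructed sample shaped like `az disk list` output; these are not real resources.
SAMPLE_DISKS = [
    {"id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Compute/disks/cc-project5-vhd",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": None}},
    {"id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Compute/disks/cc-prod-os-disk",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Compute/diskEncryptionSets/des1"}},
]

if __name__ == "__main__":
    for disk_id, reason in classify_disks(SAMPLE_DISKS):
        print(f"NON-COMPLIANT {disk_id}: {reason}")
```

Pass a list of subscription IDs to audit() to run the live check; the lister parameter exists so the classification logic can be exercised offline against captured output.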
Remediation / Resolution
To encrypt Microsoft Azure Virtual Hard Disk (VHD) volumes using Customer Managed Keys (CMKs), perform the following actions:
Using Azure Portal
01 Sign in to Azure Management Portal.
02 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults and click + Create to create the Azure Key Vault that will store your new Customer Managed Key.
03 On the Create key vault setup page, perform the following actions:
- For Basics, choose the appropriate subscription and resource group, provide a unique name for the new key vault, then select the Azure cloud region where the vault will be deployed. You can also choose the pricing tier for the key vault at this point. Choose Next : Access policy > to continue.
- For Access policy, select Vault access policy for Permission model, and choose + Add Access Policy to create the policy that allows Azure to retrieve, recover, wrap, and unwrap encryption keys from the new vault. Once the access policy is configured, choose Add to attach it to the key vault. Choose Next : Networking > to continue the setup process.
- For Networking, configure the network access control for the new key vault. Select the Connectivity method that you want to use and ensure that only trusted Azure services and/or networks can access your vault. Choose Next : Tags > to continue.
- For Tags, use the Name and Value fields to create tags that will help organize the identity of the key vault. Choose Next : Review + create > to validate the setup.
- For Review + create, review the resource configuration details, then choose Create to create your new Azure Key Vault.
04 Click on the name of the newly created Microsoft Azure Key Vault.
05 In the blade navigation panel, under Settings, select Keys, then choose + Generate/Import to create the Customer Managed Key required for Virtual Hard Disk (VHD) encryption.
06 On the Create a key setup page, provide a unique name for the encryption key in the Name box, choose an activation and/or expiration date, set the Enabled flag to Yes, then choose Create to generate your new Customer Managed Key (CMK).
07 Navigate to Disk Encryption Sets blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FdiskEncryptionSets.
08 Choose the Azure subscription that you want to access from the Subscription filter box.
09 Choose + Create to create a new disk encryption set. A disk encryption set allows you to manage encryption keys using Server-Side Encryption for Microsoft Azure disks.
10 On the Create a disk encryption set setup page, perform the following actions:
- For Basics, choose the appropriate subscription and resource group, provide a unique name for the new disk encryption set, select the Azure cloud region where the encryption set will be deployed, select the encryption type, then choose the Azure Key Vault and Customer Managed Key (CMK) created earlier in the Remediation process. Choose Next : Tags > to continue.
- For Tags, use the Name and Value fields to create tags that will help organize the identity of the encryption set. Choose Next : Review + create > to validate the setup.
- For Review + create, review the resource configuration details, then choose Create to create your new disk encryption set.
11 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll.
12 Choose the Azure subscription that you want to access from the Subscription filter box.
13 From the Type filter box, select Disk to list the disk volumes deployed in the selected subscription.
14 Click on the name of the disk volume that you want to reconfigure.
15 In the blade navigation panel, under Settings, select Encryption to access the server-side encryption settings available for the selected resource.
16 On the Encryption page, select Encryption at-rest with a customer-managed key from the Encryption type dropdown menu, then choose the newly created encryption set from the Disk encryption set dropdown list. Choose Save to apply the configuration changes.
17 Repeat steps no. 13 – 15 for each Virtual Hard Disk (VHD) available in the selected subscription.
18 Repeat steps no. 2 – 16 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run the keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required Customer Managed Key will be placed:
az keyvault create --name cc-production-vault --resource-group cloud-shell-storage-westeurope --location westeurope --enabled-for-deployment true --enabled-for-template-deployment true --query 'properties.accessPolicies[*].objectId'
02 The command output should return the object ID(s) from the access policy of the new Microsoft Azure Key Vault:
[
  "abcdabcd-1234-1234-1234-abcdabcdabcd"
]
03 Run the keyvault set-policy command (Windows/macOS/Linux) using the object ID and the name of the newly created key vault as the identifier parameters to assign the required key permissions on the selected vault:
az keyvault set-policy --name cc-production-vault --object-id abcdabcd-1234-1234-1234-abcdabcdabcd --key-permissions get recover unwrapKey wrapKey
04 The command output should return the modified key vault configuration metadata:
{
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault",
  "location": "westeurope",
  "name": "cc-production-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
        "permissions": {
          "certificates": [ "get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover" ],
          "keys": [ "get", "wrapKey", "recover", "unwrapKey" ],
          "secrets": [ "get", "list", "set", "delete", "backup", "restore", "recover" ],
          "storage": [ "get", "list", "delete", "set", "update", "regeneratekey", "setsas", "listsas", "getsas", "deletesas" ]
        },
        "tenantId": "abcdabcd-1234-1234-1234-abcdabcdabcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
    "vaultUri": "https://cc-production-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": {
    "createdAt": "2021-10-12T08:46:41.338000+00:00",
    "createdBy": "admin@domain.com",
    "createdByType": "User",
    "lastModifiedAt": "2021-10-12T08:45:05.813000+00:00",
    "lastModifiedBy": "admin@domain.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}
05 Run the keyvault key create command (Windows/macOS/Linux) to create the Customer Managed Key (CMK) required to encrypt the data on your Virtual Hard Disk (VHD) volume(s):
az keyvault key create --name cc-production-cmk --vault-name cc-production-vault --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey --expires "2022-12-10T10:30:00Z" --protection software --disabled false --query 'key.kid'
06 The command output should return the URL of the new CMK:
https://cc-production-vault.vault.azure.net/keys/cc-production-cmk/12345678901234567890123456789012
07 Run the az disk-encryption-set create command (Windows/macOS/Linux), passing the key URL returned at the previous step, to create the Azure disk encryption set required to encrypt the data on your VHD volume:
az disk-encryption-set create --name cc-project5-encryption-set --key-url https://cc-production-vault.vault.azure.net/keys/cc-production-cmk/12345678901234567890123456789012 --source-vault cc-production-vault --resource-group cloud-shell-storage-westeurope --location westeurope --encryption-type EncryptionAtRestWithCustomerKey
08 The command output should return the metadata available for the newly created encryption set:
{
  "activeKey": {
    "keyUrl": "https://cc-production-vault.vault.azure.net/keys/cc-production-cmk/12345678901234567890123456789012",
    "sourceVault": {
      "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault"
    }
  },
  "encryptionType": "EncryptionAtRestWithCustomerKey",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskEncryptionSets/cc-project5-encryption-set",
  "identity": {
    "principalId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "type": "SystemAssigned"
  },
  "lastKeyRotationTimestamp": null,
  "location": "westeurope",
  "name": "cc-project5-encryption-set",
  "previousKeys": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "rotationToLatestKeyVersionEnabled": null,
  "tags": null,
  "type": "Microsoft.Compute/diskEncryptionSets"
}
09 Run the az disk update command (Windows/macOS/Linux) using the ID of the Virtual Hard Disk (VHD) volume that you want to reconfigure as the identifier parameter, to enable encryption at rest using the Azure disk encryption set created at the previous steps:
az disk update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-project5-vhd" --disk-encryption-set "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/diskEncryptionSets/cc-project5-encryption-set" --encryption-type "EncryptionAtRestWithCustomerKey"
10 The az disk update command output should return the updated disk volume metadata:
{
  "burstingEnabled": null,
  "creationData": {
    "createOption": "Empty",
    "galleryImageReference": null,
    "imageReference": null,
    "logicalSectorSize": null,
    "sourceResourceId": null,
    "sourceUniqueId": null,
    "sourceUri": null,
    "storageAccountId": null,
    "uploadSizeBytes": null
  },
  "diskAccessId": null,
  "diskIopsReadOnly": null,
  "diskIopsReadWrite": 500,
  "diskMBpsReadOnly": null,
  "diskMBpsReadWrite": 60,
  "diskSizeBytes": 34359738368,
  "diskSizeGb": 32,
  "diskState": "Unattached",
  "encryption": {
    "diskEncryptionSetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/diskEncryptionSets/cc-project5-encryption-set",
    "type": "EncryptionAtRestWithCustomerKey"
  },
  "encryptionSettingsCollection": null,
  "extendedLocation": null,
  "hyperVGeneration": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/disks/cc-project5-vhd",
  "location": "westeurope",
  "managedBy": null,
  "managedByExtended": null,
  "maxShares": null,
  "name": "cc-project5-vhd",
  "networkAccessPolicy": "AllowAll",
  "osType": null,
  "propertyUpdatesInProgress": null,
  "provisioningState": "Succeeded",
  "purchasePlan": null,
  "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
  "securityProfile": null,
  "shareInfo": null,
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "supportsHibernation": null,
  "tags": null,
  "tier": null,
  "timeCreated": "2021-10-16T09:38:03.866248+00:00",
  "type": "Microsoft.Compute/disks",
  "uniqueId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "zones": null
}
11 Repeat steps no. 9 and 10 for each Virtual Hard Disk (VHD) available within the current subscription.
12 Repeat steps no. 1 – 11 for each subscription available in your Microsoft Azure cloud account.
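Step 03 grants key permissions to the object ID returned by keyvault create, but the disk encryption set created at step 07 reads the CMK through its own system-assigned identity (the identity.principalId in the step 08 output), and that identity needs get, wrapKey and unwrapKey on the vault before az disk update will succeed. The following is an added example, not part of the original article or the Conformity tool: it takes the parsed step 08 output, checks that the key URL actually lives in the named vault (the two must agree, as the step 08 output shows), and builds the az keyvault set-policy command for the set's identity. It assumes the public Azure cloud vault DNS suffix; the sample record is constructed and its IDs are placeholders.

```python
from urllib.parse import urlparse


def key_url_in_vault(key_url, vault_name):
    """True when the key URL's host is the named vault (public-cloud DNS suffix assumed)."""
    return urlparse(key_url).hostname == f"{vault_name}.vault.azure.net"


def des_key_access_command(des, vault_name, permissions=("get", "wrapKey", "unwrapKey")):
    """Build the `az keyvault set-policy` argv that grants the disk encryption set's
    system-assigned identity the key permissions it needs on the vault.

    `des` is the parsed JSON printed by `az disk-encryption-set create`.
    """
    key_url = des["activeKey"]["keyUrl"]
    if not key_url_in_vault(key_url, vault_name):
        raise ValueError(f"key URL {key_url} does not belong to vault {vault_name}")
    principal = (des.get("identity") or {}).get("principalId")
    if not principal:
        raise ValueError("disk encryption set has no system-assigned identity to authorise")
    return ["az", "keyvault", "set-policy", "--name", vault_name,
            "--object-id", principal, "--key-permissions", *permissions]


# Constructed sample shaped like the step 08 output; IDs are placeholders, not real.
SAMPLE_DES = {
    "activeKey": {
        "keyUrl": "https://cc-production-vault.vault.azure.net/keys/cc-production-cmk/12345678901234567890123456789012",
        "sourceVault": {"id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/cc-production-vault"},
    },
    "encryptionType": "EncryptionAtRestWithCustomerKey",
    "identity": {"principalId": "00000000-0000-0000-0000-000000000000", "type": "SystemAssigned"},
}

if __name__ == "__main__":
    import shlex
    # Print the command to review before running it against the real vault.
    print(shlex.join(des_key_access_command(SAMPLE_DES, "cc-production-vault")))
```

Run the printed command between steps 08 and 09; a key URL naming a different vault than --source-vault is rejected here rather than failing later at disk update time.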
References
- Azure Official Documentation
- Azure Disk Encryption Overview
- Azure Disk Encryption for virtual machines and virtual machine scale sets
- DP-5: Encrypt sensitive data at rest
- Quickstart: Create and encrypt a Windows VM with the Azure CLI
- Azure PowerShell Documentation
- az disk list
- az disk show
- az disk update
- az disk-encryption-set
- az keyvault create
- az keyvault set-policy
- az keyvault key